How Kerberos Works

Now that the Kerberos terminology has been defined, the following is an overview of how a Kerberos authentication system works.

On a non-kerberized network, when a user requests a network service that requires authentication, the user is prompted to type in their password. The password is then transmitted in clear-text or as a crypt hash over the network to allow access to the service. Unfortunately, this means that anyone intercepting packets on the network can potentially find out the username and password of users on the network.

Kerberos deals with this threat by using symmetric encryption and a trusted third party — known as the Key Distribution Center or KDC — to authenticate users on a network to services on that network. Once authenticated, Kerberos stores a ticket specific to that session on the user's machine, and any kerberized service looks for this ticket rather than asking the user to authenticate with a password.

When a user on a kerberized network logs in to their workstation, their principal is sent to the Key Distribution Center as a request for a Ticket Granting Ticket (TGT). This request can be sent by the login program so that it is transparent to the user or can be sent by the kinit program after the user logs in.

The KDC checks for the principal in its database. If the principal is found, the KDC creates a TGT, encrypts it using the user's key and sends it back to the user.

The login program or kinit decrypts the TGT using the user's key (which it computes from the user's password). The TGT is set to expire after a certain period of time and is stored in the client machine's credentials cache. The expiration time is set so that a compromised TGT can only be used for a certain period of time (usually eight hours). This is safer than the traditional password model, because a compromised password can be used until it is changed. Once the TGT is issued, the user will not have to re-enter their password to the KDC until the TGT expires or they log out and log in again.

When the user needs access to a network service, the client uses the TGT to request a ticket for the service from the Ticket Granting Service (TGS), which runs on the KDC. The TGS issues a ticket for the desired service, which is then used to authenticate the user.
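The AS and TGS exchanges described above, as a simplified added model that is not part of the original guide: a toy HMAC-based cipher and PBKDF2 stand in for the real Kerberos encryption types and string-to-key function, and the principal and service names are constructed.

```python
import hashlib, hmac, json, os, time

# Toy stand-in for a Kerberos encryption type (assumption: real Kerberos uses AES enctypes).
def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered message")  # a wrong password lands here
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def user_key(password, principal):
    # Client and KDC both derive the user's key from the password (PBKDF2 stands in for string-to-key).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 1000)

class KDC:
    def __init__(self, principals, lifetime=8 * 3600):
        self.db = dict(principals)           # principal -> long-term key
        self.db["krbtgt"] = os.urandom(32)   # TGS key that protects TGTs
        self.lifetime = lifetime

    def as_request(self, principal, now=None):
        """AS exchange: issue a TGT plus a reply only the user's key can open."""
        if principal not in self.db:
            raise KeyError("unknown principal")
        exp = (time.time() if now is None else now) + self.lifetime
        sk = os.urandom(32).hex()            # session key shared with the TGS
        tgt = seal(self.db["krbtgt"], {"client": principal, "sk": sk, "exp": exp})
        return tgt, seal(self.db[principal], {"sk": sk, "exp": exp})

    def tgs_request(self, tgt, service, now=None):
        """TGS exchange: validate the TGT (no password) and issue a service ticket."""
        t = unseal(self.db["krbtgt"], tgt)
        if (time.time() if now is None else now) > t["exp"]:
            raise PermissionError("TGT expired; the user must log in again")
        ssk = os.urandom(32).hex()
        ticket = seal(self.db[service], {"client": t["client"], "sk": ssk})
        return ticket, seal(bytes.fromhex(t["sk"]), {"service": service, "sk": ssk})

def service_accepts(service_key, ticket):
    """A kerberized service trusts the ticket, not a password, for the client identity."""
    return unseal(service_key, ticket)["client"]
```

The client never sends its password over the wire: the AS reply only opens with the key derived from the correct password, and after that the TGT alone drives the TGS exchange until it expires.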

Warning
The Kerberos system can be compromised any time any user on the network authenticates against a non-kerberized service by sending a password in clear text. Therefore, the use of non-kerberized versions of services should be discouraged. Such services include telnet and ftp. Use of other secure protocols, such as OpenSSH or SSL-secured services, however, is acceptable.

This, of course, is a broad overview of how Kerberos authentication on a network would typically work. For a more in-depth look at Kerberos authentication, refer to the Section called Additional Resources.

Note
Kerberos depends on certain network services to work correctly. First, Kerberos requires approximate clock synchronization between the machines on the network. A clock syncing program should be set up for the network. Since certain aspects of Kerberos rely on the Domain Name Service (DNS), be sure that the DNS entries and hosts on the network are all properly configured. See the Kerberos V5 System Administrator's Guide, provided in PostScript and HTML formats in /usr/share/doc/krb5-server-version-number, (where version-number is the version installed on the system) for more information.