How Kerberos Works - Novell LINUX ENTERPRISE SERVER 10 SP2 - INSTALLATION AND ADMINISTRATION Installation Manual

replay
Almost all messages sent over a network can be eavesdropped on, captured, and resent. In the Kerberos context, this is most dangerous if an attacker manages to obtain your request for a service containing your ticket and authenticator. The attacker could then resend it (replay) to impersonate you. However, Kerberos implements several mechanisms to deal with this problem.
server or service
Service is used to refer to a specific action to perform. The process behind this action is referred to as a server.

45.2 How Kerberos Works

Kerberos is often called a trusted third-party authentication service, which means all its clients trust Kerberos's judgment of another client's identity. Kerberos keeps a database of all its users and their private keys.
To ensure Kerberos is worth all the trust put in it, run both the authentication and ticket-granting server on a dedicated machine. Make sure that only the administrator can access this machine physically and over the network. Reduce the (networking) services run on it to the absolute minimum—do not even run sshd.
45.2.1 First Contact
Your first contact with Kerberos is quite similar to any login procedure on a normal networked system. Enter your username. This piece of information and the name of the ticket-granting service are sent to the authentication server (Kerberos). If the authentication server knows about your existence, it generates a random session key for further use between your client and the ticket-granting server. Now the authentication server prepares a ticket for the ticket-granting server. The ticket contains the following information—all encrypted with a key only the authentication server and the ticket-granting server know:
• The names of both the client and the ticket-granting server
• The current time
• A lifetime assigned to this ticket
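The first-contact exchange above, modelled as an added example (not code from the manual or from any Kerberos implementation): the authentication server looks the user up, draws a random session key, and seals a ticket-granting ticket under a key only it and the ticket-granting server hold, so the client can forward the ticket but cannot read or alter it, and the ticket-granting server enforces the lifetime. The cipher is a toy SHA-256 keystream with an HMAC tag standing in for Kerberos's real encryption types, and the ticket also carries the session key (as a real TGT does, though this page's list ends before that item); principal names and keys are constructed for the demo.

```python
import hashlib, hmac, json, os

# Toy authenticated encryption, NOT a Kerberos enctype: SHA-256 keystream XOR + HMAC tag.
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("rejected: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed sample realm: one user key (derived from a password) and the AS/TGS key.
TGS_NAME = "krbtgt/EXAMPLE.COM"
USER_KEYS = {"alice": hashlib.sha256(b"alice-password").digest()}
AS_TGS_KEY = hashlib.sha256(b"AS/TGS shared secret").digest()  # known only to AS and TGS

def as_exchange(username, tgs_name, now, lifetime=8 * 3600):
    """Authentication server: (TGT sealed for the TGS, reply sealed for the user) or None."""
    if username not in USER_KEYS:          # "knows about your existence"
        return None
    session_key = os.urandom(32).hex()     # for client <-> ticket-granting server use
    ticket = {"client": username, "tgs": tgs_name, "issued": now,
              "lifetime": lifetime, "session_key": session_key}
    tgt = encrypt(AS_TGS_KEY, ticket)      # client cannot read or alter this
    reply = encrypt(USER_KEYS[username], {"session_key": session_key,
                                          "tgs": tgs_name, "lifetime": lifetime})
    return tgt, reply

def tgs_check_ticket(tgt, now):
    """Ticket-granting server: open the TGT with the AS/TGS key and enforce its lifetime."""
    ticket = decrypt(AS_TGS_KEY, tgt)
    if not ticket["issued"] <= now < ticket["issued"] + ticket["lifetime"]:
        raise ValueError("ticket expired or not yet valid")
    return ticket
```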
Network Authentication—Kerberos
843