Kerberos Terminology - Red Hat ENTERPRISE LINUX 3 Reference Manual

Kerberos assumes that each user is trusted and is using an untrusted host on an untrusted network.
Its primary goal is to prevent unencrypted passwords from being sent across that network. However,
if anyone other than the proper user has access to the one host that issues tickets used for
authentication — called the key distribution center (KDC) — the entire Kerberos authentication
system is at risk.
For an application to use Kerberos, its source must be modified to make the appropriate calls into
the Kerberos libraries. Applications modified in this way are considered to be kerberized. For some
applications, this can be quite problematic due to the size of the application or its design. For other
incompatible applications, changes must be made to the way in which the server and client side
communicate. Again, this may require extensive programming. Closed-source applications that do
not have Kerberos support by default are often the most problematic.
Kerberos is an all or nothing solution. Once Kerberos is used on the network, any unencrypted
passwords transferred to a non-kerberized service are at risk. Thus, the network gains no benefit from
the use of Kerberos. To secure a network with Kerberos, one must either use kerberized versions of
all client/server applications which send unencrypted passwords or not use any such client/server
applications at all.

18.2. Kerberos Terminology

Kerberos has its own terminology to define various aspects of the service. Before learning how
Kerberos works, it is important to learn the following terms.
Authentication Server (AS)
A server that issues tickets for a desired service which are in turn given to users for access to the
service. The AS responds to requests from clients who do not have or do not send credentials with
a request. It is usually used to gain access to the Ticket-granting Server (TGS) service by issuing
a Ticket-granting Ticket (TGT). The AS usually runs on the same host as the Key Distribution
Center (KDC).
ciphertext
Encrypted data.
client
An entity on the network (a user, a host, or an application) that can receive a ticket from Kerberos.
credentials
A temporary set of electronic credentials that verify the identity of a client for a particular service.
Also called a ticket.
credential cache or ticket file
A file which contains the keys for encrypting communications between a user and various
network services. Kerberos 5 supports a framework for using other cache types, such as shared
memory, but files are more thoroughly supported.
crypt hash
A one-way hash used to authenticate users. While more secure than unencrypted data, it is fairly
easy for an experienced cracker to recover the original password from it.
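The exchange described under Authentication Server, credentials and credential cache above, as an added Python simulation that is not part of the manual: the client sends only its principal name, the AS answers with the session key encrypted under the user's password-derived key plus a TGT encrypted under the TGS key, and the client unlocks the session key locally, so the password itself never crosses the network and a wrong password simply fails the integrity check. The toy cipher, the PBKDF2 string-to-key function and all names are assumptions, not the real Kerberos encryption types or MIT library API.

```python
import hashlib, hmac, json, os, time

# Toy authenticated encryption standing in for a Kerberos enctype (assumption, not a real one):
# keystream = SHA-256(key || nonce || counter), integrity via HMAC-SHA256 over nonce || ciphertext.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def string_to_key(password: str, principal: str, realm: str) -> bytes:
    # Long-term key derived from the password; salting with realm+principal is a simplification.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 10_000)

class AuthenticationServer:
    """AS on the KDC host: knows every principal's long-term key and the TGS key."""
    def __init__(self, realm: str, user_db: dict):
        self.realm = realm
        self.user_keys = {p: string_to_key(pw, p, realm) for p, pw in user_db.items()}
        self.tgs_key = os.urandom(32)  # shared only between AS and TGS, never sent to clients

    def as_exchange(self, principal: str) -> dict:
        # AS-REQ carries only the principal name; no password crosses the network.
        session_key = os.urandom(32)
        tgt = {"client": principal, "session_key": session_key.hex(),
               "expires": int(time.time()) + 8 * 3600}
        return {"enc_part": encrypt(self.user_keys[principal], session_key),  # only the user can open this
                "tgt": encrypt(self.tgs_key, json.dumps(tgt).encode())}        # opaque to the client

def client_obtain_tgt(as_server: AuthenticationServer, principal: str, password: str) -> dict:
    # What kinit does: derive the key locally and unlock the session key; wrong password -> ValueError.
    rep = as_server.as_exchange(principal)
    session_key = decrypt(string_to_key(password, principal, as_server.realm), rep["enc_part"])
    return {"principal": principal, "session_key": session_key, "tgt": rep["tgt"]}  # credential cache entry

def tgs_read_tgt(as_server: AuthenticationServer, tgt_blob: bytes) -> dict:
    # The TGS (sharing tgs_key with the AS) is the only party that can read the TGT contents.
    return json.loads(decrypt(as_server.tgs_key, tgt_blob))
```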
Chapter 18. Kerberos
