How Kerberos Works - Red Hat ENTERPRISE LINUX 3 Reference Manual

Ticket-granting Server (TGS)
A server that issues tickets for a desired service which are in turn given to users for access to the
service. The TGS usually runs on the same host as the KDC.
Ticket-granting Ticket (TGT)
A special ticket that allows the client to obtain additional tickets without applying for them from
the KDC.
unencrypted password
A plain text, human-readable password.

18.3. How Kerberos Works

Kerberos differs from username/password authentication methods because instead of authenticating
each user to each network service, it uses symmetric encryption and a trusted third party — known as
the Key Distribution Center (KDC) — to authenticate users to a suite of network services. Once a user
authenticates to the KDC, it sends a ticket specific to that session back to the user's machine, and any
kerberized service looks for the ticket on the user's machine rather than asking the user to authenticate
using a password.
When a user on a kerberized network logs in to their workstation, their principal is sent to the KDC in
a request for a Ticket-granting Ticket (TGT) from the Authentication Server (AS). This request can
be sent by the login program so that it is transparent to the user, or can be sent by the kinit program
after the user logs in.
The KDC checks for the principal in its database. If the principal is found, the KDC creates a TGT,
which is encrypted using the user's key and returned to that user.
The login or kinit program on the client machine then decrypts the TGT using the user's key (which
it computes from the user's password). The user's key is used only on the client machine and is not
sent over the network.
The TGT is set to expire after a certain period of time (usually ten hours) and is stored in the client
machine's credentials cache. An expiration time is set so that a compromised TGT is of use to an
attacker for only a short period of time. Once the TGT is issued, the user does not have to re-enter
their password until the TGT expires or they log out and log in again.
Whenever the user needs access to a network service, the client software uses the TGT to request a
new ticket for that specific service from the Ticket-granting Server (TGS). The service ticket is then
used to authenticate the user to that service transparently.
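The three exchanges just described (AS exchange for the TGT, TGS exchange for a service ticket, and presentation of that ticket to a kerberized service) can be followed end to end in a small model. The following is an added example written for this page, not code from the Red Hat manual or from any Kerberos implementation: the principal names, the realm, the 300-second clock-skew window, and the cryptography (PBKDF2 as a stand-in for Kerberos string-to-key, an HMAC-SHA256 keystream with an HMAC tag as a stand-in for the real encryption types) are all assumptions made for illustration. What it does show faithfully is the flow of keys: the user's key is derived locally from the password and never leaves the client, the TGT is readable only by the TGS, and the service verifies a ticket without ever seeing a password.

```python
"""Toy model of the Kerberos AS, TGS and AP exchanges (constructed example)."""
import hashlib, hmac, json, os

TGT_LIFETIME = 10 * 3600   # seconds; the manual's "usually ten hours"
MAX_SKEW = 300             # assumed clock-skew tolerance for authenticators


def string2key(password: str, salt: str) -> bytes:
    # Stand-in for Kerberos string-to-key; computed on the client, never transmitted.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object. Toy construction, not an RFC 3961 enctype."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Authentication Server (AS) and Ticket-granting Server (TGS) on one host."""
    def __init__(self, realm: str):
        self.realm, self.db = realm, {}    # db: principal -> long-term key
        self.tgs_key = os.urandom(32)      # key of the ticket-granting service itself

    def add_principal(self, name: str, password: str):
        self.db[name] = string2key(password, self.realm + name)

    def as_exchange(self, principal: str, now: int):
        """AS-REQ/AS-REP: issue a TGT; the reply is readable only with the user's key."""
        if principal not in self.db:
            raise LookupError("unknown principal")
        session, exp = os.urandom(32).hex(), now + TGT_LIFETIME
        tgt = seal(self.tgs_key, {"client": principal, "key": session, "expires": exp})
        return tgt, seal(self.db[principal], {"key": session, "expires": exp})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int):
        """TGS-REQ/TGS-REP: a valid TGT plus a fresh authenticator buys a service ticket."""
        t = unseal(self.tgs_key, tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired")
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if auth["client"] != t["client"] or abs(auth["time"] - now) > MAX_SKEW:
            raise PermissionError("bad authenticator")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.db[service], {"client": t["client"], "key": svc_session,
                                        "expires": t["expires"]})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_session, "service": service})


class Client:
    def __init__(self, kdc: KDC, principal: str):
        self.kdc, self.principal, self.ccache = kdc, principal, {}   # credentials cache

    def kinit(self, password: str, now: int):
        tgt, enc_part = self.kdc.as_exchange(self.principal, now)
        key = string2key(password, self.kdc.realm + self.principal)  # local only
        part = unseal(key, enc_part)        # wrong password -> ValueError, nothing leaks
        self.ccache["krbtgt"] = (tgt, bytes.fromhex(part["key"]))

    def ticket_for(self, service: str, now: int):
        if service not in self.ccache:      # reuse cached service tickets
            tgt, skey = self.ccache["krbtgt"]
            auth = seal(skey, {"client": self.principal, "time": now})
            ticket, enc_part = self.kdc.tgs_exchange(tgt, auth, service, now)
            self.ccache[service] = (ticket, bytes.fromhex(unseal(skey, enc_part)["key"]))
        return self.ccache[service]

    def ap_req(self, service: str, now: int):
        ticket, skey = self.ticket_for(service, now)
        return ticket, seal(skey, {"client": self.principal, "time": now})


def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> bool:
    """AP-REQ check on the kerberized service: it holds only its own key, no passwords."""
    try:
        t = unseal(service_key, ticket)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
    except ValueError:
        return False
    return a["client"] == t["client"] and now <= t["expires"] and abs(a["time"] - now) <= MAX_SKEW


if __name__ == "__main__":
    kdc = KDC("EXAMPLE.COM")                       # constructed realm and principals
    kdc.add_principal("alice", "correct horse")
    kdc.add_principal("host/mail", "service-secret")
    c = Client(kdc, "alice")
    c.kinit("correct horse", 1_000_000)
    ticket, auth = c.ap_req("host/mail", 1_000_060)
    print("service accepts:", service_accepts(kdc.db["host/mail"], ticket, auth, 1_000_060))
```

A wrong password fails at `unseal` inside `kinit`, on the client, before any ticket is used; an expired TGT is rejected by the TGS; and a ticket presented outside the skew window, or sealed under a different key, is rejected by the service. In this model the service is handed its key directly from `kdc.db`; on a real host that key lives in the service's keytab.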
Warning
The Kerberos system can be compromised any time any user on the network authenticates against
a non-kerberized service by sending a password in plain text. Use of non-kerberized services is
discouraged. Such services include Telnet and FTP. Use of other encrypted protocols, such as SSH
or SSL secured services, however, is acceptable, though not ideal.
This is only a broad overview of how Kerberos authentication works. Those seeking a more in-depth
look at Kerberos authentication should refer to Section 18.7 Additional Resources.