Red Hat LINUX 7.2 Reference Manual page 142

On a "normal" network that uses passwords to authenticate users, when a user requests a network service that requires authentication, the user is prompted to type in their password. The password is transmitted in plaintext over the network, where anyone able to capture traffic along the path can read it, and access to the network service is granted.
As mentioned previously, the central problem solved by Kerberos is how to use passwords for authentication without sending them over the network. On a kerberized network, the Kerberos database contains principals and their keys (for users, their keys are derived from their passwords). The Kerberos database also contains keys for all of the network services.
When a user on a kerberized network logs in to their workstation, their principal is sent to the Key
Distribution Center (KDC) as a request for a Ticket Granting Ticket (TGT). This request can be sent
by the login program (so that it is transparent to the user) or can be sent by the kinit program after
the user logs in.
The KDC checks for the principal in its database. If the principal is found, the KDC creates a TGT and a session key to go with it. The TGT itself is encrypted with the KDC's own key (so the client can present it but not read or alter it), the session key is encrypted with the user's key, and both are sent back to the user. Note that in this flow the KDC does not check the password at all: the reply is returned to whoever named a valid principal, and only a client holding the right key can make use of it.
The login program or kinit decrypts the session key using the user's key (which it computes from the user's password); a wrong password simply fails to decrypt it. The TGT, which is set to expire after a certain period of time, is stored in the user's credentials cache. An expiration time is set so that a compromised TGT can only be used for a certain period of time, usually eight hours (unlike a compromised password, which could be used until changed). The user will not have to re-enter their password until the TGT expires or they log out and log in again.
When the user needs access to a network service, the client uses the TGT to request a ticket for the service from the Ticket Granting Service (TGS), which runs on the KDC. The TGS issues a ticket for the desired service, encrypted with that service's key, which the client presents to the service to authenticate the user. The service checks the ticket with its own key; it does not need to contact the KDC.
As you might have guessed, this explanation is a simplified description of Kerberos authentication
events. If you need a more in-depth explanation of how Kerberos works, see Section 8.6, Additional
Resources.
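The two exchanges described above, modelled end to end in Python as an added example (this is not code from the Red Hat manual or from MIT Kerberos). It assumes a made-up realm EXAMPLE.COM, a user alice and a service host/ws1.example.com, and uses a toy HMAC-based seal()/unseal() in place of the real Kerberos encryption types. The eight-hour lifetime is the page's figure; the five-minute clock-skew tolerance is the MIT default, and it is the reason for the clock-synchronization requirement noted later in this section. The model shows that the password never leaves the client, that a wrong password fails at the client's decryption rather than at the KDC, that the TGS refuses an expired TGT, and that a service validates a ticket with only its own key.

```python
"""Toy model of the Kerberos AS and TGS exchanges described above (an added example, not code
from the Red Hat manual or MIT Kerberos; the realm, names and password are made up, and
seal()/unseal() stand in for the Kerberos encryption types rather than being a real cipher)."""
import hashlib, hmac, json, os

TGT_LIFE = 8 * 3600  # ticket lifetime from the manual's example, in seconds
MAX_SKEW = 300       # MIT KDCs reject authenticators more than 5 minutes off by default

def key_from_password(password, realm, principal):
    """User's long-term key, derived from the password (stand-in for string-to-key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + principal).encode(), 100_000)

def _keystream(key, nonce, length):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]

def seal(key, fields):
    """Encrypt-then-MAC a dict as nonce || ciphertext || HMAC-SHA256 tag."""
    pt = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """Inverse of seal(); raises ValueError on a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:  # Authentication Service and Ticket Granting Service over one principal database
    def __init__(self, realm):
        self.realm, self.tgs = realm, "krbtgt/" + realm
        self.db = {self.tgs: os.urandom(32)}  # principal -> long-term key

    def add_user(self, name, password):
        self.db[name] = key_from_password(password, self.realm, name)

    def add_service(self, name):
        self.db[name] = os.urandom(32)
        return self.db[name]  # the service keeps a copy in its keytab

    def as_exchange(self, principal, now):
        """Client sends only its principal name; the password never crosses the wire."""
        session, expires = os.urandom(32).hex(), now + TGT_LIFE
        # The TGT is sealed under the TGS's own key: the client can present it but not read it.
        tgt = seal(self.db[self.tgs], {"client": principal, "session": session, "expires": expires})
        # The session key is sealed under the user's key (KeyError if the principal is unknown).
        return tgt, seal(self.db[principal], {"session": session, "expires": expires})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """Client presents the TGT plus a fresh authenticator to obtain a service ticket."""
        t = unseal(self.db[self.tgs], tgt)
        if now > t["expires"]:
            raise PermissionError("TGT expired")
        auth = unseal(bytes.fromhex(t["session"]), authenticator)  # proves the session key
        if abs(now - auth["timestamp"]) > MAX_SKEW:
            raise PermissionError("clock skew too large")  # this is why clocks must agree
        svc_session = os.urandom(32).hex()
        ticket = seal(self.db[service], {"client": t["client"], "session": svc_session,
                                         "expires": t["expires"]})
        return ticket, seal(bytes.fromhex(t["session"]), {"session": svc_session})

def kinit(kdc, principal, password, now):
    """Client side of the AS exchange; the returned dict is the credentials cache."""
    tgt, enc_part = kdc.as_exchange(principal, now)
    creds = unseal(key_from_password(password, kdc.realm, principal), enc_part)
    return {"tgt": tgt, "session": bytes.fromhex(creds["session"]), "expires": creds["expires"]}

def get_service_ticket(kdc, ccache, service, now):
    authenticator = seal(ccache["session"], {"timestamp": now})
    ticket, enc_part = kdc.tgs_exchange(ccache["tgt"], authenticator, service, now)
    return ticket, bytes.fromhex(unseal(ccache["session"], enc_part)["session"])

def service_accepts(service_key, ticket, now):
    t = unseal(service_key, ticket)  # the service needs only its own key, never the KDC
    return t["client"] if now <= t["expires"] else None

def run_demo():
    """Constructed realm: one normal login and the two failure modes the text describes."""
    kdc, svc, now = KDC("EXAMPLE.COM"), "host/ws1.example.com", 1_000_000
    kdc.add_user("alice", "correct horse battery")
    host_key = kdc.add_service(svc)
    cc = kinit(kdc, "alice", "correct horse battery", now)
    ticket, _ = get_service_ticket(kdc, cc, svc, now + 60)
    out = {"service_sees": service_accepts(host_key, ticket, now + 120),
           "tgt_life": cc["expires"] - now}
    try:  # wrong password: the KDC never saw it, the client simply fails to decrypt
        kinit(kdc, "alice", "wrong password", now)
    except ValueError:
        out["wrong_password"] = "rejected locally"
    try:  # expired TGT: the TGS refuses to issue service tickets for it
        get_service_ticket(kdc, cc, svc, now + TGT_LIFE + 1)
    except PermissionError:
        out["expired_tgt"] = "rejected by TGS"
    return out
```

Call run_demo() to see all four outcomes. One caveat the model makes visible: because the KDC in this flow returns the user-key-encrypted reply to anyone who names a valid principal, an attacker who captures that reply can guess passwords against it offline. That is why Kerberos implementations also offer pre-authentication, which makes the client prove knowledge of its key before the KDC answers.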
Note
Kerberos depends on certain network services to work correctly. First, Kerberos requires approximate clock synchronization between the machines on your network. If you have not set up a clock syncing program for your network, you will need to do so. Also, since certain aspects of Kerberos rely on the Domain Name System (DNS), be sure that the DNS entries and hosts on your network are all correctly configured. See the Kerberos V5 System Administrator's Guide, provided in PostScript and HTML formats, in /usr/share/doc/krb5-server-<version-number>, for more information on these issues.

Chapter 8: Using Kerberos 5 on Red Hat Linux