Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual page 76

• The names both of the client and the ticket-granting server
• The current time
• A lifetime assigned to this ticket
• The client's IP address
• The newly-generated session key
This ticket is then sent back to the client together with the session key, again in encrypted
form, but this time the private key of the client is used. This private key is only known
to Kerberos and the client, because it is derived from your user password. Now that the
client has received this response, you are prompted for your password. This password
is converted into the key that can decrypt the package sent by the authentication server.
The package is "unwrapped" and password and key are erased from the workstation's
memory. As long as the lifetime given to the ticket used to obtain other tickets does
not expire, your workstation can prove your identity.
6.2.2 Requesting a Service
To request a service from any server in the network, the client application needs to
prove its identity to the server. Therefore, the application generates an authenticator.
An authenticator consists of the following components:
• The client's principal
• The client's IP address
• The current time
• A checksum (chosen by the client)
All this information is encrypted using the session key that the client has already received
for this special server. The authenticator and the ticket for the server are sent to the
server. The server uses its copy of the session key to decrypt the authenticator, which
gives it all information needed about the client requesting its service to compare it to
that contained in the ticket. The server checks if the ticket and the authenticator originate
from the same client.
64 Security Guide