Users' View Of Kerberos - Novell LINUX ENTERPRISE DESKTOP 11 - SECURITY GUIDE 17-03-2009 Manual

• The client's principal
• The server's principal
• The current time
• The client's IP address
• The newly-generated session key
The new ticket is assigned a lifetime, which is the lesser of the remaining lifetime of
the ticket-granting ticket and the default for the service. The client receives this ticket
and the session key, which are sent by the ticket-granting service, but this time the answer
is encrypted with the session key that came with the original ticket-granting ticket. The
client can decrypt the response without requiring the user's password when a new service
is contacted. Kerberos can thus acquire ticket after ticket for the client without bothering
the user more than once at login time.
6.2.5 Compatibility to Windows 2000
Windows 2000 contains a Microsoft implementation of Kerberos 5. Because SUSE®
Linux Enterprise Desktop uses the MIT implementation of Kerberos 5, find useful in-
formation and guidance in the MIT documentation. See
mation"

6.3 Users' View of Kerberos

Ideally, a user's one and only contact with Kerberos happens during login at the work-
station. The login process includes obtaining a ticket-granting ticket. At logout, a user's
Kerberos tickets are automatically destroyed, which makes it difficult for anyone else
to impersonate this user. The automatic expiration of tickets can lead to a somewhat
awkward situation when a user's login session lasts longer than the maximum lifespan
given to the ticket-granting ticket (a reasonable setting is 10 hours). However, the user
can get a new ticket-granting ticket by running kinit. Enter the password again and
Kerberos obtains access to desired services without additional authentication. To get a
list of all the tickets silently acquired for you by Kerberos, run klist.
66 Security Guide
(page 67).
Section 6.4, "For More Infor-