Chapter 3. Using Kerberos
3.1. About Kerberos
3.1.1. How Kerberos Works
kinit program after the user logs in.
Figure 3.1. Kerberos Authentication, in Steps
kinit program on the client then decrypts the TGT using the user's key, which it computes from the user's password. The user's key is used only on the client machine and is never transmitted over the network. The ticket (or credentials) sent by the KDC is stored in a local file, the credentials cache, which can be checked by Kerberos-aware services.
kinit; this is kept in a keytab.
- Approximate clock synchronization between the machines on the network can be set up using a service such as ntpd, which is documented in
- Both DNS entries and hosts on the network must be properly configured, which is covered in the Kerberos documentation in
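The following is an added, self-contained model of the exchange in Figure 3.1 (it is not code from this guide or from MIT Kerberos): the client derives its key from the password locally, only the principal name and a timestamp reach the KDC, what kinit decrypts becomes the credentials cache, the TGT itself stays opaque to the client, and a request outside the clock-skew window is refused. The realm, principal, password, PBKDF2 key derivation and HMAC-based sealing are all constructed stand-ins for the real Kerberos enctypes.

```python
import hashlib, hmac, os, time

REALM = "EXAMPLE.COM"        # constructed realm; not from the guide
MAX_SKEW = 300               # seconds of tolerated clock skew (Kerberos default)

def string2key(password: str, user: str) -> bytes:
    # Assumption: PBKDF2 stands in for the Kerberos string-to-key function.
    # Same idea: the key is derived on the client and never leaves it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + user).encode(), 10000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def seal(key: bytes, data: bytes) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

# KDC side. The database stores keys, never passwords (constructed entry).
KDC_DB = {"alice": string2key("correct horse battery", "alice")}
KRBTGT_KEY = os.urandom(32)  # krbtgt long-term key, known only to the KDC

def as_exchange(user: str, client_time: float, kdc_time: float):
    """AS-REQ/AS-REP: only the principal name and a timestamp reach the KDC."""
    if abs(client_time - kdc_time) > MAX_SKEW:
        raise PermissionError("KRB_AP_ERR_SKEW: clock skew too great")
    session_key = os.urandom(32)
    tgt = seal(KRBTGT_KEY, user.encode() + b"|" + session_key)  # opaque to the client
    return seal(KDC_DB[user], session_key), tgt

def kinit(user: str, password: str, reply) -> dict:
    """Client side: derive the key from the password locally, decrypt the session key."""
    enc_part, tgt = reply
    session_key = unseal(string2key(password, user), enc_part)
    return {"principal": f"{user}@{REALM}", "session_key": session_key, "tgt": tgt}

def kdc_reads_tgt(tgt: bytes) -> str:
    """What the ticket-granting service later does: open the TGT with its own key."""
    return unseal(KRBTGT_KEY, tgt).split(b"|")[0].decode()

if __name__ == "__main__":
    now = time.time()
    cc = kinit("alice", "correct horse battery", as_exchange("alice", now, now))
    print("cached TGT for", cc["principal"], "issued to", kdc_reads_tgt(cc["tgt"]))
```

A wrong password fails at the client's integrity check rather than at the KDC, which is why the KDC never needs to see the password at all.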
3.1.2. Considerations for Deploying Kerberos
- Migrating user passwords from a standard UNIX password database, such as /etc/shadow, to a Kerberos password database can be tedious. There is no automated mechanism to perform this task. This is covered in question 2.23 in the online Kerberos FAQ for the US Navy.
- Kerberos assumes that each user is trusted but is using an untrusted host on an untrusted network. Its primary goal is to prevent unencrypted passwords from being transmitted across that network. However, if anyone other than the proper user has access to the one host that issues tickets used for authentication — the KDC — the entire Kerberos authentication system is at risk.
- For an application to use Kerberos, its source must be modified to make the appropriate calls into the Kerberos libraries. Applications modified in this way are considered to be Kerberos-aware, or kerberized. For some applications, this can be quite problematic due to the size of the application or its design. For other incompatible applications, changes must be made to the way in which the server and client communicate. Again, this can require extensive programming. Closed-source applications that do not have Kerberos support by default are often the most problematic.
- Kerberos is an all-or-nothing solution. If Kerberos is used on the network, any unencrypted passwords transferred to a non-Kerberos-aware service are still at risk, and the network gains no benefit from the use of Kerberos. To secure a network with Kerberos, one must either use Kerberos-aware versions of all client/server applications that transmit passwords unencrypted, or not use those client/server applications at all.
3.1.3. Additional Resources for Kerberos
Table 3.2. Important Kerberos Manpages

| Manpage | Description |
|---|---|
| kerberos | An introduction to the Kerberos system which describes how credentials work and provides recommendations for obtaining and destroying Kerberos tickets. The bottom of the man page references a number of related man pages. |
| kinit | Describes how to use this command to obtain and cache a ticket-granting ticket. |
| kdestroy | Describes how to use this command to destroy Kerberos credentials. |
| klist | Describes how to use this command to list cached Kerberos credentials. |
| kadmin | Describes how to use this command to administer the Kerberos V5 database. |
| kdb5_util | Describes how to use this command to create and perform low-level administrative functions on the Kerberos V5 database. |
| krb5kdc | Describes available command line options for the Kerberos V5 KDC. |
| kadmind | Describes available command line options for the Kerberos V5 administration server. |
| krb5.conf | Describes the format and options available within the configuration file for the Kerberos V5 library. |
| kdc.conf | Describes the format and options available within the configuration file for the Kerberos V5 AS and KDC. |