Kerberos differs from username/password authentication methods. Instead of authenticating each user to each network service separately, Kerberos uses symmetric encryption and a trusted third party, the Key Distribution Center (KDC), to authenticate users to a whole suite of network services. When a user authenticates to the KDC, the KDC sends a ticket specific to that session back to the user's machine, and Kerberos-aware services look for that ticket on the user's machine rather than requiring the user to authenticate with a password.
When a user on a Kerberos-aware network logs in to their workstation, their principal is sent to the KDC as part of a request for a ticket-granting ticket (TGT) from the Authentication Server. This request can be sent by the login program, so that it is transparent to the user, or by the kinit program after the user logs in. The KDC then looks up the principal in its database. If the principal is found, the KDC creates a TGT, which is encrypted using the user's key and returned to that user. The login or kinit program on the client then decrypts the TGT using the user's key, which it computes from the user's password. The user's key is used only on the client machine and is never transmitted over the network.

The TGT is set to expire after a certain period of time (usually ten to twenty-four hours) and is stored in the client machine's credentials cache. The expiration time limits how long a compromised TGT is of use to an attacker. After the TGT has been issued, the user does not have to re-enter their password until the TGT expires or until they log out and log in again. Whenever the user needs access to a network service, the client software uses the TGT to request a new ticket for that specific service from the Ticket Granting Server (TGS). The service ticket is then used to authenticate the user to that service transparently.
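To make the two exchanges above concrete, here is a toy model of the AS and TGS flows written for this page. It is not code from any Kerberos implementation and does not implement RFC 4120 wire formats or encryption types: the seal/unseal helper (an HMAC-SHA256 keystream plus an HMAC tag) is a constructed stand-in for a Kerberos enctype, and the principal names, the service name, the passwords and the ten-hour lifetime are constructed sample values. One detail the model makes explicit: in real Kerberos the TGT itself is sealed under the KDC's own krbtgt key so that only the KDC can read it, while the reply to the client encrypts just the session key and expiry under the user's password-derived key; the client never decrypts the TGT, it only stores and presents it.

```python
"""Toy Kerberos AS/TGS model (illustrative only, not RFC 4120)."""
import hashlib
import hmac
import json
import os
import time

REALM_TGS = "krbtgt/EXAMPLE.COM"     # KDC's own principal (constructed)
TGT_LIFETIME = 10 * 3600             # ten hours, within the range the text quotes
CLOCK_SKEW = 300                     # authenticator freshness window in seconds


def _keystream(key, nonce, length):
    """Expand key+nonce into a keystream with HMAC-SHA256 in counter mode."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable dict (stand-in for a Kerberos enctype)."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob):
    """Verify the tag, then decrypt; a wrong key or a modified blob raises ValueError."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed (wrong key or tampered ticket)")
    return json.loads(bytes(a ^ b for a, b in zip(body, _keystream(key, nonce, len(body)))))


def string_to_key(password, principal):
    """Derive the user's long-term key from the password; it never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


class KDC:
    def __init__(self):
        # Principal database: principal name -> long-term key.
        self.db = {REALM_TGS: os.urandom(32)}

    def add_principal(self, principal, password):
        self.db[principal] = string_to_key(password, principal)

    def as_exchange(self, principal, now):
        """Authentication Server: AS-REQ in, (TGT, part encrypted for the user) out."""
        if principal not in self.db:
            raise KeyError("unknown principal")
        session_key, expires = os.urandom(32), now + TGT_LIFETIME
        tgt = seal(self.db[REALM_TGS], {"client": principal, "key": session_key.hex(), "expires": expires})
        user_part = seal(self.db[principal], {"key": session_key.hex(), "expires": expires})
        return tgt, user_part

    def tgs_exchange(self, tgt, authenticator, service, now):
        """Ticket Granting Server: TGS-REQ (TGT + authenticator) in, service ticket out."""
        t = unseal(self.db[REALM_TGS], tgt)          # only the KDC can open a TGT
        if now > t["expires"]:
            raise PermissionError("TGT expired; the user must kinit again")
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if auth["client"] != t["client"] or abs(now - auth["time"]) > CLOCK_SKEW:
            raise PermissionError("authenticator does not match the TGT or is stale")
        svc_key = os.urandom(32)
        ticket = seal(self.db[service], {"client": t["client"], "key": svc_key.hex(), "expires": t["expires"]})
        client_part = seal(bytes.fromhex(t["key"]), {"key": svc_key.hex()})
        return ticket, client_part


def kinit(kdc, principal, password, now):
    """Client side of the AS exchange: returns the credentials-cache entry."""
    tgt, user_part = kdc.as_exchange(principal, now)
    rep = unseal(string_to_key(password, principal), user_part)   # wrong password -> ValueError
    return {"principal": principal, "tgt": tgt, "session_key": bytes.fromhex(rep["key"]), "expires": rep["expires"]}


def get_service_ticket(kdc, ccache, service, now):
    """Client side of the TGS exchange: no password needed, only the cached TGT."""
    authenticator = seal(ccache["session_key"], {"client": ccache["principal"], "time": now})
    ticket, client_part = kdc.tgs_exchange(ccache["tgt"], authenticator, service, now)
    return ticket, bytes.fromhex(unseal(ccache["session_key"], client_part)["key"])


def service_accepts(service_key, ticket, now):
    """The service opens the ticket with its own key (its keytab) and learns the client name."""
    t = unseal(service_key, ticket)
    return t["client"] if now <= t["expires"] else None


def demo(password="correct horse battery staple", hours_later=0):
    """Full login -> service access round trip; returns the authenticated client name."""
    kdc = KDC()
    kdc.add_principal("alice@EXAMPLE.COM", "correct horse battery staple")
    kdc.db["host/web.example.com"] = os.urandom(32)
    now = time.time()
    ccache = kinit(kdc, "alice@EXAMPLE.COM", password, now)
    later = now + hours_later * 3600
    ticket, _ = get_service_ticket(kdc, ccache, "host/web.example.com", later)
    return service_accepts(kdc.db["host/web.example.com"], ticket, later)


if __name__ == "__main__":
    print(demo())  # alice@EXAMPLE.COM
```

Running `demo()` walks through the whole flow once; `demo(password="wrong")` fails inside `kinit` with a ValueError because the password-derived key cannot open the AS reply, and `demo(hours_later=11)` fails in the TGS exchange with a PermissionError because the cached TGT has passed its ten-hour lifetime, which is the expiry behaviour the text describes.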
Great information, thanks for sharing.