What is Kerberos?
Developed by MIT, Kerberos is a system that provides authenticated access for users and services on a network. At Indiana University, your Kerberos identity is managed through Active Directory and established through your Network ID.
With Kerberos, clients and services authenticate by exchanging time-limited tickets, so your password is never sent over the network at all, in plaintext or otherwise. For a client program to take advantage of Kerberos, it must be Kerberized, which means that it can obtain tickets from the Kerberos server and negotiate with a Kerberos-aware service. Most programs can be Kerberized, including web browsers, telnet applications, POP email clients, and print utilities. Similarly, services that can be made Kerberos-aware include web sites, printers, file servers, and POP mail servers. Though the protocol is fairly complex, its basic characteristics are these:
- Every user and every service has a password (for a service, usually a long random key kept in a keytab file). Only the owner of the password and the Kerberos server know it; the server stores a key derived from it rather than the password itself. Passwords must remain confidential, because Kerberos provides no inherent protection against a stolen one: whoever holds your password can obtain tickets in your name.
- When you use a client program that makes an initial ticket request, it asks you for your Kerberos username and password and sends a ticket request to the Kerberos server. The server responds with a ticket-granting ticket (TGT) and a session key. The TGT itself is encrypted with a key that only the Kerberos server knows, so your client can neither read nor alter it; the session key that goes with it is encrypted with a key derived from your password. Because only you and the Kerberos server know that password, only you can recover the session key, and without it the TGT is useless. This ticket-granting ticket normally expires eight hours after it is issued.
- Once you have a ticket-granting ticket, you may then use Kerberized programs to request services from Kerberos-aware servers. The Kerberized program sends your TGT, together with an authenticator (your name and a current timestamp encrypted with the session key), to the ticket-granting service (usually the Kerberos server itself) with a request to transact with a specific service (e.g., a printer, a POP email server). The server returns a service ticket, encrypted with that service's own key, plus a fresh session key for you and the service. Presenting the ticket and a new authenticator proves your identity to the service; when the service answers with something only a holder of the ticket's session key could produce, it has proved its identity to you. Both sides are therefore shown to be who they say they are.
- Kerberos gives you the option to encrypt data sent over the network. This means that the entire transaction between you and a Kerberos-aware service will be in unreadable ciphertext rather than plaintext.
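The three exchanges described in the list above (logging in for a TGT, trading the TGT for a service ticket, and presenting that ticket to a service that then talks back over an encrypted channel), as an added, self-contained Python simulation. This is not IU's or MIT's code and not the Kerberos wire protocol: the realm EXAMPLE.EDU, the user alice with password "correct horse", the printer principal printer/lab1 and its key are all made up, message layouts are simplified, and the cipher is a toy HMAC-based encrypt-then-MAC standing in for the real AES enctypes. What it does reproduce is the key handling the page describes: the password is turned into a key on the client (with the PBKDF2 derivation the AES enctypes actually use) and never transmitted, the TGT is opaque to the client, the service ticket is opaque to everyone but the service, the server enforces the eight-hour lifetime, and a stale authenticator is rejected the way a real KDC rejects clock skew.

```python
import hashlib, hmac, json, os

# Constructed realm, principals and keys for this demonstration; none of it is IU's configuration.
REALM = "EXAMPLE.EDU"
LIFETIME = 8 * 3600   # TGT lifetime, matching the page's "eight hours"
MAX_SKEW = 300        # the conventional 5-minute clock-skew tolerance

def string2key(password, principal):
    # Kerberos 5 AES enctypes derive the long-term key with PBKDF2 salted by realm + principal.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 4096, 32)

def xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as a keystream. With the HMAC tag added in encrypt() this is a
    # toy encrypt-then-MAC standing in for Kerberos' AES+HMAC enctypes; demonstration only.
    ks = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def encrypt(key, obj):
    nonce = os.urandom(16)
    ct = xor_stream(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered message")
    return json.loads(xor_stream(key, nonce, ct))

def check_ticket(ticket, authenticator_blob, now):
    # Shared by the TGS and by services: ticket unexpired, authenticator names the same client and is fresh.
    if now > ticket["expires"]:
        raise ValueError("ticket expired")
    auth = decrypt(bytes.fromhex(ticket["session"]), authenticator_blob)
    if auth["client"] != ticket["client"] or abs(now - auth["time"]) > MAX_SKEW:
        raise ValueError("authenticator mismatch or clock skew too great")
    return auth

class KDC:
    def __init__(self, passwords, service_keys):
        # Only each principal and the KDC hold that principal's long-term key (first bullet above).
        self.keys = {**{p: string2key(pw, p) for p, pw in passwords.items()}, **service_keys}
        self.tgs_key = os.urandom(32)   # the krbtgt key never leaves the KDC
    def as_exchange(self, client, now):
        # AS-REP: the TGT is sealed under the TGS key (opaque to the client); the session key is
        # sealed under the user's password-derived key, so only the real user can make use of the TGT.
        session, expires = os.urandom(32).hex(), now + LIFETIME
        return {"tgt": encrypt(self.tgs_key, {"client": client, "session": session, "expires": expires}),
                "enc_part": encrypt(self.keys[client], {"session": session, "expires": expires})}
    def tgs_exchange(self, tgt_blob, authenticator, service, now):
        # TGS-REP: service ticket sealed under the service's key, new session key under the TGT session key; no password involved.
        tgt = decrypt(self.tgs_key, tgt_blob)
        check_ticket(tgt, authenticator, now)
        session = os.urandom(32).hex()
        ticket = {"client": tgt["client"], "session": session, "expires": tgt["expires"]}
        return {"ticket": encrypt(self.keys[service], ticket),
                "enc_part": encrypt(bytes.fromhex(tgt["session"]), {"session": session})}

def service_handle(service_key, ticket_blob, authenticator, enc_request, now):
    # Service side of the AP exchange; echoing the client's timestamp under the session key is the mutual-authentication step.
    ticket = decrypt(service_key, ticket_blob)
    auth = check_ticket(ticket, authenticator, now)
    session = bytes.fromhex(ticket["session"])
    reply = {"to": ticket["client"], "echo": decrypt(session, enc_request)}
    return encrypt(session, {"time": auth["time"]}), encrypt(session, reply)

class Client:
    def __init__(self, name, password):
        self.name, self.key = name, string2key(password, name)   # the password never leaves the client
    def authenticator(self, key, now):
        return encrypt(key, {"client": self.name, "time": now})
    def login(self, kdc, now):
        rep = kdc.as_exchange(self.name, now)
        creds = decrypt(self.key, rep["enc_part"])   # fails right here if the password was wrong
        self.tgt, self.tgt_session = rep["tgt"], bytes.fromhex(creds["session"])
    def service_ticket(self, kdc, service, now):
        rep = kdc.tgs_exchange(self.tgt, self.authenticator(self.tgt_session, now), service, now)
        return rep["ticket"], bytes.fromhex(decrypt(self.tgt_session, rep["enc_part"])["session"])
    def talk_to(self, service, ticket, session, now, msg):
        ap_rep, reply = service(ticket, self.authenticator(session, now), encrypt(session, msg))
        if decrypt(session, ap_rep)["time"] != now:
            raise ValueError("service failed mutual authentication")
        return decrypt(session, reply)

def run_session(password="correct horse", delay=0, printer_clock_offset=0, msg="print job 1", now=1_700_000_000):
    # Log in, request a printer ticket `delay` seconds later, send a job to a printer whose clock is off by `printer_clock_offset`.
    printer_key = os.urandom(32)   # in practice a keytab on the printer and a copy in the KDC
    kdc = KDC({"alice": "correct horse"}, {"printer/lab1": printer_key})
    printer = lambda *msgs: service_handle(printer_key, *msgs, now + delay + printer_clock_offset)
    alice = Client("alice", password)
    alice.login(kdc, now)
    ticket, session = alice.service_ticket(kdc, "printer/lab1", now + delay)
    return alice.talk_to(printer, ticket, session, now + delay, msg)

def fails(**kwargs):
    try:
        run_session(**kwargs)
    except ValueError:
        return True
    return False
```

run_session() completes a print job and returns the printer's encrypted reply, decrypted with the session key. run_session(password="wrong") fails at the very first decryption, because the key derived from the wrong password cannot open the AS reply; run_session(delay=LIFETIME + 1) fails because the eight-hour TGT has expired; and a printer whose clock is more than MAX_SKEW seconds away from the client's rejects the authenticator, which is the familiar "clock skew too great" error. Note that the client only ever hands the printer a ticket and an authenticator; it never holds the printer's key.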
For more, consult MIT's Kerberos page or the newsgroup.
Last modified on May 10, 2011.