Indiana University
University Information Technology Services

What is Kerberos?

Developed by MIT, Kerberos is a system that provides authenticated access for users and services on a network. At Indiana University, your Kerberos identity is established through your Network ID. Kerberos is used, for example, to access the dial-in modem pools and the Account Management Service.

With Kerberos, by exchanging time-sensitive tickets, you can make transactions secure without sending passwords in plaintext over the network. For a program to take advantage of Kerberos, it must be Kerberized, which means that it can obtain tickets from the Kerberos server and negotiate with a Kerberos-aware service. Just about any program can be Kerberized, including web browsers, telnet applications, POP email clients, and print utilities. Similarly, services that can be made Kerberos-aware include web sites, printers, file servers, and POP mail servers. Though it is a fairly complex protocol, a few of its basic characteristics follow:

  • Every user and every service has a password. Only the owner of the password and the Kerberos server know this password. Passwords must remain confidential: Kerberos provides no inherent protection against a password that has been stolen.

  • When you use a program that makes an initial ticket request to the Kerberos server, it will ask you for your Kerberos username and password. The program will then send a ticket request to the Kerberos server. The server will respond by sending you a ticket-granting ticket that it encrypts using a key derived from your password. Because only you and the Kerberos server know your password, only you can decrypt and use the ticket-granting ticket. This ticket-granting ticket normally expires eight hours after it is issued.

  • Once you have a ticket-granting ticket, you may then use Kerberized programs to request services from Kerberos-aware servers. The Kerberized program sends your ticket-granting ticket to a ticket-granting server (usually the Kerberos server itself) with a request to transact with a specific service (e.g., a printer or a POP email server). The server gives you a ticket that lets you conduct a transaction with the service and also ensures that both you and the service are who you say you are.

  • Kerberos gives you the option to encrypt data sent over the network. This means that the entire transaction between you and a Kerberos-aware service will be in unreadable ciphertext rather than plaintext.
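The ticket flow in the list above, as an added, self-contained Python simulation (not IU's or MIT's code): a constructed KDC with password-derived keys issues a ticket-granting ticket that only the user's key can open, then a service ticket that only the service's key can open, and both checks fail on a wrong password or an expired ticket. The toy cipher, the principal names and the passwords are assumptions made for illustration.

```python
import hashlib, hmac, json, os
TGT_LIFETIME = 8 * 3600  # the eight-hour ticket-granting ticket lifetime described above

def derive_key(password, salt):
    # Kerberos turns the password into a long-term key (string-to-key); PBKDF2 stands in for it here.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _stream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(2, "big")).digest() for i in range(n // 32 + 1))
def seal(key, obj):
    # Toy authenticated encryption (keystream XOR + HMAC tag) standing in for Kerberos' real ciphers.
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    def __init__(self, passwords):
        # Constructed principal database: each user and service shares one long-term key with the KDC.
        self.keys = {p: derive_key(pw, p) for p, pw in passwords.items()}
    def as_exchange(self, user, now):
        # AS exchange: TGT sealed under the TGS key, session key sealed under the user's own key.
        sk, exp = os.urandom(16).hex(), now + TGT_LIFETIME
        tgt = seal(self.keys["krbtgt"], {"user": user, "sk": sk, "exp": exp})
        return tgt, seal(self.keys[user], {"sk": sk, "exp": exp})
    def tgs_exchange(self, tgt, authenticator, service, now):
        # TGS exchange: open the TGT, reject expired ones, check the authenticator, issue a service ticket.
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["exp"]:
            raise ValueError("TGT expired")
        auth = unseal(bytes.fromhex(t["sk"]), authenticator)
        if auth["user"] != t["user"] or abs(now - auth["ts"]) > 300:
            raise ValueError("bad authenticator")
        sk2 = os.urandom(16).hex()
        ticket = seal(self.keys[service], {"user": t["user"], "sk": sk2, "exp": t["exp"]})
        return ticket, seal(bytes.fromhex(t["sk"]), {"sk": sk2, "service": service})

def use_service(kdc, user, password, service, now):
    # Client side of both exchanges: the password never leaves the client; only its key opens the reply.
    tgt, reply = kdc.as_exchange(user, now)
    sk = bytes.fromhex(unseal(derive_key(password, user), reply)["sk"])
    ticket, reply2 = kdc.tgs_exchange(tgt, seal(sk, {"user": user, "ts": now}), service, now)
    sk2 = bytes.fromhex(unseal(sk, reply2)["sk"])
    # Service side: its own key opens the ticket, and an authenticator under sk2 proves the client holds sk2.
    granted = unseal(kdc.keys[service], ticket)
    return unseal(sk2, seal(sk2, {"user": user, "ts": now}))["user"] == granted["user"]
```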

For more information about Kerberos, consult the newsgroup comp.protocols.kerberos or MIT's Kerberos page.

This is document acjj in domain all.
Last modified on July 01, 2008.