ARCHIVED: What is Kerberos?

This content has been archived, and is no longer maintained by Indiana University. Information here may no longer be accurate, and links may no longer be available or reliable.

Developed by MIT, Kerberos is a system that provides authenticated access for users and services on a network. At Indiana University, your Kerberos identity is managed through Active Directory and established through your Network ID.

With Kerberos, by exchanging time-sensitive tickets, you can make transactions secure without sending passwords in plaintext over the network. For a client program to take advantage of Kerberos, it must be Kerberized, which means that it can obtain tickets from the Kerberos server and negotiate with a Kerberos-aware service. Most programs can be Kerberized, including web browsers, telnet applications, POP email clients, and print utilities. Similarly, services that can be made Kerberos-aware include websites, printers, file servers, and POP mail servers. Though it is a fairly complex protocol, a few of its basic characteristics follow:

  • Every user and every service has a password. Only the owner of the password and the Kerberos server know this password. Passwords must remain confidential, as Kerberos provides no inherent protection against passwords that have been stolen.
  • When you use a client program that makes an initial ticket request to the Kerberos server, it will ask you for your Kerberos username and password. The program will then send a ticket request to the Kerberos server. The server will respond by sending you a ticket-granting ticket that it encrypts using your password as the input to an encryption algorithm. Because only you and the Kerberos server know your password, only you will be able to decrypt and use the ticket-granting ticket. This ticket-granting ticket normally expires eight hours after it is issued.
  • Once you have a ticket-granting ticket, you may then use Kerberized programs to request services from Kerberos-aware servers. The Kerberized program sends your ticket-granting ticket to a ticket-granting server (usually the Kerberos server itself) with a request to transact with a specific service (e.g., a printer, a POP email server). The server gives you a ticket that lets you conduct a transaction with the service and also ensures that both you and the service are who you say you are.
  • Kerberos gives you the option to encrypt data sent over the network. This means that the entire transaction between you and a Kerberos-aware service will be in unreadable ciphertext rather than plaintext.
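The ticket flow in the list above (password-derived keys, a ticket-granting ticket, then a service ticket issued by the ticket-granting server), as an added toy model in Python. This is example code, not IU's or MIT's implementation: the principals "alice", "printer" and "krbtgt" and their passwords are constructed, and PBKDF2 plus an HMAC-based encrypt-then-MAC stand in for the real Kerberos key-derivation and encryption types so that it runs with the standard library only.

```python
import hashlib, hmac, json, os, time

def password_key(password, principal):
    # Client and KDC derive the same long-term key from the password (toy KDF).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10000)

def _stream(key, nonce, n):
    blocks = (hmac.new(key, nonce + bytes([i]), "sha256").digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    # Simplified encrypt-then-MAC; real Kerberos uses AES-based enctypes instead.
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("cannot decrypt: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Constructed KDC database: every principal (users and services alike) has a key.
KDC = {p: password_key(pw, p) for p, pw in
       {"alice": "correct horse", "krbtgt": "kdc-secret", "printer": "svc-pw"}.items()}

def as_exchange(user, ttl=8 * 3600):
    # AS reply: TGT sealed under krbtgt's key, plus the session key sealed under the user's key.
    tgt = {"client": user, "session": os.urandom(16).hex(), "expires": time.time() + ttl}
    return seal(KDC["krbtgt"], tgt), seal(KDC[user], {"session": tgt["session"]})

def tgs_exchange(tgt_blob, service):
    # Ticket-granting server: validate the TGT, then issue a ticket sealed under the service's key.
    tgt = unseal(KDC["krbtgt"], tgt_blob)
    if time.time() > tgt["expires"]:
        raise ValueError("TGT expired; obtain a new one")
    svc = {"client": tgt["client"], "session": os.urandom(16).hex(), "expires": tgt["expires"]}
    return seal(KDC[service], svc), seal(bytes.fromhex(tgt["session"]), {"session": svc["session"]})

def login(user, password):
    tgt_blob, enc_part = as_exchange(user)
    # Only the correct password yields the key that opens the AS reply; otherwise ValueError.
    session = unseal(password_key(password, user), enc_part)["session"]
    return tgt_blob, bytes.fromhex(session)

def use_service(user, password, service):
    tgt_blob, tgt_session = login(user, password)
    st_blob, enc_part = tgs_exchange(tgt_blob, service)
    svc_session = unseal(tgt_session, enc_part)["session"]
    ticket = unseal(KDC[service], st_blob)  # the service opens the ticket with its own key
    return ticket["client"], ticket["session"] == svc_session
```

A wrong password fails at the client's unseal step rather than at the server, and an expired TGT is rejected by the ticket-granting server, mirroring the two failure modes the list describes.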

For more, consult MIT's Kerberos page or the newsgroup comp.protocols.kerberos.

This is document acjj in the Knowledge Base.
Last modified on 2018-10-03 16:54:15.