How Kerberos Works

Now that you have heard a few of the terms that Kerberos uses, here is a simplified explanation of how a Kerberos authentication system works:

On a "normal" network which uses passwords to authenticate users, when a user requests a network service that requires authentication, the user is prompted to type in their password. Their password is transmitted in plaintext over the network, and access to the network service is granted.

As mentioned previously, the central problem solved by Kerberos is how to use passwords for authentication without sending them over the network. On a kerberized network, the Kerberos database contains principals and their keys (for users, their keys are derived from their passwords). The Kerberos database also contains keys for all of the network services.

When a user on a kerberized network logs in to their workstation, their principal is sent to the Key Distribution Center (KDC) as a request for a Ticket Granting Ticket (TGT). This request can be sent by the login program (so that it is transparent to the user) or can be sent by the kinit program after the user logs in.

The KDC checks for the principal in its database. If the principal is found, the KDC creates a TGT, encrypts it using the user's key, and sends it back to the user.

The login program or kinit decrypts the TGT using the user's key (which it computes from the user's password). The TGT, which is set to expire after a certain period of time, is stored in the user's credentials cache. An expiration time is set so that a compromised TGT can only be used for a certain period of time, usually eight hours (unlike a compromised password, which could be used until changed). The user won't have to re-enter their password until the TGT expires or they log out and log in again.

When the user needs access to a network service, the client uses the TGT to request a ticket for the service from the Ticket Granting Service (TGS), which runs on the KDC. The TGS issues a ticket for the desired service, which is used to authenticate the user.
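The following is an added example, not code from the Red Hat guide or from MIT Kerberos, that models the two exchanges described above: the AS exchange (login/kinit obtaining a TGT) and the TGS exchange (trading the TGT for a service ticket). It follows the page's description literally, so the KDC returns the encrypted reply as soon as it is given a principal name; real deployments require pre-authentication before that step. The "encryption" is an HMAC-based stand-in for real Kerberos enctypes, PBKDF2 stands in for the string-to-key function, and the realm, principal names, password and timestamps are all constructed. What the walk-through shows is the point of the text: the password never leaves the workstation, a wrong password simply fails to decrypt the reply, and an expired TGT is refused by the TGS.

```python
"""Toy model of the Kerberos AS and TGS exchanges (added example, not Red Hat's or MIT's code).
Crypto here is an HMAC-based stand-in for real enctypes; names and times are constructed."""
import hashlib
import hmac
import json
import os

TGS_PRINCIPAL = "krbtgt/EXAMPLE.COM"   # constructed realm


def derive_key(password: str, principal: str) -> bytes:
    """User keys are derived from passwords; PBKDF2 stands in for the string-to-key function."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, msg: dict) -> bytes:
    """Toy authenticated encryption: XOR with an HMAC keystream, then an HMAC tag over the result."""
    nonce = os.urandom(16)
    plain = json.dumps(msg).encode()
    cipher = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + cipher, hashlib.sha256).digest()
    return nonce + cipher + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError if the key is wrong or the blob was altered."""
    nonce, cipher, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + cipher, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    plain = bytes(c ^ k for c, k in zip(cipher, _keystream(key, nonce, len(cipher))))
    return json.loads(plain)


class KDC:
    """Holds the Kerberos database (principal -> key). It never receives a password."""

    def __init__(self, tgt_lifetime: int = 8 * 3600):
        self.db = {TGS_PRINCIPAL: os.urandom(32)}   # the TGS's own key
        self.tgt_lifetime = tgt_lifetime

    def as_exchange(self, principal: str, now: int) -> bytes:
        """AS exchange: the request names a principal; the reply is encrypted under that principal's key."""
        if principal not in self.db:
            raise KeyError("unknown principal")
        session_key = os.urandom(32).hex()
        tgt = seal(self.db[TGS_PRINCIPAL], {"client": principal, "session_key": session_key,
                                            "expires": now + self.tgt_lifetime})
        return seal(self.db[principal], {"session_key": session_key, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_hex: str, service: str, now: int) -> bytes:
        """TGS exchange: only the TGS key opens the TGT; an expired TGT is refused."""
        tgt = unseal(self.db[TGS_PRINCIPAL], bytes.fromhex(tgt_hex))
        if now >= tgt["expires"]:
            raise PermissionError("TGT expired")
        if service not in self.db:
            raise KeyError("unknown service")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.db[service], {"client": tgt["client"], "session_key": svc_session,
                                         "expires": now + 3600})
        # Readable only with the TGT session key, i.e. by whoever could decrypt the AS reply.
        return seal(bytes.fromhex(tgt["session_key"]), {"session_key": svc_session, "ticket": ticket.hex()})


def kinit(kdc: KDC, principal: str, password: str, now: int) -> dict:
    """Client side: the key is computed locally from the password, which never goes on the wire."""
    creds = unseal(derive_key(password, principal), kdc.as_exchange(principal, now))
    return {"principal": principal, **creds}   # this dict plays the role of the credentials cache


def get_service_ticket(kdc: KDC, ccache: dict, service: str, now: int) -> dict:
    return unseal(bytes.fromhex(ccache["session_key"]), kdc.tgs_exchange(ccache["tgt"], service, now))


def service_accepts(service_key: bytes, ticket_hex: str, now: int):
    """The service verifies the ticket with its own key (its keytab); it does not contact the KDC."""
    ticket = unseal(service_key, bytes.fromhex(ticket_hex))
    return ticket["client"] if now < ticket["expires"] else None


def demo() -> dict:
    """Walk through login, service access, a wrong password and an expired TGT."""
    kdc = KDC()
    user, service = "alice@EXAMPLE.COM", "host/fileserver.example.com"   # constructed principals
    kdc.db[user] = derive_key("correct-horse", user)
    kdc.db[service] = service_key = os.urandom(32)
    t0 = 1_700_000_000                                                    # constructed timestamp
    ccache = kinit(kdc, user, "correct-horse", t0)
    st = get_service_ticket(kdc, ccache, service, t0 + 60)
    result = {"authenticated_as": service_accepts(service_key, st["ticket"], t0 + 120)}
    try:
        kinit(kdc, user, "wrong-password", t0)
        result["wrong_password_rejected"] = False
    except ValueError:
        result["wrong_password_rejected"] = True
    try:
        get_service_ticket(kdc, ccache, service, t0 + 9 * 3600)   # past the 8-hour TGT lifetime
        result["expired_tgt_rejected"] = False
    except PermissionError:
        result["expired_tgt_rejected"] = True
    return result


if __name__ == "__main__":
    print(demo())
```

Two design points carry over to real deployments: the KDC database holds keys, not passwords, so a user-key reply is only useful to someone who can derive the same key locally; and the lifetime check lives inside the sealed TGT, so it cannot be extended by the holder without the TGS key.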

As you might have guessed, this explanation is a simplified description of Kerberos authentication events. If you need a more in-depth explanation of how Kerberos works, see the section called Additional Resources.

Note

Kerberos depends on certain network services to work correctly. First, Kerberos requires approximate clock synchronization between the machines on your network. If you haven't set up a clock syncing program for your network, you will need to do so. Also, since certain aspects of Kerberos rely on the Domain Name System (DNS), be sure that the DNS entries and hosts on your network are all correctly configured. See the Kerberos V5 System Administrator's Guide, provided in PostScript and HTML formats, in /usr/share/doc/krb5-server-<version-number>, for more information on these issues.