Kerberos is one of the most important authentication systems available to developers and network architects. Its aim is simple: to provide single sign-on across an environment comprising multiple systems and protocols. Kerberos therefore allows mutual authentication and, importantly, secure encrypted communication between users and systems. It differs from many authentication systems in that it does not rely on security tokens but on each user or system maintaining and remembering a unique password.
When a user authenticates against the local operating system, there is normally an agent running that is responsible for sending an authentication request to a central Kerberos server. This authentication server responds by sending the credentials back to the agent in encrypted form, sealed under a key derived from the user's password. The local agent then attempts to decrypt the credentials using the password supplied by the user or local application. If the password is correct, the credentials decrypt successfully and the user is validated.
After successful validation the user is also given authentication tickets that allow access to other Kerberos-authenticated services. In addition, a set of cipher keys is supplied that can be used to encrypt all the data sessions. This matters for security, especially when a single authentication system fronts a wide range of different applications and systems.
Once validation is complete, no further authentication is necessary: the ticket grants access until it expires. So although the user does need to remember a password to authenticate, only one is required to access any number of systems and shares on the network. There are many configuration options for fine-tuning Kerberos, particularly in a Windows environment, where Kerberos is used primarily to access Active Directory resources. You can restrict access based on a whole host of factors in addition to the primary authentication. It is effective in a fluid environment where users may log on to many different systems and applications, even when those systems keep changing their IP address (note: http://www.changeipaddress.net/ ).
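The exchange described in the three paragraphs above (agent requests credentials, the server returns them encrypted, only the right password decrypts them, and the resulting ticket is good until it expires) is modelled below as an added example. It is constructed for this page and is not code from the article or from any Kerberos implementation: the realm, the user "alice", her password, PBKDF2 as the string-to-key function and the HMAC-based cipher are all simplified stand-ins for the real protocol's encryption types.

```python
import hashlib, hmac, json, os, time
def string_to_key(password, principal):
    # Long-term key from the password plus a salt (realm + principal); PBKDF2 stands
    # in for the real Kerberos string-to-key function. Realm name is constructed.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), ("EXAMPLE.COM" + principal).encode(), 50_000)

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range((n + 31) // 32))[:n]

def encrypt(key, plaintext):
    # Encrypt-then-MAC with HMAC-SHA256 as keystream generator and MAC: a simplified
    # stand-in for a real Kerberos encryption type, not a production cipher.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered message")  # a wrong password lands here
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# KDC side: the authentication server stores derived keys, never passwords.
KDC_DB = {"alice": string_to_key("correct horse battery", "alice")}  # constructed user
KRBTGT_KEY = os.urandom(32)  # the KDC's own long-term key, which seals every TGT

def as_exchange(principal, lifetime_s=600, now=None):
    """AS-REQ -> AS-REP. Nothing in the reply is usable without the client's key."""
    client_key = KDC_DB.get(principal)
    if client_key is None:
        return None
    now = int(time.time()) if now is None else now
    body = json.dumps({"client": principal, "key": os.urandom(32).hex(),
                       "expires": now + lifetime_s}).encode()
    # The TGT is sealed under the KDC's key (opaque to the client); the client's copy
    # of the session key and expiry is sealed under the client's long-term key.
    return {"tgt": encrypt(KRBTGT_KEY, body), "enc_part": encrypt(client_key, body)}

def client_login(principal, password, reply):
    """Agent side: only the correct password decrypts the reply into credentials."""
    try:
        part = json.loads(decrypt(string_to_key(password, principal), reply["enc_part"]))
    except ValueError:
        return None
    return {"session_key": bytes.fromhex(part["key"]), "expires": part["expires"], "tgt": reply["tgt"]}

def ticket_valid(creds, now=None):
    # After expiry the user must authenticate again, as the text above notes.
    return (int(time.time()) if now is None else now) < creds["expires"]
```

Note that the agent never sends the password over the network: the only thing that proves knowledge of it is the ability to decrypt the reply, and the KDC itself can later open the TGT with its own key without ever having seen the password.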
There is one single reason Kerberos has become so successful: it is freely available. Anyone can download and use the code free of charge, which means it is widely used and constantly developed and improved. There are many commercial implementations of Kerberos, such as those from Microsoft and IBM (Global Sign-On); these normally add extra features and a management system. There have been concerns over various security flaws in Kerberos; however, because it is open source, these have all been fixed in the latest implementation, Kerberos V.
George Hempseed
Author: BBC iPlayer in Ireland