Lesson 9

Date: 3/30/2011
Kerberos Authentication
Linux for Engineering and IT Applications


Kerberos ticket exchange sequence.


        Authentication procedure:
1. A client sends the user principal (kerberos account) name to the KDC.
2. The KDC (AS) responds with a pre-authentication request.
3. The client sends the Authenticator: the client's principal and the time stamp, encrypted with the user's key (password hash).
4. The KDC (AS) sends:
  •   the Ticket Granting Ticket (TGT), encrypted with the TGS key
  •   and a client/TGS session key, encrypted with the user's key.
    The client decrypts the session key and caches the TGT.
    The TGT includes the TGS copy of the client/TGS session key, client principal, ticket lifetime, KDC timestamp, client IP address.
  • Kerberized services request procedure:
    5. The client sends to KDC (TGS):
  •   TGT
  •   Authenticator: client principal and the time stamp, encrypted with with the client/TGS session key
  •   desired service principal name.
    6. KDC (TGS) validates the TGT and the Authenticator, then sends the following to the client:
  •   Service ticket, encrypted with the Server key. The Service ticket includes client/Server session key, client principal, ticket lifetime, KDC timestamp, client IP address.
  •   client/Server session key, encrypted with the client/TGS session key.
    7. The client sends the following to the application server:
  •   the Service ticket
  •   Authenticator (the client principal and time stamp encrypted with the client/Server session key).
    8. The application server decrypts the Service ticket with its key stored in the keytab, /etc/krb5.keytab, validates the authenticator and sends a confirmation (client time stamp + 1), encrypted with the client/Server session key.
    9. The client decrypts the confirmation by the client/Server session key and checks whether the timestamp is correctly updated. If so, the client starts issuing service requests.


  • Take me to the Course Website