
The Kerberos protocol and its implementations

Document version: 1.0.3 (26 November 2006) - Italian version
Author: Fulvio Ricciardi (INFN - the National Institute of Nuclear Physics, Computing and Network Services - LECCE, Italy)
Note: Newer versions of this document will be available at the URL of the MIT Kerberos Consortium of the Massachusetts Institute of Technology

1 Kerberos Protocol

   1.1  Introduction
   1.2  Aims
   1.3  Definition of components and terms
      1.3.1  Realm
      1.3.2  Principal
      1.3.3  Ticket
      1.3.4  Encryption
         Encryption type
         Encryption key
         Key Version Number (kvno)
      1.3.5  Key Distribution Center (KDC)
         Authentication Server (AS)
         Ticket Granting Server (TGS)
      1.3.6  Session Key
      1.3.7  Authenticator
      1.3.8  Replay Cache
      1.3.9  Credential Cache
   1.4  Kerberos Operation
      1.4.1  Authentication Server Request (AS_REQ)
      1.4.2  Authentication Server Reply (AS_REP)
      1.4.3  Ticket Granting Server Request (TGS_REQ)
      1.4.4  Ticket Granting Server Reply (TGS_REP)
      1.4.5  Application Server Request (AP_REQ)
      1.4.6  Application Server Reply (AP_REP)
      1.4.7  Pre-Authentication
   1.5  Tickets in-depth
      1.5.1  Initial tickets
      1.5.2  Renewable tickets
      1.5.3  Forwardable tickets
   1.6  Cross Authentication
      1.6.1  Direct trust relationships
      1.6.2  Transitive trust relationships
      1.6.3  Hierarchical trust relationships
   1.7  Types of attacks on Kerberos
      1.7.1  Dictionary and Brute-Force
      1.7.2  Replay Attack
      1.7.3  DDoS

2  Kerberos Implementations

   2.1  MIT Kerberos 5
   2.2  Heimdal
   2.3  Active Directory
   2.4  AFS Kaserver
   2.5  Shishi
   2.6  Interoperability between implementations
      2.6.1  The 524 service (read as 5 to 4)
      2.6.2  Unix and Windows: a common authentication
      2.6.3  Migration of an AFS cell to Kerberos 5
   2.7  A common protocol for changing password
   2.8  KDC in a Master/Slave structure

A  Appendix
   A.1  Configuring the DNS for Kerberos v5
      A.1.1  The TXT DNS record
      A.1.2  The SRV DNS record
   A.2  Authenticate and Authorize
      A.2.1  Kerberos and NIS
      A.2.2  Kerberos and LDAP
   A.3  SSH in Single Sign-On (SSO) configuration
      A.3.1  Compiling openssh with Kerberos 5 support
      A.3.2  Configuring openssh server-side config file (sshd_config)
      A.3.3  Configuring openssh client-side config file (ssh_config)
   A.4  Authentication frameworks authenticating with Kerberos 5
      A.4.1  GSS-API (Generic Security Services Application Programming Interface)
      A.4.2  SASL (Simple Authentication and Security Layer)
      A.4.3  PAM (Pluggable Authentication Modules)
      A.4.4  Configuring RedHat PAM modules to authenticate with Kerberos 5
   A.5  Other authentication protocols
      A.5.1  PAP (Password Authentication Protocol)
      A.5.2  CHAP (Challenge Handshake Authentication Protocol)
      A.5.3  MS-CHAP (Microsoft CHAP)
      A.5.4  MS-CHAPv2 (Microsoft CHAP version 2)

    Copyright (C) 2005-2015 by Fulvio Ricciardi