The Kerberos protocol and its implementations

Document version: 1.0.3 (26 November 2006)
Author: Fulvio Ricciardi (Fulvio.Ricciardi@le.infn.it)
INFN - the National Institute of Nuclear Physics
Computing and Network Services - LECCE (Italy)
Note: Newer versions of this document will be available at the URL http://www.kerberos.org/software/tutorial.html of the MIT Kerberos Consortium of the Massachusetts Institute of Technology

1 Kerberos Protocol


   1.1  Introduction
   1.2  Aims
   1.3  Definition of components and terms
      1.3.1  Realm
      1.3.2  Principal
      1.3.3  Ticket
      1.3.4  Encryption
            1.3.4.1  Encryption type
            1.3.4.2  Encryption key
            1.3.4.3  Salt
            1.3.4.4  Key Version Number (kvno)
      1.3.5  Key Distribution Center (KDC)
            1.3.5.1  Database
            1.3.5.2  Authentication Server (AS)
            1.3.5.3  Ticket Granting Server (TGS)
      1.3.6  Session Key
      1.3.7  Authenticator
      1.3.8  Replay Cache
      1.3.9  Credential Cache
   1.4  Kerberos Operation
      1.4.1  Authentication Server Request (AS_REQ)
      1.4.2  Authentication Server Reply (AS_REP)
      1.4.3  Ticket Granting Server Request (TGS_REQ)
      1.4.4  Ticket Granting Server Reply (TGS_REP)
      1.4.5  Application Server Request (AP_REQ)
      1.4.6  Application Server Reply (AP_REP)
      1.4.7  Pre-Authentication
   1.5  Tickets in-depth
      1.5.1  Initial tickets
      1.5.2  Renewable tickets
      1.5.3  Forwardable tickets
   1.6  Cross Authentication
      1.6.1  Direct trust relationships
      1.6.2  Transitive trust relationships
      1.6.3  Hierarchical trust relationships
   1.7  Types of attacks on Kerberos
      1.7.1  Dictionary and Brute-Force
      1.7.2  Replay Attack
      1.7.3  DDoS

2  Kerberos Implementations


   2.1  MIT Kerberos 5
   2.2  Heimdal
   2.3  Active Directory
   2.4  AFS Kaserver
   2.5  Shishi
   2.6  Interoperability between implementations
      2.6.1  The 524 service (read as 5 to 4)
      2.6.2  Unix and Windows: a common authentication
      2.6.3  Migration of an AFS cell to Kerberos 5
   2.7  A common protocol for changing password
   2.8  KDC in a Master/Slave structure

A  Appendix
   A.1  Configuring the DNS for Kerberos v5
      A.1.1  The TXT DNS record
      A.1.2  The SRV DNS record
   A.2  Authenticate and Authorize
      A.2.1  Kerberos and NIS
      A.2.2  Kerberos and LDAP
   A.3  SSH in Single Sign-On (SSO) configuration
      A.3.1  Compiling openssh with Kerberos 5 support
      A.3.2  Configuring openssh server-side config file (sshd_config)
      A.3.2  Configuring openssh client-side config file (ssh_config)
   A.4  Authentication frames authenticating with Kerberos 5
      A.4.1  GSS-API (Generic Security Services Application Programming Interface)
      A.4.2  SASL (Simple Authentication and Security Layer)
      A.4.3  PAM (Pluggable Authentication Modules)
      A.4.4  Configuring RedHat PAM modules to authenticate with Kerberos 5
   A.5  Other authentication protocols
      A.5.1  PAP (Password Authentication Protocol)
      A.5.2  CHAP (Challenge Handshake Authentication Protocol)
      A.5.3  MS-CHAP (Microsoft CHAP)
      A.5.4  MS-CHAPv2 (Microsoft CHAP version 2)




    Copyright (C) 2005-2013 by Fulvio Ricciardi