
Kerberos 5 authentication protocol

One of the main problems in a LAN is recognizing (authenticating) with certainty the users who wish to access the services offered: local and remote login sessions on Unix hosts or Windows workstations, and access to IMAP or POP3 servers for checking e-mail, are only some examples where the user must be authenticated before gaining access. On the other hand, the servers offering such services must also prove their identity to users: it would be unwelcome if a fake server, introduced into the LAN by an intruder, stole secrets from unaware users who believed they had reached the legitimate service.

To solve these problems, Zeroshell uses the Kerberos 5 mutual authentication protocol (RFC 1510). It is a robust and increasingly widespread protocol which, through the use of tickets and authenticators, provides the user with authenticated access to the services and at the same time guarantees the authenticity of the services themselves.

Thanks to Kerberos 5, Zeroshell can establish trust relationships with other realms (the name Kerberos 5 gives to authentication domains) and allow the users of one domain to access the resources and services of another. In particular, since Microsoft uses Kerberos 5 as the main authentication system in Active Directory, trust relationships can be set up between realms managed by Zeroshell and Windows domains (from Windows 2000 upwards): this gives complete integration between the Unix and Windows environments, because users can access Unix and Windows services alike with a single Kerberos account.

Another advantage of Kerberos 5 is Single Sign-On (SSO): the user enters the credentials (username/password) only once per work session and obtains a ticket that grants access to the various services transparently, without having to re-authenticate.
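The ticket-and-authenticator exchange described above, reduced to its essentials as an added example (not Zeroshell code, and not a real Kerberos implementation): the KDC seals a service ticket under the service's long-term key, the client proves possession of the session key with a timestamped authenticator, and the service proves it holds the real key by echoing the timestamp under the session key. The realm, principal names and the toy SHA-256/HMAC "cipher" are constructed for the demo; ticket lifetime and clock-skew checks are included because they are what distinguishes a fresh exchange from a replayed or expired one.

```python
import hashlib
import hmac
import json
import os

# Toy authenticated encryption (SHA-256 keystream + HMAC tag). It stands in for the
# Kerberos encryption types; it is NOT a real cipher and exists only for this demo.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def seal(key: bytes, fields: dict) -> bytes:
    """Encrypt and authenticate a small JSON record under `key`."""
    plaintext = json.dumps(fields, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError if the key is wrong or the blob was altered."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or tampered message")
    plaintext = bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))
    return json.loads(plaintext)

# Long-term keys the KDC shares with each principal (constructed realm and names).
KDC_KEYS = {
    "alice@EXAMPLE.ORG": hashlib.sha256(b"alice-password").digest(),
    "imap/mail.example.org@EXAMPLE.ORG": os.urandom(32),
}

def kdc_issue_ticket(client: str, service: str, now: int, lifetime: int = 300):
    """KDC: mint a fresh session key and a service ticket sealed under the service's key.
    The client's copy of the session key is sealed under the client's key (simplified:
    a real KDC would seal it under the TGT session key after the initial login)."""
    session_key = os.urandom(32)
    fields = {"service": service, "key": session_key.hex(), "expires": now + lifetime}
    ticket = seal(KDC_KEYS[service], dict(fields, client=client))
    for_client = seal(KDC_KEYS[client], fields)
    return ticket, for_client

def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes,
                   now: int, skew: int = 300):
    """Service: validate ticket + authenticator; return client name and mutual-auth reply."""
    t = unseal(service_key, ticket)          # only the genuine service key opens the ticket
    if now > t["expires"]:
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(t["key"])
    a = unseal(session_key, authenticator)   # proves the client knows the session key
    if a["client"] != t["client"]:
        raise ValueError("authenticator name does not match ticket")
    if abs(now - a["timestamp"]) > skew:
        raise ValueError("authenticator outside clock skew (replay?)")
    # Echoing the client's timestamp under the session key proves the service could open
    # the ticket, i.e. it holds the real service key: this is the mutual part.
    return t["client"], seal(session_key, {"timestamp": a["timestamp"]})

def run_exchange(now: int = 1_700_000_000, impostor: bool = False, client_now: int = None) -> dict:
    """Drive one client -> service exchange. `impostor=True` models a rogue server
    that has no copy of the real service key; `client_now` lets the test move the clock."""
    client, service = "alice@EXAMPLE.ORG", "imap/mail.example.org@EXAMPLE.ORG"
    client_now = now if client_now is None else client_now
    ticket, for_client = kdc_issue_ticket(client, service, now)
    creds = unseal(KDC_KEYS[client], for_client)      # client opens its part with its own key
    session_key = bytes.fromhex(creds["key"])
    authenticator = seal(session_key, {"client": client, "timestamp": client_now})
    server_key = os.urandom(32) if impostor else KDC_KEYS[service]
    result = {"client_authenticated": None, "server_verified": False, "error": None}
    try:
        name, reply = service_accept(server_key, ticket, authenticator, client_now)
        result["client_authenticated"] = name
        # Client side: only a reply sealed under the session key carrying its own
        # timestamp counts as proof that the server is genuine.
        result["server_verified"] = unseal(session_key, reply)["timestamp"] == client_now
    except ValueError as exc:
        result["error"] = str(exc)
    return result

if __name__ == "__main__":
    print("genuine server:", run_exchange())
    print("rogue server:  ", run_exchange(impostor=True))
```

The rogue-server case is the one the paragraph above warns about: because the fake server cannot open the ticket, it never learns the session key, so it can neither verify the client nor produce the timestamp reply, and the client refuses to proceed. Note that the client's password-derived key is used only to open the KDC's response and is never sent over the wire.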

For more details on the Kerberos protocol, see the Kerberos Tutorial.

    Copyright (C) 2005-2015 by Fulvio Ricciardi