Kerberos differs from username/password authentication methods
because instead of authenticating each user to each network
service, it uses symmetric encryption and a trusted third party, a
KDC, to authenticate users to a suite of network services. Once a
user authenticates to the KDC, it sends a ticket specific to that
session back the user's machine and any kerberized services look
for the ticket on the user's machine rather than asking the user to
authenticate using a password.
When a user on a kerberized network logs in to their
workstation, their principal is sent to the KDC in a request for a
TGT from AS. This request can be sent by the login program so that
it is transparent to the user or can be sent by the kinit program after the user logs in.
The KDC checks for the principal in its database. If the
principal is found, the KDC creates a TGT, which is encrypted using
the user's key and returned to that user.
The login or kinit program on the
client machine then decrypts the TGT using the user's key (which it
computes from the user's password). The user's key is used only on
the client machine and is not sent over the
The TGT is set to expire after a certain period of time (usually
ten hours) and stored in the client machine's credentials cache. An
expiration time is set so that a compromised TGT is of use to an
attacker for only a short period of time. Once the TGT is issued,
the user does not have to re-enter their password until the TGT
expires or they logout and login again.
Whenever the user needs access to a network service, the client
software uses the TGT to request a new ticket for that specific
service from the TGS. The service ticket is then used to
authenticate the user to that service transparently.
The Kerberos system can be compromised any time any user on the
network authenticates against a non-kerberized service by sending a
password in plain text. Use of non-kerberized services is
discouraged. Such services include Telnet and FTP. Use of other
encrypted protocols, such as SSH or SSL secured services, however,
is acceptable, though not ideal.
This is only a broad overview of how Kerberos authentication
works. Those seeking a more in-depth look at Kerberos
authentication should refer to Section 19.7 Additional
Kerberos depends on certain network services to work correctly.
First, Kerberos requires approximate clock synchronization between
the machines on the network. Therefore, a clock synchronization
program should be set up for the network, such as ntpd. For more about configuring ntpd, refer to /usr/share/doc/ntp-<version-number>/index.htm for
details on setting up Network Time Protocol servers (replace
<version-number> with the
version number of the ntp package
installed on the system).
Also, since certain aspects of Kerberos rely on the Domain Name
Service (DNS), be sure that the DNS entries and hosts on the
network are all properly configured. Refer to the Kerberos V5 System Administrator's Guide, provided
in PostScript and HTML formats in /usr/share/doc/krb5-server-<version-number> for more
information (replace <version-number> with the version number
of the krb5-server package installed on