What Is the Kerberos Service?
The Kerberos service is a client-server architecture that provides secure transactions over
networks. The service offers strong user authentication, as well as integrity and privacy.
Authentication assures each party to a network transaction of the other's identity: the
client knows it is talking to the genuine service, and the service knows which user it is
serving. The service can also verify that data passed back and forth has not been altered
in transit (integrity) and encrypt the data during transmission (privacy). Using the Kerberos
service, you can log in to other machines, execute commands, exchange data, and transfer
files securely. Additionally, the service provides authorization services, which allow
administrators to restrict access to services and machines. Moreover, as a Kerberos user,
you can regulate other people's access to your account.
The Kerberos service is a single-sign-on system: you authenticate yourself to the service
once per session, and subsequent requests during the session are authenticated automatically
with credentials (tickets) that the service issues, for as long as those tickets remain
valid. After the service has authenticated you, you do not need to authenticate yourself
again every time you use a Kerberos-based command such as ftp or rsh, or access data on an
NFS file system. Thus, your password is not sent over the network, where it could be
intercepted, each time you use these services. In fact, the password itself is never
transmitted at all: you and the authentication server each derive a key from it locally,
and only messages protected by that key cross the network.
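As an added illustration of the single-sign-on mechanism described above (a constructed
simulation, not code from the Solaris documentation or from MIT Kerberos): the client
authenticates once with a key derived locally from its password and receives a
ticket-granting ticket; from then on it obtains service tickets and presents them to
servers without the password being entered again or ever crossing the network, and each
server verifies its ticket with its own key, without contacting the KDC. The realm and
principal names, the clock-skew limit, the ticket lifetime and the stdlib-only toy cipher
are all assumptions; real Kerberos uses its own enctypes and ASN.1 message formats, which
this model reduces to sealed JSON.

```python
import hashlib, hmac, json, os, time

WIRE = []    # every message that crosses the simulated network
SKEW = 300   # allowed clock skew in seconds (assumption)

def string2key(password, salt):
    # Stand-in for Kerberos string-to-key; KDC and user derive it locally from the password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20000)

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    # Toy encrypt-then-MAC over a JSON payload (NOT a Kerberos enctype); returns hex.
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return (nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()).hex()

def unseal(key, blob_hex):
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def send(msg):
    WIRE.append(msg); return msg

class KDC:
    def __init__(self, realm):
        self.realm, self.tgs = realm, "krbtgt/" + realm
        self.keys = {self.tgs: os.urandom(32)}               # principal database
    def add_principal(self, name, password):
        self.keys[name] = string2key(password, self.realm + name); return self.keys[name]
    def _reply(self, sname, cname, reply_key):
        # Ticket sealed under sname's key; the session key also goes to the client under reply_key.
        skey = os.urandom(32).hex()
        tkt = seal(self.keys[sname], {"cname": cname, "key": skey, "exp": time.time() + 28800})
        return send({"ticket": tkt, "enc": seal(reply_key, {"key": skey, "sname": sname})})
    def as_exchange(self, req):
        # AS-REQ: an encrypted timestamp proves knowledge of the user key; no password reaches the KDC.
        ukey = self.keys[req["cname"]]
        if abs(time.time() - unseal(ukey, req["padata"])["ts"]) > SKEW:
            raise ValueError("pre-authentication timestamp outside clock skew")
        return self._reply(self.tgs, req["cname"], ukey)    # AS-REP: TGT + its session key
    def tgs_exchange(self, req):
        # TGS-REQ: TGT plus an authenticator under its session key replace the password (single sign-on).
        tgt = unseal(self.keys[self.tgs], req["tgt"]); tkey = bytes.fromhex(tgt["key"])
        if tgt["exp"] < time.time() or unseal(tkey, req["authenticator"])["cname"] != tgt["cname"]:
            raise ValueError("expired TGT or authenticator mismatch")
        return self._reply(req["sname"], tgt["cname"], tkey)  # TGS-REP: service ticket + key

class Client:
    def __init__(self, kdc, name, password):
        self.kdc, self.name, self.cache = kdc, name, {}       # cache: sname -> (ticket, key)
        self.key = string2key(password, kdc.realm + name)    # derived locally, as kinit does
    def kinit(self):
        rep = self.kdc.as_exchange(send({"cname": self.name, "padata": seal(self.key, {"ts": time.time()})}))
        enc = unseal(self.key, rep["enc"])
        self.cache[enc["sname"]] = (rep["ticket"], bytes.fromhex(enc["key"]))
        del self.key                                          # not needed again this session
    def _authenticator(self, skey):
        return seal(skey, {"cname": self.name, "ts": time.time()})
    def ap_req(self, sname):
        if sname not in self.cache:                           # get a service ticket via the TGT
            tgt, tkey = self.cache[self.kdc.tgs]
            rep = self.kdc.tgs_exchange(send({"tgt": tgt, "sname": sname,
                                              "authenticator": self._authenticator(tkey)}))
            self.cache[sname] = (rep["ticket"], bytes.fromhex(unseal(tkey, rep["enc"])["key"]))
        tkt, skey = self.cache[sname]
        return send({"ticket": tkt, "authenticator": self._authenticator(skey)})

class Service:
    def __init__(self, name, key):
        self.name, self.key = name, key                       # the keytab entry
    def accept(self, ap_req):
        # AP-REQ is checked with the service's own key alone: no KDC round trip.
        tkt = unseal(self.key, ap_req["ticket"]); skey = bytes.fromhex(tkt["key"])
        auth = unseal(skey, ap_req["authenticator"])
        if tkt["exp"] < time.time() or auth["cname"] != tkt["cname"] or abs(time.time() - auth["ts"]) > SKEW:
            raise ValueError("expired ticket or bad authenticator")
        return tkt["cname"], skey       # peer identity plus a session key for integrity/privacy

def demo():
    WIRE.clear()
    kdc, pw = KDC("EXAMPLE.COM"), "correct horse battery staple"
    kdc.add_principal("alice", pw)
    nfs = Service("nfs/fs.example.com", kdc.add_principal("nfs/fs.example.com", os.urandom(16).hex()))
    ftp = Service("ftp/fs.example.com", kdc.add_principal("ftp/fs.example.com", os.urandom(16).hex()))
    alice = Client(kdc, "alice", pw); alice.kinit()              # password used once, locally
    who_nfs, _ = nfs.accept(alice.ap_req("nfs/fs.example.com"))
    who_ftp, _ = ftp.accept(alice.ap_req("ftp/fs.example.com"))  # no second password prompt
    try:                                                          # an nfs ticket offered to ftp
        ftp.accept(alice.ap_req("nfs/fs.example.com")); rejected = False
    except ValueError:
        rejected = True
    return {"nfs_peer": who_nfs, "ftp_peer": who_ftp, "messages": len(WIRE), "wrong_service_rejected": rejected,
            "password_on_wire": any(pw in json.dumps(m) for m in WIRE)}
```

Calling demo() returns a dictionary reporting which principal each server authenticated,
the number of messages exchanged (nine for this flow: two for the AS exchange, then a
TGS request, TGS reply and AP request per new service, and a single AP request when the
ticket is already cached) and that the password string appears in none of them. The model
keeps two properties of the real protocol worth remembering: a host whose clock drifts
beyond the skew limit cannot authenticate, and anyone holding a service's long-term key can
forge tickets for that service, which is why keytab files need tight permissions.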
The Solaris Kerberos service is based on the Kerberos V5 network authentication protocol
that was developed at the Massachusetts Institute of Technology (MIT). People who have
used the MIT Kerberos V5 product should therefore find the Solaris version very familiar.
Because the Kerberos V5 protocol is a de facto industry standard for network
authentication, the Solaris version interoperates with other systems that implement it.
In other words, because the Solaris Kerberos service works with systems that use the
Kerberos V5 protocol, the service allows for secure transactions even over heterogeneous
networks. Moreover, the service provides authentication and security both within a single
realm (the Kerberos term for an administrative domain) and between realms, by way of
cross-realm authentication.
The Kerberos service allows for flexibility in running Solaris applications. You can
configure the service to allow both Kerberos-based and non-Kerberos-based requests for
network services such as the NFS service, telnet, and ftp. As a result, current Solaris
applications still work even if they are running on systems on which the Kerberos service
is not enabled. Note that in this mixed mode a server also accepts requests that are not
authenticated by Kerberos, so the protection described above applies only to the
Kerberos-based requests. You can also configure the Kerberos service to allow only
Kerberos-based network requests, which is the stricter setting.
The Kerberos service provides a security mechanism that allows the use of Kerberos for
authentication, integrity, and privacy in applications that use the Generic Security
Service Application Programming Interface (GSS-API). However, applications do not have to
remain committed to the Kerberos service if other security mechanisms are developed.
Because the service is designed to integrate modularly into the GSS-API, applications that
use the GSS-API can use whichever security mechanism best suits their needs without being
tied to any one of them.