Executive Summary

This white paper describes the Kerberos protocol and the concepts and features on which Kerberos authentication depends. The first section covers the protocol itself; the sections that follow describe how HP has implemented Kerberos authentication on HP-UX.

HP-UX supports the following Kerberos suite of products on the HP-UX 11.0, 11i v1, and 11i v2 operating systems:

• Pluggable Authentication Module Kerberos (PAM-Kerberos)
• Kerberos Client Software
• HP Kerberos Server
• Generic Security Service Application Programming Interface (GSS-API)
• Secure Internet Services (SIS)
• HP-UX Secure Shell (SSH)

The subsequent sections of this document discuss these in detail.

The paper concludes with a brief discussion of Kerberos protocol interoperability with other systems.

Problem Statement

The Internet connects millions of people from all corners of the globe to each other every day. On such a network, information can be lost, stolen, corrupted, or misused, and it is difficult for the parties to a connection to confirm each other's identity. Confidentiality matters for some kinds of information, such as banking and medical records, so a user who wants to access that information online must be able to prove that he or she is who they claim to be. This process is called authentication, and Kerberos plays a major role in it.

Traditionally, network services relied on a process called authentication by assertion, which works as follows:

When a user runs a program that accesses a network service, the program (called the client) asserts to the service that it is running on behalf of the user. Nothing in the exchange proves that assertion, so this provides very little security.

Consider the example of Berkeley rlogin. If a user uses rlogin to log in to an account under his own name on another machine, and the user's .rhosts file on that machine is set up accordingly, the rlogin program asserts the user's identity to the rlogin daemon on the remote machine, and the daemon grants the login without asking for a password. This becomes disastrous if an attacker can either convince the rlogin program that he or she is the legitimate user, or build a modified version of rlogin that asserts that identity to the remote machine.
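To make the weakness concrete, here is a toy model of the rlogin exchange described above. It is an added example, not code from the HP paper or from rlogin itself; the host names, user names and the .rhosts contents are constructed. The daemon's only check is whether the (host, user) pair the client asserts appears in the target account's .rhosts, so a rebuilt client that asserts a different user's name is indistinguishable from the genuine one.

```python
# Added example, not from the HP paper: a toy model of Berkeley rlogin's
# "authentication by assertion". rlogind grants a shell without a password
# whenever the account's ~/.rhosts trusts the (host, user) pair the client
# asserts; nothing in the exchange proves that assertion. All host names,
# user names and the .rhosts contents below are constructed for illustration.

from dataclasses import dataclass
from typing import Optional

# Constructed ~/.rhosts for the account "alice" on the target host. Real
# .rhosts syntax is "<host> [<user>]"; a host alone trusts the same login name.
ALICE_RHOSTS = """\
# hosts alice works from
workstation1 alice
workstation2
"""


@dataclass(frozen=True)
class RloginRequest:
    client_host: str   # host the connection appears to originate from
    client_user: str   # identity the client program asserts (never verified)
    server_user: str   # account the client asks to log in to


def honest_rlogin(local_host: str, local_user: str, target_account: str) -> RloginRequest:
    """Stock rlogin: asserts the login name of the user actually running it."""
    return RloginRequest(local_host, local_user, target_account)


def mutant_rlogin(local_host: str, claimed_user: str, target_account: str) -> RloginRequest:
    """Attacker's rebuilt rlogin: asserts any name it likes. The attacker's
    real login name never reaches the daemon, so it plays no part at all."""
    return RloginRequest(local_host, claimed_user, target_account)


def parse_rhosts(text: str) -> set[tuple[str, Optional[str]]]:
    """Parse .rhosts into (host, user) pairs; user is None for host-only lines."""
    entries: set[tuple[str, Optional[str]]] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.add((fields[0], fields[1] if len(fields) > 1 else None))
    return entries


def rhosts_allows(entries: set[tuple[str, Optional[str]]], req: RloginRequest) -> bool:
    """The daemon's entire check: is the asserted (host, user) pair listed?"""
    if (req.client_host, req.client_user) in entries:
        return True
    # host-only entry: trusted only when the asserted name matches the account
    return (req.client_host, None) in entries and req.client_user == req.server_user


def rlogind(rhosts_by_account: dict[str, str], req: RloginRequest) -> str:
    """Toy rlogind decision: 'shell' (no password asked) or 'password-prompt'."""
    entries = parse_rhosts(rhosts_by_account.get(req.server_user, ""))
    return "shell" if rhosts_allows(entries, req) else "password-prompt"


def demo() -> dict[str, str]:
    """Three connections against the same .rhosts; returns rlogind's decision for each."""
    accounts = {"alice": ALICE_RHOSTS}
    return {
        # alice on a trusted workstation: the intended convenience
        "legitimate": rlogind(accounts, honest_rlogin("workstation1", "alice", "alice")),
        # mallory on the same trusted host runs a rebuilt rlogin that asserts
        # "alice"; the bytes rlogind sees are identical to the legitimate case
        "forged_assertion": rlogind(accounts, mutant_rlogin("workstation1", "alice", "alice")),
        # an honest client from an unlisted host still has to give a password
        "untrusted_host": rlogind(accounts, honest_rlogin("laptop9", "alice", "alice")),
    }


if __name__ == "__main__":
    for case, decision in demo().items():
        print(f"{case:18s} -> {decision}")
```

The only thing separating the legitimate and forged cases is which binary the user ran on workstation1, and the daemon has no way to tell. That is the gap Kerberos closes: the client must present a ticket derived from a secret the daemon can verify, rather than a bare claim.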

The alternative is to require the user to enter a password each time he or she accesses a network service. This is tedious, and it is also insecure when the services are on remote machines: when a user who is logged in to one remote machine logs in from there to another, the password travels across the network unencrypted.

Kerberos addresses both problems. It provides single sign-on, which lets a user log in once and then access multiple systems or applications without re-entering the user name and password. In addition, Kerberos is designed so that entities have to authenticate themselves by