HP UX Kerberos Data Security Software manual 26

•

Time stamp

•

Nonce

Step

2.

If the AS decrypts the message successfully, it authenticates the

requesting user and issues a TGT. The TGT contains the user name, a

session key for your use, and name of the server to be used for any

subsequent communication. The reply message is encrypted using your

secret key.

NOTE

The AS decrypts the request only when the pre-authentication option is

set in the AS request. If the pre-authentication option is not set, the AS

issues the TGT if the principal is available in the Kerberos database.

Step

3.

The client decrypts the message using your secret key. The TGT and the

session key from the message are stored in the client’s credential cache.

These credentials are used to obtain tickets for each network service the

principal wants to access.

Step

4.

To obtain access to a secured network service such as rlogin, rsh, rcp,

ftp, or telnet, the requesting client application uses the previously

obtained TGT in a dialogue with the TGS to obtain a service ticket. The

protocol is the same as used while obtaining the TGT, except that the

messages contain the name of the server and a copy of the previously

obtained TGT.

Step

5.

The TGS returns a new service ticket that the application client can use

to authenticate to the service. The service ticket is encrypted with the

service key shared between the KDC and the application server.

Step

6.

The application server authenticates the client using the service key

present in the keytab file. It decrypts the service ticket using the service

key and extracts the session key. Using the session key, the server

decrypts the authenticator and verifies the identity of the user. It also

26

Chapter 1