Kerberos

Also spelled Cerberus - The watchdog of Hades, whose duty was to guard the entrance (against whom or what does not clearly appear); it is known to have had three heads.

-Ambrose Bierce, The Enlarged Devil’s Dictionary

The following is only a shortened description of how Kerberos works. For more detail, the redbook Inside the RS/6000 SP, SG24-5145, covers the subject in much greater depth.

When dealing with authentication and Kerberos, three entities are involved: the client, who requests service from a server; the server itself, the second entity; and the Key Distribution Center (KDC), or Kerberos server, the machine that manages the database where all the authentication data is kept and maintained.

Kerberos is a third-party system used to authenticate users or services, which are known to Kerberos as principals. The very first action to take regarding Kerberos and principals is to register the principal with the Kerberos server. When this is done, Kerberos asks for the principal’s password, which is converted into a 56-bit key for that principal (user or service) using the DES (Data Encryption Standard) algorithm. This key is stored in the Kerberos server database.

When a client needs the services of a server, the client must prove its identity to the server so that the server knows to whom it is talking.

Tickets are the means by which the Kerberos server lets clients authenticate themselves to the service providers and get work done on their behalf on the service providers’ servers. Tickets have a finite life, known as the ticket life span.

In Kerberos terms, making a Kerberos-authenticated service provider work on behalf of a client is a three-step process:

1. Get a ticket-granting ticket.
2. Get a service ticket.
3. Get the work done on the service provider.

The main role of the ticket-granting ticket service is to avoid unnecessary password traffic over the network, so that the user has to enter his password only once per session. What this ticket-granting ticket service does is give the client system a ticket with a certain time span, whose purpose is to
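The three-step flow and the role of the ticket-granting ticket can be seen in a small model. The following is an added example, not code from the redbook or from IBM’s Kerberos implementation: a single-process Python simulation in which a KDC object holds the principal database, issues a ticket-granting ticket (step 1) and a service ticket (step 2), and a service function verifies the ticket with its own key (step 3). The cipher is a constructed stand-in for DES (a SHA-256 keystream with an HMAC tag), the key derivation is a stand-in for the real string-to-key step, and the principal names, passwords and the 300-second life span are made-up sample values. It also shows the two failure modes a practitioner cares about: a wrong password cannot open the step-1 reply, and a ticket past its life span is rejected.

```python
# Added example, not the redbook's code. Toy model of the Kerberos three-step flow.
# seal()/unseal() are a constructed stand-in for DES; names and passwords are sample values.
import hashlib
import hmac
import json
import os


def derive_key(password: str) -> bytes:
    """Stand-in for the string-to-key step. Real Kerberos 4 derives a 56-bit DES key
    from the password; this toy hashes it to a 32-byte key for seal()/unseal()."""
    return hashlib.sha256(password.encode()).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    ks = b""
    for counter in range(0, length, 32):
        ks += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return ks[:length]


def seal(key: bytes, fields: dict) -> bytes:
    """Toy authenticated encryption of a JSON document under `key` (not DES)."""
    nonce = os.urandom(16)
    plaintext = json.dumps(fields).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError unless `key` is the key the blob was sealed with."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("blob does not verify under this key")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode())


class KDC:
    """Key Distribution Center: the principal database plus the two ticket-issuing exchanges."""

    def __init__(self, life_span: int):
        self.db = {}                # principal name -> key: the database the text describes
        self.life_span = life_span  # ticket life span in seconds
        self.register("krbtgt", os.urandom(16).hex())  # key of the ticket-granting service itself

    def register(self, principal: str, password: str) -> None:
        self.db[principal] = derive_key(password)

    def get_tgt(self, principal: str, now: int) -> bytes:
        """Step 1. The reply is sealed under the principal's own key, so only a client that
        knows the password can open it; the password itself never crosses the network."""
        session = os.urandom(16).hex()
        tgt = seal(self.db["krbtgt"], {"client": principal, "session": session,
                                       "expires": now + self.life_span})
        return seal(self.db[principal], {"session": session, "tgt": tgt.hex()})

    def get_service_ticket(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> bytes:
        """Step 2. The client presents the TGT (opaque to it) plus an authenticator sealed
        under the TGT session key, and receives a ticket for `service`."""
        t = unseal(self.db["krbtgt"], tgt)
        if now > t["expires"]:
            raise PermissionError("ticket-granting ticket expired")
        a = unseal(bytes.fromhex(t["session"]), authenticator)
        if a["client"] != t["client"]:
            raise PermissionError("authenticator does not match ticket")
        svc_session = os.urandom(16).hex()
        ticket = seal(self.db[service], {"client": t["client"], "session": svc_session,
                                         "expires": now + self.life_span})
        return seal(bytes.fromhex(t["session"]), {"session": svc_session, "ticket": ticket.hex()})


def service_accept(service_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> str:
    """Step 3, server side: the service opens the ticket with its own key and returns the
    authenticated client name; expired tickets and mismatched authenticators are rejected."""
    t = unseal(service_key, ticket)
    if now > t["expires"]:
        raise PermissionError("service ticket expired")
    a = unseal(bytes.fromhex(t["session"]), authenticator)
    if a["client"] != t["client"]:
        raise PermissionError("authenticator does not match ticket")
    return t["client"]


def client_request(kdc: KDC, principal: str, password: str, service: str, now: int):
    """Client side of steps 1 and 2; returns (ticket, authenticator) to present in step 3."""
    key = derive_key(password)
    rep = unseal(key, kdc.get_tgt(principal, now))  # a wrong password fails here (ValueError)
    tgt_session, tgt = bytes.fromhex(rep["session"]), bytes.fromhex(rep["tgt"])
    auth = seal(tgt_session, {"client": principal, "time": now})
    rep = unseal(tgt_session, kdc.get_service_ticket(tgt, auth, service, now))
    svc_session, ticket = bytes.fromhex(rep["session"]), bytes.fromhex(rep["ticket"])
    return ticket, seal(svc_session, {"client": principal, "time": now})


def demo() -> dict:
    """Run the flow with constructed principals and report the three outcomes."""
    kdc = KDC(life_span=300)
    kdc.register("alice", "correct horse")          # sample user principal
    kdc.register("rcmd.node1", "service-secret")    # sample service principal
    svc_key = derive_key("service-secret")          # the service's own copy of its key
    now = 1_000_000
    ticket, auth = client_request(kdc, "alice", "correct horse", "rcmd.node1", now)
    out = {"accepted_as": service_accept(svc_key, ticket, auth, now)}
    try:
        client_request(kdc, "alice", "wrong password", "rcmd.node1", now)
        out["wrong_password"] = "accepted"
    except ValueError:
        out["wrong_password"] = "rejected"
    try:
        service_accept(svc_key, ticket, auth, now + 301)  # one second past the life span
        out["expired_ticket"] = "accepted"
    except PermissionError:
        out["expired_ticket"] = "rejected"
    return out


if __name__ == "__main__":
    print(demo())
```

Two design points worth noticing. The KDC answers step 1 without checking anything about the requester; what protects the reply is that it is sealed under the principal’s key, which is exactly why the text says the password is entered once per session and never sent. And the client never learns the contents of the ticket-granting ticket or the service ticket: it only carries them, because each is sealed under a key that belongs to the ticket-granting service or to the target service, not to the client.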

188 IBM Certification Study Guide AIX HACMP

IBM SG24-5131-00