The Kerberos protocol and its implementations

Document version: 1.0.3 (26 November 2006)
Author: Fulvio Ricciardi (Fulvio.Ricciardi@le.infn.it)
INFN - the National Institute of Nuclear Physics
Computing and Network Services - LECCE (Italy)
Note: New versions of this document will be available at the URL http://www.kerberos.org/software/tutorial.html of the MIT Kerberos Consortium of the Massachusetts Institute of Technology

1  Kerberos Protocol

   1.1  Introduction
   1.2  Aims
   1.3  Definition of components and terms
      1.3.1  Realm
      1.3.2  Principal
      1.3.3  Ticket
      1.3.4  Encryption
            1.3.4.1  Encryption type
            1.3.4.2  Encryption key
            1.3.4.3  Salt
            1.3.4.4  Key Version Number (kvno)
      1.3.5  Key Distribution Center (KDC)
            1.3.5.1  Database
            1.3.5.2  Authentication Server (AS)
            1.3.5.3  Ticket Granting Server (TGS)
      1.3.6  Session Key
      1.3.7  Authenticator
      1.3.8  Replay Cache
      1.3.9  Credential Cache
   1.4  Kerberos Operation
      1.4.1  Authentication Server Request (AS_REQ)
      1.4.2  Authentication Server Reply (AS_REP)
      1.4.3  Ticket Granting Server Request (TGS_REQ)
      1.4.4  Ticket Granting Server Reply (TGS_REP)
      1.4.5  Application Server Request (AP_REQ)
      1.4.6  Application Server Reply (AP_REP)
      1.4.7  Pre-Authentication
   1.5  Tickets in-depth
      1.5.1  Initial tickets
      1.5.2  Renewable tickets
      1.5.3  Forwardable tickets
   1.6  Cross Authentication
      1.6.1  Direct trust relationships
      1.6.2  Transitive trust relationships
      1.6.3  Hierarchical trust relationships
   1.7  Types of attacks on Kerberos
      1.7.1  Dictionary and Brute-Force
      1.7.2  Replay Attack
      1.7.3  DDoS

2  Kerberos Implementations

   2.1  MIT Kerberos 5
   2.2  Heimdal
   2.3  Active Directory
   2.4  AFS Kaserver
   2.5  Shishi
   2.6  Interoperability between implementations
      2.6.1  The 524 service (read as 5 to 4)
      2.6.2  Unix and Windows: a common authentication
      2.6.3  Migration of an AFS cell to Kerberos 5
   2.7  A common protocol for changing password
   2.8  KDC in a Master/Slave structure

A  Appendix
   A.1  Configuring the DNS for Kerberos v5
      A.1.1  The TXT DNS record
      A.1.2  The SRV DNS record
   A.2  Authenticate and Authorize
      A.2.1  Kerberos and NIS
      A.2.2  Kerberos and LDAP
   A.3  SSH in Single Sign-On (SSO) configuration
      A.3.1  Compiling openssh with Kerberos 5 support
      A.3.2  Configuring openssh server-side config file (sshd_config)
      A.3.3  Configuring openssh client-side config file (ssh_config)
   A.4  Authentication frames authenticating with Kerberos 5
      A.4.1  GSS-API (Generic Security Services Application Programming Interface)
      A.4.2  SASL (Simple Authentication and Security Layer)
      A.4.3  PAM (Pluggable Authentication Modules)
      A.4.4  Configuring RedHat PAM modules to authenticate with Kerberos 5
   A.5  Other authentication protocols
      A.5.1  PAP (Password Authentication Protocol)
      A.5.2  CHAP (Challenge Handshake Authentication Protocol)
      A.5.3  MS-CHAP (Microsoft CHAP)
      A.5.4  MS-CHAPv2 (Microsoft CHAP version 2)


Copyright (C) 2005-2008 by Fulvio Ricciardi