One of the main problems in a LAN is that of recognizing (authenticating) with certainty the users who wish to access the services offered: local and remote login sessions on Unix hosts or Windows workstations, and access to IMAP or POP3 servers for checking e-mail, are only some examples where the user must be authenticated before gaining access. On the other hand, the servers offering such services must also prove their identity to the users: it would be unwelcome if a fake server, introduced into the LAN by an intruder, stole secrets from unaware users who believed they had reached the legitimate service.

To solve these problems, Zeroshell uses the Kerberos 5 mutual authentication protocol (RFC 1510). It is a robust and increasingly widespread protocol which, through the use of tickets and authenticators, provides the user with authenticated access to the services and at the same time guarantees the authenticity of those services to the user.

Thanks to Kerberos 5, Zeroshell can establish trust relationships with other realms (the name Kerberos 5 gives to authentication domains) and allow the users of one domain to access the resources and services of another. In particular, since Microsoft uses Kerberos 5 as the main authentication system in Active Directory, trust relationships can be started between the realms managed by Zeroshell and Windows domains (from Windows 2000 upwards): in this way one obtains complete integration between the Unix and Windows environments, since users can access both Unix and Windows services with a single Kerberos account. This integration between the two platforms is described in the Microsoft documents
Another advantage of using Kerberos 5 is the Single Sign-On (SSO): the user enters the credentials (Username/Password) only once per work session by obtaining a ticket which allows access to the various services in a transparent manner and without having to re-authenticate.
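As an added illustration (not code from Zeroshell, nor from the Kerberos RFC), the following Python sketch models the service exchange described above: the KDC issues a ticket sealed under the service's long-term key, the client presents that ticket together with an authenticator, and the service proves its own identity by returning the client's timestamp sealed under the session key. A fake server that does not hold the service key cannot open the ticket, so it cannot recover the session key or produce a valid reply. The principal names, the realm and the toy `seal`/`unseal` cipher are assumptions made for the example; real Kerberos uses the encryption types defined by the protocol.

```python
import hmac, hashlib, json, os, time

def _keystream(key, nonce, n):
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def seal(key, obj):
    """Toy authenticated encryption (HMAC keystream + HMAC tag) standing in for Kerberos enctypes."""
    nonce = os.urandom(16)
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def kdc_issue_ticket(service_keys, client, service):
    """KDC side (simplified TGS-REP): fresh session key; ticket sealed under the service's key."""
    session_key = os.urandom(32)
    ticket = seal(service_keys[service], {"client": client, "key": session_key.hex(),
                                          "expires": time.time() + 3600})
    return session_key, ticket

def client_ap_req(session_key, ticket, client):
    """AP-REQ: the ticket plus an authenticator (client name + timestamp) sealed under the session key."""
    ts = time.time()
    return ts, {"ticket": ticket, "authenticator": seal(session_key, {"client": client, "ts": ts})}

def server_ap_rep(service_key, ap_req):
    """Service side: open the ticket with its own key, check the authenticator, answer with AP-REP."""
    t = unseal(service_key, ap_req["ticket"])          # fails for anyone without the service key
    if t["expires"] < time.time():
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(t["key"])
    auth = unseal(session_key, ap_req["authenticator"])
    if auth["client"] != t["client"] or abs(auth["ts"] - time.time()) > 300:
        raise ValueError("authenticator rejected")
    return seal(session_key, {"ts": auth["ts"]})      # AP-REP: echo the client's timestamp

def client_verify_ap_rep(session_key, sent_ts, ap_rep):
    """Mutual authentication: only a holder of the service key could have recovered the session key."""
    return unseal(session_key, ap_rep)["ts"] == sent_ts
```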
For more details about the Kerberos protocol you can read the Kerberos Tutorial.