Introduction to Kerberos

Kerberos is a computer-network authentication protocol. It is based on symmetric-key cryptography and a trusted third party, the Key Distribution Center (KDC), which lets clients and services authenticate each other (mutual authentication) without ever sending the user's secret over the network. It is commonly used to authenticate users, computers and services in centralized identity management.

The authentication itself is done by exchanging encrypted messages that contain tickets and the session keys required to decrypt the tickets and continue the protocol exchange. To decrypt such a message, one must possess information (usually a password) from which the correct encryption key can be derived.

A ticket-granting ticket (TGT) is obtained after a successful authentication and stored in the user's credential cache. It can then be used to obtain service tickets and authenticate the user to other services without entering the user's secret again. The user therefore has to provide the authentication token only once and can keep using the TGT for as long as it is valid and has not expired. This is referred to as single sign-on (SSO).
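The two paragraphs above describe the message flow in the abstract. The following toy walk-through of the AS exchange (password to TGT), the TGS exchange (TGT to service ticket) and the service-side check is an added example, not code from this page or from SSSD, MIT Kerberos or Heimdal. The cipher is a toy (HMAC-SHA256 keystream plus an HMAC tag) standing in for a real Kerberos encryption type, the realm EXAMPLE.COM, the principals alice and host/web.example.com and the passwords are made up, and RFC 4120 pre-authentication is deliberately left out. What it shows is the part the page cares about: the password is used only locally to derive a key, never sent, a wrong password simply fails to open the KDC reply, and once the TGT sits in the credential cache every further service ticket is obtained without touching the password.

```python
"""Toy Kerberos AS/TGS/AP flow (added example; toy cipher, made-up principals,
no pre-authentication). Not the page's or any real implementation's code."""
import hashlib
import hmac
import json
import os
import time


def string_to_key(password: str, salt: str) -> bytes:
    # Shape of RFC 3962 string-to-key: PBKDF2-HMAC-SHA1 over the password with a
    # principal-based salt. Iteration count and key length are this toy's choice.
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32)


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def encrypt(key: bytes, obj) -> bytes:
    # Toy EncryptedData: nonce || ciphertext || tag (encrypt-then-MAC).
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def decrypt(key: bytes, blob: bytes):
    # A wrong key or a tampered blob fails the tag check, as a real Kerberos
    # enctype's integrity check would; that is what "cannot decrypt" means here.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """Holds the long-term key of every principal, including krbtgt/REALM."""

    def __init__(self, realm: str):
        self.realm = realm
        self.keys = {"krbtgt/" + realm: os.urandom(32)}

    def add_principal(self, name: str, password: str) -> None:
        self.keys[name] = string_to_key(password, self.realm + name)

    def as_exchange(self, client: str, lifetime: int = 8 * 3600):
        # AS-REP: TGT sealed with the krbtgt key (opaque to the client) plus the
        # TGT session key sealed with the client's long-term key. No secret of
        # the client is on the wire; only its key holder can open enc_part.
        session, expires = os.urandom(32).hex(), int(time.time()) + lifetime
        tgt = encrypt(self.keys["krbtgt/" + self.realm],
                      {"client": client, "session": session, "expires": expires})
        return tgt, encrypt(self.keys[client], {"session": session, "expires": expires})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        # TGS-REQ: open the TGT with our own key, check lifetime, check that the
        # authenticator was made with the TGT session key, then issue a ticket
        # sealed with the service's key.
        tgt_data = decrypt(self.keys["krbtgt/" + self.realm], tgt)
        if tgt_data["expires"] < time.time():
            raise ValueError("TGT expired, the user must kinit again")
        session = bytes.fromhex(tgt_data["session"])
        if decrypt(session, authenticator)["client"] != tgt_data["client"]:
            raise ValueError("authenticator does not match the ticket")
        svc_session = os.urandom(32).hex()
        ticket = encrypt(self.keys[service], {"client": tgt_data["client"], "session": svc_session})
        return ticket, encrypt(session, {"service": service, "session": svc_session})


class Client:
    def __init__(self, name: str, kdc: KDC):
        self.name, self.kdc, self.ccache = name, kdc, None

    def kinit(self, password: str) -> None:
        # The password is used once, locally, to derive the key that opens the
        # AS-REP; only the TGT and its session key are kept (the credential cache).
        key = string_to_key(password, self.kdc.realm + self.name)
        tgt, enc_part = self.kdc.as_exchange(self.name)
        data = decrypt(key, enc_part)  # raises ValueError on a wrong password
        self.ccache = {"tgt": tgt, "session": bytes.fromhex(data["session"])}

    def authenticate_to(self, service: str):
        # SSO: TGT from the cache -> service ticket -> AP-REQ, no password involved.
        auth = encrypt(self.ccache["session"], {"client": self.name, "time": int(time.time())})
        ticket, enc_part = self.kdc.tgs_exchange(self.ccache["tgt"], auth, service)
        svc_session = bytes.fromhex(decrypt(self.ccache["session"], enc_part)["session"])
        return ticket, encrypt(svc_session, {"client": self.name, "time": int(time.time())})


def service_verify(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    # Service side of AP-REQ: open the ticket with our key, then check the
    # authenticator under the session key the ticket carries. Returns the client.
    t = decrypt(service_key, ticket)
    if decrypt(bytes.fromhex(t["session"]), authenticator)["client"] != t["client"]:
        raise ValueError("authenticator does not match the ticket")
    return t["client"]


if __name__ == "__main__":
    kdc = KDC("EXAMPLE.COM")
    kdc.add_principal("alice", "correct horse")
    kdc.add_principal("host/web.example.com", "host-secret")
    alice = Client("alice", kdc)
    alice.kinit("correct horse")  # password entered exactly once
    for _ in range(3):            # every later login reuses the cached TGT
        ticket, ap = alice.authenticate_to("host/web.example.com")
        print(service_verify(kdc.keys["host/web.example.com"], ticket, ap))
```

Because pre-authentication is omitted, this toy KDC hands the AS-REP to anyone who names a principal, and the `enc_part` can then be attacked offline with password guesses; real KDCs require pre-authentication (typically an encrypted timestamp) precisely to avoid that.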

See also

Kerberos is a standardized protocol described in RFC 4120. Additionally, there are many standardized extensions that extend the Kerberos protocol with new functionality. For example:

Note

There are two main open-source Kerberos implementations.

Kerberos is fully integrated into the identity management solutions FreeIPA and Active Directory, where it is required for authentication. It can optionally be used with plain LDAP as well. SSSD has vast Kerberos support, including:

  • Automatic ticket renewal

  • Smartcard authentication

  • Two-factor authentication

  • FAST channel support

  • .k5login based access control

  • Offline authentication, and automatic ticket acquisition once the system transitions back to the online state

  • … and more