Introduction to Kerberos
Kerberos is a computer-network authentication protocol. It is based on symmetric-key cryptography and mutual authentication between a client and an authentication server (the Key Distribution Center, KDC) without sending the user's secrets over the network. It is commonly used to authenticate users, computers and services in centralized identity management.
The authentication itself is done by exchanging encrypted messages that contain encrypted tickets and the encryption keys required to decrypt those tickets and continue the protocol exchange. To decrypt such a message, one must possess information (usually a password) from which the correct encryption key can be derived.
A ticket-granting ticket (TGT) is obtained after a successful authentication and stored in the user's credential cache. This ticket can be used to authenticate the user to other services without entering the user's secrets again. The user therefore provides the authentication token only once, to obtain the TGT, and is not prompted again as long as the ticket is valid and has not expired. This is referred to as single sign-on (SSO).
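The exchange just described, as an added toy model written for this page (not SSSD's or MIT Kerberos's code): the client derives its key from the password and a realm+principal salt as real Kerberos does, the KDC issues a session key and a TGT that only it can open, and later service tickets are obtained with the cached TGT alone. The cipher, message layout, realm name and passwords are constructed stand-ins, not Kerberos wire formats.

```python
import hashlib, hmac, json, os

def string_to_key(password, realm, principal):
    # As in RFC 3962, the long-term key is derived on the client from the password
    # plus a salt of realm + principal; the password itself is never transmitted.
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 4096, 32)

def _keystream(key, nonce, n):
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def encrypt(key, obj):
    # Toy authenticated encryption (HMAC keystream + HMAC tag), a stand-in for a real enctype.
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Knows every principal's long-term key; the krbtgt key never leaves the KDC."""
    def __init__(self, realm, passwords):
        self.realm = realm
        self.keys = {p: string_to_key(pw, realm, p) for p, pw in passwords.items()}
    def as_exchange(self, client):
        # AS-REP: fresh session key encrypted for the client, TGT encrypted for krbtgt.
        session = os.urandom(32).hex()
        tgt = encrypt(self.keys["krbtgt"], {"cname": client, "session": session})
        return encrypt(self.keys[client], {"session": session}), tgt
    def tgs_exchange(self, tgt, authenticator, service):
        # Only the KDC opens the TGT; the authenticator proves possession of the session key.
        body = decrypt(self.keys["krbtgt"], tgt)
        if decrypt(bytes.fromhex(body["session"]), authenticator)["cname"] != body["cname"]:
            raise ValueError("authenticator does not match TGT")
        return encrypt(self.keys[service], {"cname": body["cname"]})  # service ticket

def get_service_ticket(kdc, user, password, service):
    enc_part, tgt = kdc.as_exchange(user)
    # Decrypting the AS-REP with the password-derived key is the authentication;
    # a wrong password yields the wrong key and decrypt() raises ValueError.
    session = decrypt(string_to_key(password, kdc.realm, user), enc_part)["session"]
    # Later requests reuse the cached TGT + session key, with no password: single sign-on.
    authenticator = encrypt(bytes.fromhex(session), {"cname": user})
    return kdc.tgs_exchange(tgt, authenticator, service)
```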
See also
Kerberos is a standardized protocol described in RFC 4120. Additionally, there are many standardized extensions that extend the Kerberos protocol with new functionality. For example:
Kerberos is fully integrated into the identity management solutions FreeIPA and Active Directory, where it is required for authentication. It can optionally be used with plain LDAP. SSSD has vast Kerberos support, including:
Automatic ticket renewal
Offline authentication and automatic ticket acquirement upon transition to online state
Smartcard authentication
Two-factor authentication
FAST channel support
.k5login based access control
… and more