Kerberos
Kerberos is a protocol for authenticating users and services on a network using secret-key cryptography. This page mostly describes the MIT implementation, though others are available. It is named after the Greek mythological figure Cerberus, the three-headed hound of Hades that guarded the gates of the Underworld.
Concepts
- Realms are sets of managed nodes that share the same Kerberos database. They're identified by a realm name, which is typically the domain name in uppercase.
- Principals are unique identities within a realm. A principal is typically a user or service account, and is identified by a principal name and a realm name.
- Services are network services that authenticate principals within a realm.
- Key Distribution Centres (KDCs) hold the realm's Kerberos database and provide two services:
  - The Authentication Server (AS) is the first point of contact for a client. It issues a ticket-granting ticket (TGT) to the client.
  - The Ticket Granting Server (TGS) issues service tickets to clients that present a valid TGT.
Transport
Kerberos KDCs listen on port 88, over either UDP or TCP.
Encryption keys
Each message and ticket is encrypted under one of the following keys, which protects it from disclosure and tampering by anyone who does not hold that key:
- KDC (or krbtgt) key, derived from the krbtgt principal's password hash.
- User keys, derived from user principals' password hashes.
- Service keys, derived from the service principal's password hash (in Active Directory the service principal is a user or computer account).
- Session keys are temporary keys negotiated between the user and the KDC.
- Service session keys are temporary keys negotiated between the user and the service.
Data
Tickets are the primary data structures exchanged during authentication flows:
- Service tickets (also called Ticket Granting Service or TGS tickets) allow users to authenticate to services, and are encrypted with the service's key, so only that service can read them.
- Ticket Granting Tickets (TGTs) are presented to the KDC to request service tickets, and are encrypted with the KDC (krbtgt) key, so only the KDC can read them.
Additionally, Privilege Attribute Certificates (PACs) are used to store and transmit principal privilege information.
Sequences
sequenceDiagram
title Authentication
participant User
participant Service
box Key Distribution Centre
participant Authentication Server
participant Ticket Granting Server
participant Database
end
User ->>+ Authentication Server: KRB_AS_REQ authentication request
activate User
Note over User,Authentication Server: Principal, service, IP, TGT lifetime
Authentication Server ->>+ Database: Gets principal
Database ->>- Authentication Server: Principal
Authentication Server ->>- User: KRB_AS_REP returns TicketGrantingTicket
Note over User,Authentication Server: Principal, TGS, time, IP, TGT lifetime
User ->>+ Ticket Granting Server: KRB_TGS_REQ
Note over User,Ticket Granting Server: TicketGrantingTicket
Ticket Granting Server ->>- User: KRB_TGS_REP ServiceTicket
User ->>+ Service: KRB_AP_REQ UserAuthenticator and ServiceTicket
Service ->>- User: KRB_AP_REP AuthenticatorMessage
deactivate User
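The three exchanges in the diagram, with each message sealed under the key the Encryption keys section assigns to it, as an added Python example that is not part of this page or of MIT Kerberos. It assumes a toy authenticated cipher and a SHA-256 stand-in for string-to-key in place of real enctypes, and a constructed KDC database with the principals alice and host/web.example.com in place of a real KDC.

```python
import hashlib, hmac, json, os, time
# Stand-in for Kerberos string-to-key (real enctypes use salted PBKDF2 + AES).
str2key = lambda pw: hashlib.sha256(pw.encode()).digest()

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    # Toy authenticated encryption (keystream XOR + HMAC tag), not a real Kerberos enctype.
    nonce, pt = os.urandom(16), json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def open_(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

DB = {  # constructed KDC database: the krbtgt, one user and one service principal
    "krbtgt": str2key("krbtgt-secret"), "alice": str2key("alice-pw"),
    "host/web.example.com": str2key("web-pw")}

def as_exchange(client, lifetime=3600):
    # KRB_AS_REQ/REP: TGT sealed under the krbtgt key, session key under the user key.
    body = {"client": client, "key": os.urandom(32).hex(), "exp": time.time() + lifetime}
    return seal(DB["krbtgt"], body), seal(DB[client], {k: body[k] for k in ("key", "exp")})

def tgs_exchange(tgt, authenticator, service):
    # KRB_TGS_REQ/REP: KDC opens the TGT, then the authenticator with the TGT's session key.
    t = open_(DB["krbtgt"], tgt)
    auth = open_(bytes.fromhex(t["key"]), authenticator)
    if auth["client"] != t["client"] or time.time() > t["exp"]:
        raise PermissionError("authenticator does not match TGT, or TGT expired")
    st = {"client": t["client"], "key": os.urandom(32).hex(), "exp": t["exp"]}
    return seal(DB[service], st), seal(bytes.fromhex(t["key"]), {"key": st["key"]})

def ap_exchange(service, ticket, authenticator):
    # KRB_AP_REQ: the service opens the ticket with its own key and never contacts the KDC.
    st = open_(DB[service], ticket)
    auth = open_(bytes.fromhex(st["key"]), authenticator)
    return auth["client"] == st["client"] and time.time() <= st["exp"]

def login_and_access(client, password, service):
    # Client side of all three exchanges; only the password and the KDC replies are needed.
    tgt, enc = as_exchange(client)
    skey = bytes.fromhex(open_(str2key(password), enc)["key"])  # wrong password -> ValueError
    st, enc2 = tgs_exchange(tgt, seal(skey, {"client": client, "ts": time.time()}), service)
    sskey = bytes.fromhex(open_(skey, enc2)["key"])
    return ap_exchange(service, st, seal(sskey, {"client": client, "ts": time.time()}))
```

Note that the client never sends its password or key over the wire: proving knowledge of the user key is done by decrypting the AS-REP, and a wrong password simply fails that step.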
Utilities
- kinit [name]: initiates a new session.
- klist: lists active sessions.
- kdestroy [name]: destroys an existing session.