Kerberos

Kerberos is a protocol for authenticating users and services on a network using secret-key cryptography. This page will mostly describe the MIT implementation, though others are available. It is named after the Greek mythological figure Cerberus, the three-headed hound of Hades, that guarded the gates of the Underworld.

Concepts

  • Realms are sets of managed nodes that share the same Kerberos database. They're identified by a realm name, which is typically the domain name in uppercase.
  • Principals are unique identities within a realm. A principal is typically a user or service account, and is identified by a principal name and a realm name.
  • Services are network services that authenticate principals within a realm.
  • Key Distribution Centres (KDCs) consist of two services:
    • Authentication Server (AS) is the first point of contact for a client. It issues a ticket-granting ticket (TGT) to the client.
    • Ticket Granting Server (TGS) issues service tickets to clients.

Transport

Kerberos KDCs listen on either UDP/88 or TCP/88.

Encryption keys

Encryption keys keep messages confidential and allow tampering to be detected. The keys involved are:

  • KDC (or krbtgt) key, derived from the krbtgt principal's password hash.
  • User keys, derived from user principals' password hashes.
  • Service keys, derived from the password hashes of service principals (such as AD user or computer accounts).
  • Session keys are temporary keys negotiated between the user and the KDC.
  • Service session keys are temporary keys negotiated between the user and the service.

Data

Tickets are the primary data structures exchanged during authentication flows:

  • Ticket Granting Service (TGS) tickets, also called service tickets, allow users to authenticate to services, and are encrypted with the service's key.
  • Ticket Granting Tickets (TGTs) are presented to the KDC to request service tickets, and are encrypted with the KDC key.

Additionally, Privilege Attribute Certificates (PACs) are used to store and transmit principal privilege information.

Sequences

  sequenceDiagram
      title Authentication
      participant User
      participant Service
      box Key Distribution Centre
          participant Authentication Server
          participant Ticket Granting Server
          participant Database
      end
      User ->>+ Authentication Server: KRB_AS_REQ authentication request
      activate User
      Note over User,Authentication Server: Principal, service, IP, TGT lifetime
      Authentication Server ->>+ Database: Gets principal
      Database ->>- Authentication Server: Principal
      Authentication Server ->>- User: KRB_AS_REP returns TicketGrantingTicket
      Note over User,Authentication Server: Principal, TGS, time, IP, TGT lifetime
      User ->>+ Ticket Granting Server: KRB_TGS_REQ
      Note over User,Ticket Granting Server: TicketGrantingTicket
      Ticket Granting Server ->>- User: KRB_TGS_REP ServiceTicket
      User ->>+ Service: KRB_AP_REQ UserAuthenticator and ServiceTicket
      Service ->>- User: KRB_AP_REP AuthenticatorMessage
      deactivate User
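The three exchanges in the diagram, together with the key and ticket relationships from the Encryption keys and Data sections, as a runnable model. This is an added example, not code from the page or from MIT Kerberos: the realm EXAMPLE.COM, the principal alice, the service cifs/fileserver.example.com, the PAC contents and the password are constructed, PBKDF2 stands in for the real enctype-specific string-to-key function, and seal/unseal are a toy encrypt-then-MAC construction standing in for a Kerberos enctype. What it shows is which key seals which message: the TGT is opaque to the client (krbtgt key), the service ticket and the PAC inside it are opaque to the client (service key), a wrong password simply leaves the AS-REP unreadable because the user key is never sent, and the AP-REP gives the client mutual authentication.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.COM"            # constructed realm name for the walkthrough


def string_to_key(password: str, salt: str) -> bytes:
    """Long-term key from a principal's password. Real Kerberos uses an enctype-specific
    string-to-key function; PBKDF2-SHA256 stands in for it here (an assumption)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = [hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def seal(key: bytes, fields: dict) -> bytes:
    """Toy encrypt-then-MAC standing in for a Kerberos enctype: only the holder of
    `key` can read the result, and any modification is caught by the HMAC tag."""
    plaintext = json.dumps(fields).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ciphertext + hmac.new(key, nonce + ciphertext, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ciphertext, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext)))))


def readable(key: bytes, blob: bytes) -> bool:
    """True if `key` opens `blob`; shows which party can read which ticket."""
    try:
        return bool(unseal(key, blob))
    except ValueError:
        return False


class KDC:
    """Authentication Server and Ticket Granting Server over one principal database."""

    def __init__(self, database: dict):
        self.db = database                             # principal name -> long-term key
        self.krbtgt_key = database["krbtgt/" + REALM]  # the KDC key from the page

    def as_exchange(self, client: str, addr: str, lifetime: int):
        """KRB_AS_REQ -> KRB_AS_REP: TGT under the krbtgt key, the client's copy of the
        session key under the user's long-term key."""
        session_key, now = os.urandom(32), time.time()
        tgt = seal(self.krbtgt_key, {"client": client, "addr": addr, "expires": now + lifetime,
                                     "session_key": session_key.hex(), "pac": {"groups": ["users"]}})
        enc_part = seal(self.db[client], {"session_key": session_key.hex(), "time": now,
                                          "addr": addr, "expires": now + lifetime})
        return enc_part, tgt

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        """KRB_TGS_REQ -> KRB_TGS_REP: service ticket (PAC copied from the TGT) under the
        service key, the service session key back under the TGT session key."""
        ticket = unseal(self.krbtgt_key, tgt)
        if ticket["expires"] < time.time():
            raise PermissionError("TGT expired")
        session_key = bytes.fromhex(ticket["session_key"])
        if unseal(session_key, authenticator)["client"] != ticket["client"]:
            raise PermissionError("authenticator does not match the ticket")
        svc_session_key = os.urandom(32)
        service_ticket = seal(self.db[service], {"client": ticket["client"], "pac": ticket["pac"],
                                                 "svc_session_key": svc_session_key.hex(),
                                                 "expires": ticket["expires"]})
        return seal(session_key, {"svc_session_key": svc_session_key.hex()}), service_ticket


def ap_exchange(service_key: bytes, service_ticket: bytes, authenticator: bytes):
    """KRB_AP_REQ -> KRB_AP_REP at the service: open the ticket with the service's own key,
    verify the authenticator under the service session key, echo the timestamp back."""
    ticket = unseal(service_key, service_ticket)
    svc_session_key = bytes.fromhex(ticket["svc_session_key"])
    auth = unseal(svc_session_key, authenticator)
    if abs(auth["time"] - time.time()) > 300:          # 5-minute clock-skew window
        raise PermissionError("authenticator outside the clock skew window")
    return ticket, seal(svc_session_key, {"time": auth["time"]})


def run_flow(password: str = "correct horse") -> dict:
    """The diagram's sequence from the client's side. A wrong password leaves the AS-REP
    enc part unreadable (ValueError): the user key is derived locally, never transmitted."""
    service = "cifs/fileserver." + REALM.lower()
    db = {"krbtgt/" + REALM: os.urandom(32), service: os.urandom(32),
          "alice": string_to_key("correct horse", REALM + "alice")}   # constructed database
    kdc = KDC(db)
    user_key = string_to_key(password, REALM + "alice")
    enc_part, tgt = kdc.as_exchange("alice", "10.0.0.5", lifetime=36000)
    session_key = bytes.fromhex(unseal(user_key, enc_part)["session_key"])
    authenticator = seal(session_key, {"client": "alice", "time": time.time()})
    enc_part, service_ticket = kdc.tgs_exchange(tgt, authenticator, service)
    svc_session_key = bytes.fromhex(unseal(session_key, enc_part)["svc_session_key"])
    ticket, ap_rep = ap_exchange(db[service], service_ticket,
                                 seal(svc_session_key, {"client": "alice", "time": time.time()}))
    return {"service_saw_client": ticket["client"], "service_saw_pac": ticket["pac"],
            "mutual_auth_ok": unseal(svc_session_key, ap_rep)["time"] is not None,
            "client_can_read_tgt": readable(session_key, tgt) or readable(user_key, tgt),
            "client_can_read_service_ticket": readable(svc_session_key, service_ticket)}
```

Calling run_flow() walks alice through AS, TGS and AP exchanges and reports what the service learned; the two "client_can_read" entries come back False, which is the point of the Data section: the client carries its TGT and service ticket but cannot open or alter either, so the PAC the service trusts is the one the KDC wrote.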

Utilities

  • kinit [name] initiates a new session by obtaining a TGT for the named principal.
  • klist lists active sessions (the tickets in the credential cache).
  • kdestroy [name] destroys an existing session by clearing its credential cache.
