
Kerberos Authentication Protocol


1.2  Aims

Before describing the elements that make up the Kerberos authentication system and looking at its operation, some of the aims the protocol wishes to achieve are listed below:
  • The user's password must never travel over the network;
  • The user's password must never be stored in any form on the client machine: it must be immediately discarded after being used;
  • The user's password should never be stored in an unencrypted form even in the authentication server database;
  • The user is asked to enter a password only once per work session. Therefore users can transparently access all the services they are authorized for without having to re-enter the password during this session. This characteristic is known as Single Sign-On;
  • Authentication information management is centralized and resides on the authentication server. The application servers must not contain the authentication information for their users. This is essential for obtaining the following results:
    1. The administrator can disable the account of any user by acting in a single location without having to act on the several application servers providing the various services;
    2. When a user changes their password, it is changed for all services at the same time;
    3. There is no redundancy of authentication information which would otherwise have to be safeguarded in various places;
  • Not only do the users have to demonstrate that they are who they say, but, when requested, the application servers must prove their authenticity to the client as well. This characteristic is known as Mutual authentication;
  • Following the completion of authentication and authorization, the client and server must be able to establish an encrypted connection, if required. For this purpose, Kerberos provides support for the generation and exchange of an encryption key to be used to encrypt data.
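The first three aims above (password never on the wire, never kept on the client, never stored in clear on the server) can be modelled in a few lines. The following is an added illustration, not ZeroShell's code and not the real Kerberos wire format: the realm name, the principal names and the use of an HMAC over a timestamp in place of Kerberos's encrypted-timestamp pre-authentication are all assumptions made for the example; the PBKDF2 key derivation with salt = realm + principal and 4096 iterations follows RFC 3962's string-to-key (without its final AES "to-key" step), and the 5-minute clock-skew window is the Kerberos default.

```python
import hashlib
import hmac
import time

REALM = "EXAMPLE.COM"   # assumed realm for this example
ITERATIONS = 4096       # RFC 3962 default iteration count
CLOCK_SKEW = 300        # Kerberos tolerates 5 minutes of clock skew


def string_to_key(password: str, principal: str, realm: str = REALM) -> bytes:
    """Derive the long-term key from the password; only this key is ever stored."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS, 16)


class AuthServer:
    """Stand-in for the KDC database: holds derived keys, never plaintext passwords."""

    def __init__(self):
        self.keys = {}
        self.seen = set()   # (principal, timestamp) pairs already accepted

    def enroll(self, principal: str, password: str) -> None:
        self.keys[principal] = string_to_key(password, principal)

    def verify(self, principal: str, timestamp: int, tag: bytes, now=None) -> bool:
        key = self.keys.get(principal)
        if key is None:
            return False
        expected = hmac.new(key, str(timestamp).encode(), "sha256").digest()
        if not hmac.compare_digest(expected, tag):
            return False            # wrong password: derived key does not match
        now = time.time() if now is None else now
        if abs(now - timestamp) > CLOCK_SKEW:
            return False            # stale proof outside the skew window
        if (principal, timestamp) in self.seen:
            return False            # replay of a proof already accepted
        self.seen.add((principal, timestamp))
        return True


def client_prove(principal: str, password: str, now=None):
    """Client side: derive the key, discard the password, send only a keyed proof."""
    key = string_to_key(password, principal)
    del password                    # aim 2: the password is not retained
    ts = int(time.time() if now is None else now)
    tag = hmac.new(key, str(ts).encode(), "sha256").digest()
    return principal, ts, tag       # aim 1: neither password nor key travels
```

Note that the proof carries only the principal, a timestamp and a tag; an observer on the network sees nothing from which the password can be read back, and the server database holds only the derived key.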

    Copyright (C) 2005-2016 by Fulvio Ricciardi