Table of content¶
- 1.1.1 - Realms
- 1.1.2 - Principal
- 1.1.3 - Keys
- 1.1.4 - KDC (Key Distribution Center)
- 1.1.5 - Database
- 1.1.6 - AS (Authentication Server)
- 1.1.7 - TGS (Ticket Granting Server)
- 1.1.8 - Tickets
1.1 - Introduction¶
The Kerberos server is a part of the Apache Directory Server : it uses the LDAP server as a backend, but has its own network layer. which makes it easy to install, compared to other solutions where you have two components : a backend(typically an LDAP server) on one side, and the Kerberos Server on the other.
We also have decent GUI support for editing the configuration in Studio, which allows administrators to tweak their server's functionality in a convenient way.
The Kerberos server of Apache Directory implements RFC 1510 and RFC 4120, the Kerberos V5 Network Authentication Service. The purpose of Kerberos is to verify the identities of principals (users or services) on an unprotected network. While generally thought of as a single-sign-on technology, Kerberos's true strength is in authenticating users without ever sending their passwords over the network. Kerberos is designed for use in open (untrusted) networks and, therefore, operates under the assumption that packets traveling along the network can be read, modified, and inserted at will. This chart provides a good description of the protocol workflow.
Kerberos is named after the three-headed dog that guards the gates to Hades. The three heads are the client, the Kerberos server, and the network service being accessed.
What is it all about ?¶
The idea is to have a server being able to deliver a user some tickets that can be used by services. Those tickets are trusted for a certain period of time. The most important point is that the service does not have to ask any server to validate those tickets : they are trusted because they have been generated by a trusted server.
This is a two round process : 1 - The client requests a Ticket to the Kerberos server 2 - The client submits the ticket to the requested service
The the client is authenticated.
In any case, there is no way to fake an identity or to forge a ticket for accessing a service, nor one can reuse a Ticket that has already been used.
Apache Kerberos Server¶
The Apache Directory Kerberos server uses Apache MINA in networking layer and the Apache Directory as the backend for storing principals and associated keys.
The Kerberos server provides:
- Authentication service
- Ticket-granting service
- Pre-authentication support(PA-ENC-TIMESTAMP)
- support for des-cbc-md5, des3-cbc-sha1-kd, aes128-cts-hmac-sha1-96, aes256-cts-hmac-sha1-96 and rc4-hmac encryption systems
- UDP and TCP transports