Understanding kerberos – Apple Mac OS X Server (Administrator’s Guide) User Manual
Page 198
Chapter 3
• Telnet server
These services have been “Kerberized.” Only services that have been Kerberized can use
Kerberos to validate a user.
Understanding Kerberos
Like the Password Server, a Kerberos server is dedicated to handling data needed for user
validation. Other user data is maintained in a separate server.
Kerberized services are configured to authenticate principals who are known to a particular
Kerberos realm. You can think of a "realm" as a particular Kerberos database or
authentication domain, which contains validation data for users, services, and sometimes
servers (known as "principals"). For example, a realm contains each principal's long-term
secret key. For user principals the key is the result of a one-way function applied to the
password, so the realm database holds no recoverable passwords; anyone who obtains a copy of
the database can still mount an offline guessing attack against weak passwords. Service
principals are generally based on randomly generated secrets rather than passwords.
Here are examples of realm and principal names (with username and hostname standing for the
user name and the server's host name); note that realm names are capitalized by convention
to distinguish them from DNS domain names:
• Realm: MYREALM.EXAMPLE.COM
• User principal: username@MYREALM.EXAMPLE.COM
• Service principal: afpserver/hostname@MYREALM.EXAMPLE.COM
There are several phases to Kerberos authentication. In the first phase, the client obtains
a credential (a ticket-granting ticket) that it will use to request access to Kerberized
services. In the second phase, the client uses that credential to request a ticket for a
specific service. In the final phase, the client presents the service ticket to the service,
which verifies it using its own key and does not need to contact the KDC.
The following illustration summarizes these activities. Note that the service and the client in
this picture may be the same entity (such as login window) or two different entities (such as
a mail client and the mail server).
1. The client authenticates to a Kerberos Key Distribution Center (KDC), which interacts with
realms to access authentication data. This is the only step in which passwords and associated
password policy information need to be checked.
2. The KDC issues the client a ticket-granting ticket, the credential needed when the client
wants to use Kerberized services. The ticket-granting ticket is good for a configurable period
of time, but it can be made unusable before expiration (for example, by disabling the principal
at the KDC, after which the KDC refuses to issue further service tickets for it; service tickets
already issued remain valid until they expire). It is cached on the client until it expires.
[Illustration: the Client, the Key Distribution Center (KDC), and the Kerberized service, with the exchange shown as steps 1 through 6.]
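The three phases described above, as an added example in Python that is not part of the Apple manual or of any real Kerberos implementation: a KDC object holding a realm database, a client that obtains and caches a ticket-granting ticket and then requests a service ticket, and a Kerberized service that verifies the ticket with its own key. Everything cryptographic is a labelled simplification: PBKDF2 stands in for the Kerberos string-to-key function, an HMAC-based toy cipher stands in for the real encryption types, and the user name, password and host name are constructed for the example (the afpserver service name and the MYREALM.EXAMPLE.COM realm are the ones the text uses).

```python
import hashlib
import hmac
import json
import os
KEY_LEN, NONCE_LEN, TAG_LEN, MAX_SKEW = 32, 16, 32, 300  # MAX_SKEW: tolerated clock skew in seconds

def string_to_key(password: str, principal: str) -> bytes:
    # One-way function of the password, salted with the principal name; PBKDF2 is an assumed stand-in.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000, KEY_LEN)

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key: bytes, obj: dict) -> bytes:
    # Toy authenticated encryption (HMAC keystream + HMAC tag) standing in for a Kerberos enctype.
    nonce = os.urandom(NONCE_LEN)
    ct = _xor_stream(key, nonce, json.dumps(obj, sort_keys=True).encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(_xor_stream(key, nonce, ct))

class KDC:
    def __init__(self, realm: str, tgt_lifetime: int = 8 * 3600, ticket_lifetime: int = 3600):
        self.realm, self.tgt_lifetime, self.ticket_lifetime = realm, tgt_lifetime, ticket_lifetime
        self.tgs_principal = f"krbtgt/{realm}@{realm}"
        self.db = {self.tgs_principal: os.urandom(KEY_LEN)}  # the realm's principal database
    def add_user(self, name: str, password: str) -> str:
        principal = f"{name}@{self.realm}"
        self.db[principal] = string_to_key(password, principal)  # the password itself is never stored
        return principal
    def add_service(self, name: str, host: str) -> str:
        principal = f"{name}/{host}@{self.realm}"
        self.db[principal] = os.urandom(KEY_LEN)  # random secret; the service holds a copy (its keytab)
        return principal
    def as_exchange(self, client: str, preauth: bytes, now: int) -> bytes:
        # Phase 1 (steps 1 and 2): the only exchange that uses the password-derived key.
        unseal(self.db[client], preauth)  # pre-authentication: fails unless sealed under the right key
        session = os.urandom(KEY_LEN)
        tgt = {"client": client, "key": session.hex(), "expires": now + self.tgt_lifetime}  # sealed under the krbtgt key: the client caches it but cannot read it
        return seal(self.db[client], {"key": session.hex(), "tgt": seal(self.db[self.tgs_principal], tgt).hex()})
    def tgs_exchange(self, tgt_blob: bytes, authenticator: bytes, service: str, now: int) -> bytes:
        # Phase 2: the client proves it holds the TGT session key; the KDC issues a service ticket.
        tgt = unseal(self.db[self.tgs_principal], tgt_blob)
        if now > tgt["expires"]:
            raise PermissionError("ticket-granting ticket has expired")
        session = bytes.fromhex(tgt["key"])
        if unseal(session, authenticator)["client"] != tgt["client"]:
            raise PermissionError("authenticator does not match the ticket")
        svc_session = os.urandom(KEY_LEN)
        ticket = {"client": tgt["client"], "service": service, "key": svc_session.hex(), "expires": now + self.ticket_lifetime}
        return seal(session, {"key": svc_session.hex(), "ticket": seal(self.db[service], ticket).hex()})

class Client:
    def __init__(self, principal: str, password: str):
        self.principal, self.key, self.tgt = principal, string_to_key(password, principal), None
    def login(self, kdc: KDC, now: int) -> None:
        reply = unseal(self.key, kdc.as_exchange(self.principal, seal(self.key, {"timestamp": now}), now))
        self.tgt = (bytes.fromhex(reply["tgt"]), bytes.fromhex(reply["key"]))  # cached until it expires
    def authenticator(self, session: bytes, now: int) -> bytes:
        return seal(session, {"client": self.principal, "timestamp": now})
    def get_service_ticket(self, kdc: KDC, service: str, now: int) -> tuple:
        tgt_blob, session = self.tgt
        reply = unseal(session, kdc.tgs_exchange(tgt_blob, self.authenticator(session, now), service, now))
        return bytes.fromhex(reply["ticket"]), bytes.fromhex(reply["key"])

def service_accept(svc_key: bytes, ticket: bytes, authenticator: bytes, now: int) -> str:
    # Phase 3, service side: verified with the service's own key alone, no KDC round trip.
    t = unseal(svc_key, ticket)
    if now > t["expires"]:
        raise PermissionError("service ticket has expired")
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    if auth["client"] != t["client"] or abs(now - auth["timestamp"]) > MAX_SKEW:
        raise PermissionError("bad authenticator")
    return t["client"]

def outcome(action) -> str:
    try:
        action()
        return "accepted"
    except (ValueError, PermissionError) as e:
        return type(e).__name__

def run_demo() -> dict:
    # Constructed scenario: the user name, password and host name are made up for this example.
    kdc = KDC("MYREALM.EXAMPLE.COM")
    user = kdc.add_user("alice", "correct horse battery staple")
    afp = kdc.add_service("afpserver", "files.example.com")
    client = Client(user, "correct horse battery staple")
    client.login(kdc, now=1_000)
    ticket, svc_session = client.get_service_ticket(kdc, afp, now=1_100)
    who = service_accept(kdc.db[afp], ticket, client.authenticator(svc_session, 1_200), now=1_200)
    bad_pw = outcome(lambda: Client(user, "wrong password").login(kdc, now=1_000))
    stale = outcome(lambda: client.get_service_ticket(kdc, afp, now=1_000 + kdc.tgt_lifetime + 1))
    return {"authenticated_as": who, "wrong_password": bad_pw, "expired_tgt": stale}
```

run_demo() returns a dict reporting which principal the service authenticated, that a wrong password is rejected at step 1 before the KDC reveals anything, and that an expired ticket-granting ticket is refused at the ticket-granting step. Two caveats the toy shares with real deployments: without pre-authentication a KDC would hand an AS reply encrypted under the user's key to anyone who asked for it, which is an offline password-guessing target; and the timestamp check on the service side only narrows the replay window to the permitted clock skew, so real Kerberized services also keep a replay cache of recently seen authenticators.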