kerberos

Kerberos is a network authentication protocol designed to provide strong authentication for client/server applications by using secret-key cryptography. It enables nodes to prove their identity and to obtain service tickets to access resources on insecure networks. It was developed at MIT as part of Project Athena and named after the three-headed guardian of the underworld in Greek mythology.

In Kerberos, a trusted entity called the Key Distribution Center, or KDC, issues tickets. When a user logs in, the client sends credentials to the Authentication Service (AS) portion of the KDC, which issues a Ticket-Granting Ticket (TGT) after validating the user’s secret key. The TGT proves the user’s identity and is used to request service tickets from the Ticket-Granting Service (TGS). The client presents the TGT to the TGS to obtain a service ticket for a specific server. The service ticket is used to authenticate to that server; tickets and session keys are protected with keys shared between the KDC and the service. Tickets have lifetimes, and the process uses synchronized time to prevent replay attacks.

Kerberos version 5 is the current standard, specified in RFC 4120, with extensions in related RFCs. It supports mutual authentication, cross-realm authentication, and single sign-on across services within a Kerberos realm or trusted realms. It is widely deployed in enterprise environments, notably Windows Active Directory and various Unix-like systems via implementations from MIT, Heimdal, and macOS.

Security and operational considerations: Kerberos relies on trusted time synchronization and secure key management. In practice it is deployed with keytab files for services and strong password handling. Its security model assumes the KDC is trusted; compromise of the KDC undermines the entire realm. Ticket lifetimes and renewal policies balance usability and risk.
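A toy model of the AS and TGS exchanges described above, added here as an illustration and not code from any Kerberos implementation. It assumes HMAC tagging as a stand-in for encryption (so it shows key separation, ticket lifetime, clock-skew and replay-cache checks, not the RFC 4120 wire format), and the principal names, keys and timestamps are constructed.

```python
import hashlib, hmac, json, secrets
SKEW = 300            # accepted clock skew in seconds (MIT krb5 default: 5 minutes)
LIFETIME = 10 * 3600  # ticket lifetime in seconds

def seal(key, obj):
    # Stand-in for Kerberos encryption: JSON body + HMAC tag (integrity only, no secrecy).
    body = json.dumps(obj, sort_keys=True).encode()
    return {"body": body.hex(), "tag": hmac.new(key, body, hashlib.sha256).hexdigest()}
def unseal(key, blob):
    body = bytes.fromhex(blob["body"])
    if not hmac.compare_digest(blob["tag"], hmac.new(key, body, hashlib.sha256).hexdigest()):
        raise ValueError("does not verify under this key")
    return json.loads(body)

class KDC:
    def __init__(self, keys):
        self.keys = keys   # principal -> long-term key (user secret, service keytab, krbtgt)
        self.seen = set()  # replay cache of (client, authenticator timestamp)
    def as_exchange(self, client, now):
        # AS: TGT sealed with the krbtgt key; a copy of the session key sealed with the user's key.
        sk = secrets.token_bytes(32)
        tgt = seal(self.keys["krbtgt"], {"client": client, "key": sk.hex(), "exp": now + LIFETIME})
        return seal(self.keys[client], {"key": sk.hex(), "tgt": tgt})
    def tgs_exchange(self, tgt, authenticator, service, now):
        # TGS: open the TGT, check authenticator freshness and uniqueness, issue a service ticket.
        t = unseal(self.keys["krbtgt"], tgt)
        if now > t["exp"]: raise ValueError("TGT expired")
        sk = bytes.fromhex(t["key"])
        a = unseal(sk, authenticator)  # only the holder of the TGT session key can build this
        if a["client"] != t["client"] or abs(now - a["ts"]) > SKEW: raise ValueError("name mismatch or outside clock skew")
        if (a["client"], a["ts"]) in self.seen: raise ValueError("replayed authenticator")
        self.seen.add((a["client"], a["ts"]))
        ssk = secrets.token_bytes(32)
        ticket = seal(self.keys[service], {"client": t["client"], "key": ssk.hex(), "exp": now + LIFETIME})
        return ticket, seal(sk, {"service": service, "key": ssk.hex()})

def run(now=1_700_000_000):
    # Happy path, then a replayed and a stale authenticator; returns each outcome (constructed data).
    kdc = KDC({"alice": b"alice-pw-key", "host/fs.example": b"fs-keytab-key", "krbtgt": b"krbtgt-key"})
    rep = unseal(b"alice-pw-key", kdc.as_exchange("alice", now))  # client opens the AS reply
    sk, tgt = bytes.fromhex(rep["key"]), rep["tgt"]
    auth = seal(sk, {"client": "alice", "ts": now})
    ticket, _ = kdc.tgs_exchange(tgt, auth, "host/fs.example", now + 1)
    out = {"client": unseal(b"fs-keytab-key", ticket)["client"]}  # only the service key opens it
    for label, a in (("replay", auth), ("stale", seal(sk, {"client": "alice", "ts": now - 2 * SKEW}))):
        try:
            kdc.tgs_exchange(tgt, a, "host/fs.example", now + 2)
            out[label] = "accepted"
        except ValueError as e:
            out[label] = str(e)
    return out
```

The replay cache and skew window are what turn "synchronized time" into an actual defence: without the cache, a captured authenticator is valid for the whole skew window.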