Configuration Guide for Kerberos Client Products on HP-UX 11.0 | HP-UX 11i v1 | HP-UX 11i v1.6 | HP-UX 11i v2

Overview
Kerberos Overview
Chapter 1 21
T indicates the time stamp and
N indicates the nonce
Step 2. The Authentication Service (AS) is a component of the Key Distribution Center (KDC) that uses the client’s secret key to construct an authenticator that it sends to the user along with the TGT. These are referred to as ‘credentials’. The credentials consist of a ticket, called the ticket granting ticket (TGT), and a randomly generated temporary encryption key, often called the session key. The session key is a temporary encryption key used by the server to authenticate the client. It is encrypted in the server’s key, and is typically valid for a login session. This session key can also be used to encrypt any data that is transmitted between the client and server.
Step 3. If the user can successfully decrypt the authenticator, then the user obtains the session key. The TGT and the session key are stashed in the user’s credential cache. This is used to obtain tickets for each network service the principal wants to access.
This protocol exchange has two important features:
• the authentication scheme does not require that the password be sent across the network, either in encrypted form or in clear text
• neither the client nor any other user can view or modify the contents of the TGT
Step 4. Steps 4 and 5 are as follows:
To obtain access to a secured network service such as rlogin, rsh, rcp, ftp or telnet, the requesting client application uses the previously obtained TGT in a dialogue with the TGS to obtain a service ticket. The protocol is the same as the one used to obtain the TGT, except that the messages contain the name of the server and a copy of the previously obtained TGT.
The TGS now returns a new service ticket that the application client can use to authenticate to the service.
Step 5. This step has been discussed above.
Step 6. The application client will now try to authenticate to the service on the application server using the service ticket obtained from the TGS.