Installing, Configuring and Administering the Kerberos Server V 2.0 on HP-UX 11i

Overview
Authentication Process
Step 3. If the AS can decrypt the message successfully, it knows that the requesting user is who they claim to be, and issues a TGT. The TGT contains the name of the user and a session key to be used by the user and the Server for any subsequent communication. The reply message is encrypted using the user’s secret key.
Step 4. The KDC decrypts the message using the user’s secret key. If the application can successfully decrypt the message, the user is allowed to use the application. The TGT and the session key from the message are stashed in the user’s credential cache.
This protocol exchange has three important features, namely:
• the authentication scheme does not require that the password be sent across the network, either in encrypted form or in clear text
• tickets are not returned unless the principal name and password are correct
• the client, or anyone else, cannot look at or modify the contents of the TGT
At the end of this initial exchange with the AS, the user’s credential cache holds the user principal’s TGT and the associated session key. These are used to obtain tickets for each network service the principal wants to access.
To obtain access to a secured network service, the requesting client application uses the previously obtained TGT in a dialog with the Server. The protocol is the same as used while obtaining the TGT, except the messages contain the name of the server, the message type and an encrypted copy of the previously obtained TGT.
Step 5. The user runs a secured application, such as rlogin, rsh, rcp, ftp or telnet.
Step 6. The secured application checks for the required service ticket in the user’s credential cache. If it is there, skip to Step 10. If the user does not have the required service ticket, the secured application reads the user principal’s TGT and session key from the user’s private credentials cache.
Step 7. The secured application sends its request for a specific service ticket to the ticket-granting service (TGS), along with the user principal’s TGT and an authenticator. An authenticator is known data, such as a timestamp and the user name, encrypted with the session key.
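The exchanges in Steps 3 through 7 are easier to follow with both sides in code. The following is an added illustration, not code from the HP-UX manual or from any Kerberos implementation: it models a KDC (AS plus TGS), a client with a credential cache, and the messages between them. The realm EXAMPLE.COM, the principals alice and host/app.example.com, and the passwords are constructed; the string-to-key function is a PBKDF2 stand-in, and the encryption is a toy SHAKE keystream with an HMAC tag that only models "just the key holder can read or alter this blob", not a real Kerberos encryption type. The replay cache on the TGS side, keyed by client name and authenticator timestamp, is a detail the text does not spell out but every KDC keeps.

```python
import hashlib, hmac, json, os, time

CLOCK_SKEW = 300  # seconds; timestamps outside this window are rejected

def string_to_key(password, salt):
    # PBKDF2 stand-in for the Kerberos string-to-key function: the long-term key is derived
    # locally from the password, so the password itself never crosses the network.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def encrypt(key, obj):
    # Toy authenticated encryption (SHAKE keystream XOR + HMAC tag); not a Kerberos enctype.
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(pt, hashlib.shake_128(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(c ^ s for c, s in zip(ct, hashlib.shake_128(key + nonce).digest(len(ct)))))

class KDC:
    def __init__(self, realm):
        self.realm = realm
        self.db = {}                   # principal name -> long-term key
        self.tgs_key = os.urandom(32)  # TGS key that seals every TGT
        self.seen = set()              # replay cache of (client, timestamp) authenticators

    def add_principal(self, name, password):
        self.db[name] = string_to_key(password, self.realm + name)

    def as_exchange(self, user, preauth):
        # Step 3: a decryptable pre-auth timestamp proves the client holds the password. The
        # TGT is sealed with the TGS key, so the client can carry it but cannot read or alter it.
        user_key = self.db[user]
        if abs(time.time() - decrypt(user_key, preauth)["timestamp"]) > CLOCK_SKEW:
            raise ValueError("stale pre-authentication timestamp")
        session_key = os.urandom(32)
        tgt = encrypt(self.tgs_key, {"client": user, "session_key": session_key.hex()})
        return encrypt(user_key, {"session_key": session_key.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, service, tgt, authenticator):
        # Step 7, TGS side: open the TGT, then check the authenticator with the session key
        # found inside it. Name mismatch, clock skew and replay are all rejected.
        body = decrypt(self.tgs_key, tgt)
        session_key = bytes.fromhex(body["session_key"])
        auth = decrypt(session_key, authenticator)
        if (auth["client"] != body["client"] or abs(time.time() - auth["timestamp"]) > CLOCK_SKEW
                or (auth["client"], auth["timestamp"]) in self.seen):
            raise ValueError("authenticator rejected (name mismatch, skew or replay)")
        self.seen.add((auth["client"], auth["timestamp"]))
        svc_key = os.urandom(32)
        ticket = encrypt(self.db[service], {"client": body["client"], "session_key": svc_key.hex()})
        return encrypt(session_key, {"session_key": svc_key.hex(), "ticket": ticket.hex()})

class Client:
    def __init__(self, kdc, user, password):
        self.kdc, self.user = kdc, user
        self.key = string_to_key(password, kdc.realm + user)
        self.ccache = {}  # credential cache: "krbtgt" plus one entry per service

    def kinit(self):
        # Step 4, client side: open the AS reply and stash TGT and session key in the cache.
        preauth = encrypt(self.key, {"timestamp": time.time()})
        reply = decrypt(self.key, self.kdc.as_exchange(self.user, preauth))
        self.ccache["krbtgt"] = (bytes.fromhex(reply["session_key"]), bytes.fromhex(reply["tgt"]))

    def get_service_ticket(self, service):
        if service in self.ccache:  # Step 6: reuse a cached service ticket
            return self.ccache[service]
        session_key, tgt = self.ccache["krbtgt"]
        # Step 7, client side: authenticator = user name + timestamp under the session key
        authenticator = encrypt(session_key, {"client": self.user, "timestamp": time.time()})
        reply = decrypt(session_key, self.kdc.tgs_exchange(service, tgt, authenticator))
        self.ccache[service] = (bytes.fromhex(reply["session_key"]), bytes.fromhex(reply["ticket"]))
        return self.ccache[service]

def rejected(request):
    try:
        request()
        return False
    except ValueError:
        return True

def run_demo():
    kdc, svc = KDC("EXAMPLE.COM"), "host/app.example.com"  # constructed realm and names
    kdc.add_principal("alice", "correct horse battery")
    kdc.add_principal(svc, os.urandom(16).hex())  # the service's keytab key
    alice = Client(kdc, "alice", "correct horse battery")
    alice.kinit()
    svc_key, ticket = alice.get_service_ticket(svc)
    body = decrypt(kdc.db[svc], ticket)  # what the application server sees inside the ticket
    session_key, tgt = alice.ccache["krbtgt"]
    # A second authenticator, 1 s older (still fresh) so it cannot collide with the client's own.
    auth = encrypt(session_key, {"client": "alice", "timestamp": time.time() - 1})
    kdc.tgs_exchange(svc, tgt, auth)  # first presentation is accepted; the replay below is not
    return {"tgt_cached": "krbtgt" in alice.ccache, "ticket_client": body["client"],
            "keys_match": bytes.fromhex(body["session_key"]) == svc_key,
            "wrong_password_rejected": rejected(Client(kdc, "alice", "wrong password").kinit),
            "replay_rejected": rejected(lambda: kdc.tgs_exchange(svc, tgt, auth))}
```

Running run_demo() exercises the three features listed above: the password only ever feeds string_to_key on the client, a wrong password produces a pre-auth blob the AS cannot open (so no TGT comes back), and the TGT travels as an opaque blob under the TGS key that the client merely forwards. The final dictionary also shows that the service's copy of the session key, recovered from the ticket with the service's own key, matches the one the client got from the TGS reply.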