Kerberos Server Version 3.12 Administrator's Guide
Overview
Authentication Process
• Server, which indicates the TGS
• Time stamp
• Nonce
Step 2. If the AS decrypts the message successfully, it authenticates the
requesting user and issues a TGT. The reply contains the TGT, a session key
for your use, and the name of the server (the TGS) to be used for any
subsequent communication. The part of the reply intended for you is
encrypted using your secret key; the TGT itself is encrypted in the key of
the TGS, which the client does not hold.
Step 3. The client decrypts the message using your secret key. The TGT and the
session key from the message are stored in the client’s credential cache.
These credentials are used to obtain tickets for each network service the
principal wants to access.
The Kerberos protocol exchange has the following important features:
• The authentication scheme does not require that the password be
sent across the network, either in encrypted form or in clear text.
• The client (or any other user) cannot view or modify the contents of
the TGT.
Step 4. To obtain access to a secured network service such as rlogin, rsh, rcp,
ftp, or telnet, the requesting client application uses the previously
obtained TGT in a dialogue with the TGS to obtain a service ticket. The
protocol is the same as that used to obtain the TGT, except that the
request contains the name of the service, a copy of the previously
obtained TGT, and an authenticator encrypted in the TGT session key,
which proves that the client holds that key.
Step 5. The TGS returns a new service ticket, encrypted in the service's key,
that the application client can use to authenticate to the service.
Step 6. The application client presents the service ticket, together with an
authenticator encrypted in the session key, to the application server. The
server decrypts the ticket using its service key, which is stored in its
keytab file, extracts the session key, decrypts the authenticator with it,
and verifies the identity of the user. It also verifies that the user's
service ticket has not expired. If the user does not have a valid service
ticket, the server returns an appropriate error code to the client.
Step 7. (Optional) At the client's request, the application server can also return
the timestamp sent by the client, encrypted in the session key. Only a server
holding the service key could have extracted the session key from the
ticket, so this provides mutual authentication between the client and the
server.
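The seven steps above as one runnable exchange, written here as an added example; it is not the HP-UX Kerberos Server's code and follows the protocol only in outline. The Step 1-2 request is modelled as a timestamp encrypted in the user's key, so a wrong password makes the AS's decryption fail as Step 2 describes; the TGT and the service ticket are encrypted in the TGS's and the service's keys, so the client can carry them but not read or alter them; the TGS and the application server run the same expiry and authenticator checks; and Step 7 returns the client's timestamp under the session key. The realm EXAMPLE.COM, the principals alice and host/db1, the password, the 8-hour lifetime, the 5-minute clock skew, and the seal()/unseal() stand-in for a Kerberos encryption type are all assumptions made for this example.

```python
"""Toy model of the AS, TGS and AP exchanges in Steps 1-7: an added example, not HP-UX product code."""
import hashlib, hmac, json, secrets, time

LIFETIME = 8 * 3600  # ticket lifetime in seconds (assumed value)
SKEW = 300           # tolerated clock skew for timestamps (assumed value)

def _xor_stream(key, nonce, data):  # SHA-256 in counter mode, standing in for a Kerberos enctype
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, b"".join(blocks)))

def seal(key, obj):
    """Encrypt-then-MAC a JSON message: readable and modifiable only by holders of `key`."""
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, json.dumps(obj, sort_keys=True).encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("decryption failed: wrong key or modified message")
    return json.loads(_xor_stream(key, nonce, ct))

def check(ticket, auth, sname):
    """Checks every server makes on a ticket plus its authenticator (Steps 4 and 6)."""
    if ticket["sname"] != sname or ticket["cname"] != auth["cname"]:
        raise ValueError("ticket/authenticator mismatch")
    if ticket["end"] < time.time() or abs(auth["ts"] - time.time()) > SKEW:
        raise ValueError("ticket expired or authenticator outside clock skew")

class KDC:  # Authentication Server (AS) and Ticket-Granting Server (TGS) of one realm
    def __init__(self, realm, keys):
        self.tgs = "krbtgt/" + realm
        self.keys = {**keys, self.tgs: secrets.token_bytes(32)}

    def _issue(self, cname, sname, reply_key, nonce):
        """Mint a session key; the ticket is sealed in sname's key (opaque to the client), the reply in reply_key."""
        sk, end = secrets.token_bytes(32), time.time() + LIFETIME
        ticket = seal(self.keys[sname], {"cname": cname, "sname": sname, "key": sk.hex(), "end": end})
        return ticket, seal(reply_key, {"key": sk.hex(), "sname": sname, "nonce": nonce, "end": end})

    def as_exchange(self, cname, preauth, nonce):
        """Steps 1-2: the timestamp is sealed in the user's key, so it opens only if the password was right."""
        ukey = self.keys[cname]
        if abs(unseal(ukey, preauth)["ts"] - time.time()) > SKEW:
            raise ValueError("pre-authentication timestamp outside clock skew")
        return self._issue(cname, self.tgs, ukey, nonce)

    def tgs_exchange(self, tgt, authenticator, sname, nonce):
        """Steps 4-5: the TGS opens the TGT with its own key and issues a service ticket."""
        t = unseal(self.keys[self.tgs], tgt)
        tgs_sk = bytes.fromhex(t["key"])
        check(t, unseal(tgs_sk, authenticator), self.tgs)
        return self._issue(t["cname"], sname, tgs_sk, nonce)

class AppServer:
    def __init__(self, sname, keytab_key):
        self.sname, self.key = sname, keytab_key  # the service key as stored in the keytab file

    def accept(self, ticket, authenticator):
        """Steps 6-7: open the ticket with the service key, verify the authenticator, prove ourselves back."""
        t = unseal(self.key, ticket)
        sk = bytes.fromhex(t["key"])
        auth = unseal(sk, authenticator)
        check(t, auth, self.sname)
        return seal(sk, {"ts": auth["ts"]})  # Step 7: the client's timestamp under the session key

class Client:
    def __init__(self, cname, password):
        self.cname, self.ccache = cname, {}
        self.key = hashlib.pbkdf2_hmac("sha256", password.encode(), cname.encode(), 100_000)  # string-to-key stand-in

    def _store(self, key, ticket, enc, nonce):  # Step 3: decrypt the reply, cache ticket + session key
        rep = unseal(key, enc)
        if rep["nonce"] != nonce:
            raise ValueError("reply nonce mismatch (replayed reply?)")
        self.ccache[rep["sname"]] = (ticket, bytes.fromhex(rep["key"]))

    def kinit(self, kdc):  # Step 1: only a timestamp sealed in the derived key goes on the wire, never the password
        nonce = secrets.randbits(32)
        self._store(self.key, *kdc.as_exchange(self.cname, seal(self.key, {"ts": time.time()}), nonce), nonce)

    def get_service_ticket(self, kdc, sname):  # Step 4: TGT plus an authenticator under the TGT session key
        tgt, sk = self.ccache[kdc.tgs]
        nonce = secrets.randbits(32)
        self._store(sk, *kdc.tgs_exchange(tgt, seal(sk, {"cname": self.cname, "ts": time.time()}), sname, nonce), nonce)

    def connect(self, server):  # client side of Steps 6-7: True only if the server proves it holds the service key
        ticket, sk = self.ccache[server.sname]
        ts = time.time()
        return unseal(sk, server.accept(ticket, seal(sk, {"cname": self.cname, "ts": ts})))["ts"] == ts

def demo():  # kinit -> service ticket -> mutual authentication against a constructed realm; returns True
    host_key = secrets.token_bytes(32)  # one copy in the KDC database, one in the host's keytab
    alice, server = Client("alice", "correct horse"), AppServer("host/db1", host_key)
    kdc = KDC("EXAMPLE.COM", {"alice": alice.key, "host/db1": host_key})  # KDC holds the same long-term keys
    alice.kinit(kdc)
    alice.get_service_ticket(kdc, "host/db1")
    return alice.connect(server)
```

demo() runs the whole sequence and returns True. Two failure modes are worth trying by hand: construct Client("alice", "wrong") and call kinit(), and the AS raises at Step 2 because the pre-authentication data does not decrypt; take the cached TGT from alice.ccache and unseal() it with the TGT session key, and that raises too, because only the krbtgt key opens a TGT.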