Kerberos White Paper

Step 4. To obtain access to a secured network service such as rlogin, rsh, rcp, ftp, or
telnet, the requesting client application uses the previously obtained TGT in a dialogue with the
TGS to obtain a service ticket. The exchange is the same as the one used to obtain the TGT, except that
the request carries the name of the server and a copy of the previously obtained TGT.
Step 5. The TGS returns a new service ticket that the application client can use to authenticate
itself to the service.
Step 6. The application client tries to authenticate to the service on the application server using the
service ticket obtained from the TGS.
The secure application validates the service ticket using the server’s service key present in the keytab
file. Using this service key, the server decrypts the ticket, recovers the session key it contains, decrypts
the authenticator with that session key, and verifies the identity of the user. It also verifies that the
user’s service ticket has not expired. If the user does not have a valid service ticket, the server returns
an appropriate error code to the client.
Step 7. (Optional) At the client’s request, the application server can also return the time stamp the
client sent in its authenticator, encrypted in the session key. Because only a holder of the service key
could have recovered that session key, this provides mutual authentication between the client and
the application server.
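The service-ticket and application exchange of steps 4 through 7, worked through as an added example; this is not code from the white paper or from HP's Kerberos products. Messages are modelled as Python dictionaries, a throw-away HMAC-SHA256 stream cipher with an integrity tag stands in for the RFC 1510 encryption, the keys are generated at load time, and the principal names (alice@EXAMPLE.COM, host/app.example.com) are hypothetical. The error codes returned are the RFC 1510 names; the 5-minute clock-skew limit is a commonly used value, not something the paper states.

```python
# Toy model of Kerberos V5 steps 4-7 (TGS-REQ/REP, AP-REQ/REP).  Added example, not HP's
# code: dicts for messages and an HMAC-SHA256 stream cipher stand in for RFC 1510 encoding.
import hashlib, hmac, json, os

SKEW = 300             # seconds of clock difference a server tolerates (5 min is common)
TICKET_LIFE = 8 * 3600

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    """Stand-in authenticated encryption: nonce || ciphertext || HMAC tag."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    """Raises ValueError when the key is wrong or the blob was altered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed keys: the TGS key lives only in the KDC; the service key is in the KDC
# database and in the application server's keytab file (same key, two copies).
TGS_KEY = os.urandom(32)
SERVICE = "host/app.example.com"      # hypothetical service principal
KDC_DB = {SERVICE: os.urandom(32)}
KEYTAB = {SERVICE: KDC_DB[SERVICE]}   # the server's copy

def make_tgt(client, tgs_session_key, now):
    """Stands in for the AS exchange (steps 1-3): a TGT sealed under the TGS key."""
    return encrypt(TGS_KEY, {"cname": client, "key": tgs_session_key.hex(), "endtime": now + TICKET_LIFE})

def validate(ticket, auth, now):
    """Checks the TGS applies to a TGT and a server applies to a service ticket:
    authenticator names the ticket's client, is fresh, and the ticket is unexpired."""
    if auth["cname"] != ticket["cname"]:
        return "KRB_AP_ERR_BADMATCH"
    if abs(now - auth["ctime"]) > SKEW:
        return "KRB_AP_ERR_SKEW"
    if now > ticket["endtime"]:
        return "KRB_AP_ERR_TKT_EXPIRED"
    return None

def tgs_exchange(client, sname, tgt, tgs_session_key, now):
    """Steps 4-5: client sends sname + TGT + authenticator; the TGS answers with a
    service ticket sealed under the service key and the new session key for the client."""
    req = {"sname": sname, "tgt": tgt,
           "authenticator": encrypt(tgs_session_key, {"cname": client, "ctime": now})}
    tgt_body = decrypt(TGS_KEY, req["tgt"])
    sess = bytes.fromhex(tgt_body["key"])
    err = validate(tgt_body, decrypt(sess, req["authenticator"]), now)
    if err:
        return {"error": err}
    new_key = os.urandom(32)
    ticket = encrypt(KDC_DB[req["sname"]], {"cname": tgt_body["cname"], "key": new_key.hex(),
                                            "endtime": min(tgt_body["endtime"], now + TICKET_LIFE)})
    return {"ticket": ticket, "enc_part": encrypt(sess, {"key": new_key.hex(), "sname": sname})}

def app_server_accept(ap_req, now, mutual=True):
    """Steps 6-7: unseal the ticket with the keytab key, decrypt the authenticator with the
    session key inside, validate, then optionally echo the timestamp (AP-REP) under that key."""
    try:
        ticket = decrypt(KEYTAB[ap_req["sname"]], ap_req["ticket"])
        session_key = bytes.fromhex(ticket["key"])
        auth = decrypt(session_key, ap_req["authenticator"])
    except ValueError:
        return {"error": "KRB_AP_ERR_BAD_INTEGRITY"}
    err = validate(ticket, auth, now)
    if err:
        return {"error": err}
    rep = {"ok": True, "client": ticket["cname"]}
    if mutual:
        rep["ap_rep"] = encrypt(session_key, {"ctime": auth["ctime"]})
    return rep

def client_login(client, sname, now, delay=0.0):
    """Drives steps 4-7 end to end; `delay` is the seconds between obtaining the
    service ticket and presenting it, so a large value hits the expired-ticket path."""
    tgs_session_key = os.urandom(32)
    rep = tgs_exchange(client, sname, make_tgt(client, tgs_session_key, now), tgs_session_key, now)
    if "error" in rep:
        return rep
    session_key = bytes.fromhex(decrypt(tgs_session_key, rep["enc_part"])["key"])
    use_time = now + delay
    ap_req = {"sname": sname, "ticket": rep["ticket"],
              "authenticator": encrypt(session_key, {"cname": client, "ctime": use_time})}
    result = app_server_accept(ap_req, use_time)
    if "ap_rep" in result:
        # Only a holder of the keytab key could recover the session key and echo our timestamp.
        result["server_authenticated"] = decrypt(session_key, result["ap_rep"])["ctime"] == use_time
    return result
```

Calling `client_login("alice@EXAMPLE.COM", SERVICE, 1_700_000_000.0)` returns a successful result with `server_authenticated` set; the same call with `delay=9 * 3600` makes the server reject the ticket with `KRB_AP_ERR_TKT_EXPIRED`, which is the "appropriate error code" path described under step 6. Note that the server never contacts the KDC: the keytab key alone is enough to unseal the ticket, which is why protecting the keytab file is as important as protecting a password.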
Kerberos Products on HP-UX
HP-UX supports the following Kerberos products. All HP-UX Kerberos products conform to the IETF
specification for Kerberos Version 5 and are compliant with IETF RFC 1510.
PAM Kerberos
Kerberos Client Software
HP Kerberos Server Version 3.1
Generic Security Service Application Programming Interface (GSS-API)
The Kerberos implementation of PAM is based on RFC 86.0 of the Open Software Foundation. PAM
allows multiple authentication technologies to co-exist on HP-UX.
The PAM framework allows options for account, session, password, and authentication management.
PAM uses the Kerberos protocol for authentication management.
PAM Kerberos (PAM-Kerberos)