Network Security Features of HP-UX 11i v1 and 11i v2
HP Kerberos
The Kerberos protocol provides enterprise-wide strong user authentication by validating user passwords
without transmitting the password over the network in clear text. Kerberos technology is based on the
client-server architecture. It ensures secure communication in a networked environment by leveraging
individual trust relationships. It then brokers this trust across enterprise-wide distributed client-server
networks.
The HP Kerberos product suite includes the following:
• Kerberos Server
• HP implementation of Kerberos v5 client libraries and utilities
• HP implementation of PAM Kerberos
• Kerberized Internet Services
• GSS-API
Figure 4 illustrates the Kerberos authentication sequence. The Key Distribution Center (KDC) has two
components, an Authentication Server (AS) and a Ticket Granting Server (TGS). The application client is
a login process acting on behalf of the user. The application server is a program that can be either a user
or a service.
Figure 4: The Kerberos Protocol
Kerberos works by assigning a unique shared secret key and a token, called a ticket, to each client that
logs on to the network. The ticket is then embedded in messages to identify the sender of the message.
[Figure 4: diagram of the KDC (Authentication Server and Ticket Granting Service), the application client and the application server, with the six numbered exchanges listed below]
1. Client requests login-session credentials from the AS
2. AS sends the TGT and the login-session key
3. Client submits the TGT and an authenticator to the TGS, requesting credentials for the application server
4. TGS sends the service ticket and a session key
5. Client submits the service ticket and an authenticator to the application server, requesting service
6. Application server sends its own authenticator (if mutual authentication is required)
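The six-step exchange above as an added example, not code from the HP document: a Python simulation in which the client, KDC (AS and TGS) and application server are functions, a toy cipher stands in for the Kerberos encryption types, and the principals alice, krbtgt and host/app and every key are constructed. It shows the property the text stresses: the password-derived key never leaves the client, and each party only opens what was sealed for it.

```python
# Toy simulation of the six-step exchange in Figure 4; names, keys and the cipher are constructed stand-ins.
import hashlib, hmac, json, os, time

def _enc(key, obj):
    # Toy authenticated encryption (SHA-256 keystream + HMAC tag), standing in for Kerberos enctypes.
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def _dec(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

# KDC key database (constructed). A user's key is derived from the password; it never crosses the wire.
KDC_KEYS = {"alice": hashlib.sha256(b"alice-password").digest(),
            "krbtgt": os.urandom(32), "host/app": os.urandom(32)}

def as_exchange(client):  # steps 1-2: AS returns the TGT plus a login-session key, sealed under the user key
    sk = os.urandom(32)
    tgt = _enc(KDC_KEYS["krbtgt"], {"client": client, "key": sk.hex()})
    return _enc(KDC_KEYS[client], {"session_key": sk.hex(), "tgt": tgt.hex()})

def tgs_exchange(tgt, authenticator, service):  # steps 3-4: TGS issues a service ticket
    ticket = _dec(KDC_KEYS["krbtgt"], tgt)  # only the KDC can open the TGT
    auth = _dec(bytes.fromhex(ticket["key"]), authenticator)  # proves possession of the session key
    if auth["client"] != ticket["client"] or abs(time.time() - auth["ts"]) > 300:
        raise ValueError("authenticator does not match TGT or is stale")
    svc_key = os.urandom(32)
    st = _enc(KDC_KEYS[service], {"client": ticket["client"], "key": svc_key.hex()})
    return _enc(bytes.fromhex(ticket["key"]), {"service_key": svc_key.hex(), "ticket": st.hex()})

def ap_exchange(service, ticket, authenticator):  # steps 5-6: server checks the ticket, replies for mutual auth
    st = _dec(KDC_KEYS[service], ticket)
    auth = _dec(bytes.fromhex(st["key"]), authenticator)
    if auth["client"] != st["client"]:
        raise ValueError("authenticator client does not match ticket")
    return _enc(bytes.fromhex(st["key"]), {"ts": auth["ts"]})  # echoing the timestamp proves the server's identity

def kerberos_login(client, password, service="host/app"):
    """Client side of all six steps; True when the server's mutual-authentication reply checks out."""
    ukey = hashlib.sha256(password.encode()).digest()
    rep = _dec(ukey, as_exchange(client))  # a wrong password fails here, on the client, with a bad tag
    sk, tgt, ts = bytes.fromhex(rep["session_key"]), bytes.fromhex(rep["tgt"]), time.time()
    trep = _dec(sk, tgs_exchange(tgt, _enc(sk, {"client": client, "ts": ts}), service))
    svc_key, st = bytes.fromhex(trep["service_key"]), bytes.fromhex(trep["ticket"])
    ap_rep = _dec(svc_key, ap_exchange(service, st, _enc(svc_key, {"client": client, "ts": ts})))
    return ap_rep["ts"] == ts
```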