“main” (Installation and Administration) 2004/6/25 13:29 page 658 #684
Note
The original Kerberos was designed at MIT. Besides the MIT Kerberos, several other implementations of Kerberos exist. SUSE LINUX ships with a free implementation of Kerberos 5, the Heimdal Kerberos 5 from KTH. Because the following text covers features common to all versions, the program itself is referred to as Kerberos as long as no Heimdal-specific information is presented.
26.5.1 Kerberos Terminology
The following glossary defines some Kerberos terminology.
credential
    Users or clients need to present some kind of credentials that authorize them to request services. Kerberos knows two kinds of credentials — tickets and authenticators.
ticket
    A ticket is a per-server credential used by a client to authenticate at a server from which it is requesting a service. It contains the name of the server, the client's name, the client's Internet address, a time stamp, a lifetime, and a random session key. All this data is encrypted using the server's key.
authenticator
    Combined with the ticket, an authenticator is used to prove that the client presenting a ticket is really the one it claims to be. An authenticator is built of the client's name, the workstation's IP address, and the workstation's current time, all encrypted with the session key known only to the client and the server from which it is requesting a service. Unlike a ticket, an authenticator can only be used once. A client can build an authenticator itself.
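As an added illustration that is not part of the manual, the following Python model shows how a server consumes the two credentials just defined: it opens the ticket with its own key, takes the session key from inside, opens the authenticator with that session key, checks that the names and addresses agree and the time stamp is fresh, and refuses any authenticator it has already accepted. The cipher is a toy stand-in for Kerberos' real encryption, and the principal names, keys, addresses and the 300-second skew window are all assumed values.

```python
import hashlib
import hmac
import json

MAX_SKEW = 300  # seconds of tolerated clock difference (assumed value, not from the manual)

# Toy keystream cipher standing in for Kerberos' symmetric encryption
# (constructed for this model; no integrity protection, not real Kerberos crypto).
def _keystream(key: bytes, n: int) -> bytes:
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def seal(key: bytes, fields: dict) -> bytes:
    data = json.dumps(fields).encode()
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))

def unseal(key: bytes, blob: bytes) -> dict:
    return json.loads(bytes(a ^ b for a, b in zip(blob, _keystream(key, len(blob)))).decode())

def make_ticket(server_key, server, client, addr, session_key, issued, lifetime):
    # Ticket contents as in the glossary, sealed with the server's key: the client cannot read it.
    return seal(server_key, {"server": server, "client": client, "addr": addr,
                             "issued": issued, "lifetime": lifetime, "skey": session_key.hex()})

def make_authenticator(session_key, client, addr, now):
    # Built by the client itself and sealed with the session key shared only with the server.
    return seal(session_key, {"client": client, "addr": addr, "time": now})

class Server:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key
        self.seen = set()  # (client, time) pairs already accepted: an authenticator is single-use

    def accept(self, ticket: bytes, authenticator: bytes, peer_addr: str, now: int):
        t = unseal(self.key, ticket)
        if t["server"] != self.name or not t["issued"] <= now <= t["issued"] + t["lifetime"]:
            return False, "ticket not valid for this server at this time"
        a = unseal(bytes.fromhex(t["skey"]), authenticator)
        if a["client"] != t["client"] or a["addr"] != t["addr"] or peer_addr != t["addr"]:
            return False, "authenticator does not match ticket"
        if abs(now - a["time"]) > MAX_SKEW:
            return False, "authenticator timestamp outside skew window"
        if (a["client"], a["time"]) in self.seen:
            return False, "authenticator replayed"
        self.seen.add((a["client"], a["time"]))
        return True, "ok"
```

The same ticket can be presented again with a fresh authenticator for as long as its lifetime lasts, which is exactly the reusable-ticket, single-use-authenticator split the glossary describes.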
principal
    A Kerberos principal is a unique entity (a user or service) to which Kerberos can assign a ticket. A principal consists of the following components:
    primary — the first part of the principal, which can be the same as your user name in the case of a user.
    instance — some optional information characterizing the primary. This string is separated from the primary by a /.
658 26.5. Network Authentication — Kerberos