“main” (Installation and Administration) 2004/6/25 13:29 page 661 #687
26 Security in the Network
Mutual Authentication
Kerberos authentication can be used in both directions. It is not only a question of the client being the one it claims to be: the server should also be able to authenticate itself to the client requesting its service. Therefore, it sends some kind of authenticator itself. It adds one to the checksum it received in the client's authenticator and encrypts the result with the session key, which is shared between it and the client. The client takes this response as proof of the server's authenticity, and they both start cooperating.
Ticket Granting — Contacting All Servers
Tickets are designed to be used for one server at a time. This implies that you have to get a new ticket each time you request another service. Kerberos implements a mechanism to obtain tickets for individual servers. This service is called the "ticket-granting service". The ticket-granting service is a service just like any other service mentioned before, so it uses the same access protocols that have already been outlined. Any time an application needs a ticket that has not already been requested, it contacts the ticket-granting server. This request consists of the following components:
the requested principal
the ticket-granting ticket
an authenticator
Like any other server, the ticket-granting server now checks the ticket-granting ticket and the authenticator. If they are considered valid, the ticket-granting server builds a new session key to be used between the original client and the new server. Then the ticket for the new server is built, containing the following information:
the client’s principal
the server’s principal
the current time
the client’s IP address
the newly-generated session key
The new ticket is assigned a lifetime, which is the lesser of the remaining lifetime of the ticket-granting ticket and the default for the service. The client receives this ticket and the session key, which are sent by the ticket-granting service, but this time the answer is
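The two exchanges described above, the ticket-granting request and the server's checksum-plus-one proof of identity, as a toy walk-through in Python. This is an added example, not code from the SUSE manual or from any Kerberos implementation: seal()/unseal() stand in for Kerberos' real encryption, the checksum is a plain integer, and every principal name, key, address and timestamp is made up. What it shows that the text does not is where each check happens and what a stale, misdirected or forged message looks like when it is rejected.

```python
"""Toy walk-through of the Kerberos ticket-granting exchange and mutual
authentication. Constructed example, not SUSE's or any KDC's code: seal()/
unseal() are a stand-in for Kerberos' real encryption, and every name, key
and timestamp below is made up."""
import hashlib
import hmac
import json
import os


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Stand-in authenticated encryption: nonce || ciphertext || HMAC tag."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Reject anything not sealed under `key` (wrong key or tampering)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


# Made-up principals and long-term keys (the KDC shares each server's key with that server).
CLIENT = "alice@EXAMPLE.COM"
TGS = "krbtgt/EXAMPLE.COM@EXAMPLE.COM"
SERVER = "host/www.example.com@EXAMPLE.COM"
LONG_TERM_KEY = {TGS: os.urandom(32), SERVER: os.urandom(32)}
DEFAULT_LIFETIME = {SERVER: 8 * 3600}   # per-service default, in seconds (assumed value)
CLOCK_SKEW = 300                         # authenticator freshness window (assumed value)


def make_ticket(server, client, session_key, client_ip, now, lifetime) -> bytes:
    """Ticket with the fields listed in the text, sealed under the target server's key."""
    return seal(LONG_TERM_KEY[server], {"client": client, "server": server, "time": now,
                                        "ip": client_ip, "session_key": session_key.hex(),
                                        "lifetime": lifetime})


def make_authenticator(session_key, client, now, checksum) -> bytes:
    """Client proves it holds the session key; checksum is a plain integer here."""
    return seal(session_key, {"client": client, "time": now, "checksum": checksum})


def check_ticket_and_authenticator(server, ticket, authenticator, now, client_ip):
    """The check every Kerberos server performs before trusting a request."""
    t = unseal(LONG_TERM_KEY[server], ticket)
    if t["server"] != server or now >= t["time"] + t["lifetime"]:
        raise ValueError("ticket not for this server or expired")
    if t["ip"] != client_ip:
        raise ValueError("ticket bound to a different client address")
    session_key = bytes.fromhex(t["session_key"])
    auth = unseal(session_key, authenticator)
    if auth["client"] != t["client"] or abs(now - auth["time"]) > CLOCK_SKEW:
        raise ValueError("authenticator principal mismatch or stale")
    return t, auth, session_key


def tgs_exchange(requested, tgt, authenticator, now, client_ip):
    """Ticket-granting server: validate TGT + authenticator, mint a session key and ticket."""
    t, _, _ = check_ticket_and_authenticator(TGS, tgt, authenticator, now, client_ip)
    remaining = t["time"] + t["lifetime"] - now
    lifetime = min(remaining, DEFAULT_LIFETIME[requested])   # the lesser of the two
    new_session_key = os.urandom(32)
    ticket = make_ticket(requested, t["client"], new_session_key, client_ip, now, lifetime)
    return ticket, new_session_key, lifetime


def server_respond(server, ticket, authenticator, now, client_ip) -> bytes:
    """Application server proves itself: checksum + 1 under the shared session key."""
    _, auth, session_key = check_ticket_and_authenticator(server, ticket, authenticator, now, client_ip)
    return seal(session_key, {"checksum": auth["checksum"] + 1})


def client_accepts(session_key, reply, checksum) -> bool:
    """Client side of mutual authentication: only the real server can produce checksum + 1."""
    try:
        return unseal(session_key, reply)["checksum"] == checksum + 1
    except ValueError:
        return False


def demo():
    """Full flow with fixed timestamps: TGT issued at t=1000 for 600 s, used at t=1100."""
    ip, tgt_key = "192.0.2.10", os.urandom(32)
    tgt = make_ticket(TGS, CLIENT, tgt_key, ip, now=1000, lifetime=600)
    ticket, sk, lifetime = tgs_exchange(SERVER, tgt, make_authenticator(tgt_key, CLIENT, 1100, 7), 1100, ip)
    reply = server_respond(SERVER, ticket, make_authenticator(sk, CLIENT, 1101, 42), 1101, ip)
    forged = seal(os.urandom(32), {"checksum": 43})   # impostor without the session key
    return {"lifetime": lifetime, "server_ok": client_accepts(sk, reply, 42),
            "forged_ok": client_accepts(sk, forged, 42)}


if __name__ == "__main__":
    print(demo())
```

With the TGT issued at t=1000 for 600 seconds and presented at t=1100, the service ticket gets a lifetime of 500 seconds, since the TGT's remaining 500 seconds is less than the service default of eight hours. The client address is carried inside the sealed ticket, so a ticket replayed from another address is refused before the authenticator is even looked at.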
661 SUSE LINUX Enterprise Server