Why Kerberos is needed.
Kerberos has two
purposes: security and authentication. On most computer systems, a
password is used to prove a user's identity; on a distributed network
system, like Athena, this password must be transmitted over the network,
from the workstation being used, to any other machines containing files
or programs the user wants access to. Because this password is the one
secret piece of information that identifies a user, anyone knowing a
user's password can effectively be that user on Athena, reading
their files, sending mail as that user, etc. Please note that THE
ELECTRONIC COMMUNICATION PRIVACY ACT of 198 does make this a Federal
crime punishable by all kinds of nasty stuff you don't want to be
punished by. No kidding.
Obviously, it is therefore necessary to prevent anyone from intercepting
or eavesdropping on the transmitted password. In addition, it is
necessary to provide a means of authenticating users: any time a
user requests a service, such as mail, they must prove their
identity. This is done with Kerberos, and this is why you get your
mail and no one else's.
A Few Handy Definitions
We have now used two pieces of jargon in
one paragraph, and at this point you will probably want to learn the
meanings of a few terms that will be used in this section.
- user: A person using a computer system. A user, through her
workstation, may make a series of requests to several servers. This
user, we assume, would like to avoid retyping her password every time
she makes such a request.
- service: Very simply, a service is a program or set of programs,
running on a computer which is accessible over the network. A user will
request a service from the workstation which she is using; the service
will want to be sure that it is really being used by that user.
- principal: A principal is some entity which can prove its own
identity and verify the identity of other principals. Each user
and each service registered with Kerberos is a principal,
since Kerberos provides the authentication services required.
- ticket: Once a user has proved her identity to Kerberos with her
password, Kerberos sends a block of encoded data, called a ticket,
to the user. It is this ticket that is used to prove a user's identity
to a service. Tickets are stored in the /tmp/ directory and are
erased upon logout. (You will get a message in your console window that
says Tickets destroyed.) Tickets will expire after 10 hours.
- authenticator: When a user tries to use a service, her
workstation sends a block of data called an authenticator, built
from the Kerberos ticket and containing a timestamp and the name
of the workstation, to that service. The service decodes it, verifies
that the user is who she says she is, and then lets that user, at that
workstation, use the service.
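The ticket and authenticator definitions above describe a complete exchange: the user proves her identity to Kerberos, receives a ticket she cannot read, and later hands that ticket to a service together with a freshly built authenticator. The following Python program is an added illustration of that flow and is not code from the Athena documentation or from MIT Kerberos; it does not use the real Kerberos message formats or ciphers. Everything in it is constructed for the example: the user name jrandom, the service name pop/mail.example, the workstation name ws1.example, the password, the toy symmetric cipher (HMAC-SHA256 keystream plus an HMAC tag), and the five-minute clock-skew window. The 10-hour ticket lifetime is the one figure taken from the page.

```python
import hashlib
import hmac
import json
import os
import time

TICKET_LIFETIME = 10 * 3600   # page: tickets expire after 10 hours
CLOCK_SKEW = 300              # assumption: authenticator timestamp must be within 5 minutes

# Toy authenticated encryption, constructed for this example only (not Kerberos's crypto):
# XOR with an HMAC-SHA256 keystream, then an HMAC tag over nonce and ciphertext.
def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt(key, obj):
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag

def decrypt(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("bad tag: wrong key or tampered data")
    return json.loads(bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body)))))

def password_key(password):
    return hashlib.sha256(password.encode()).digest()   # toy string-to-key function

class KDC:
    """Kerberos itself: knows every principal's secret key, hands out tickets."""
    def __init__(self):
        self.keys = {}
    def register(self, principal, key):
        self.keys[principal] = key
    def get_ticket(self, user, service, now):
        if user not in self.keys:
            raise KeyError("Principal unknown (Kerberos)")
        session_key = os.urandom(32)
        expires = now + TICKET_LIFETIME
        # The ticket is sealed under the service's key, so the user cannot read or alter it.
        ticket = encrypt(self.keys[service], {"user": user, "skey": session_key.hex(), "expires": expires})
        # The reply is sealed under the user's password-derived key: only the real user can open it,
        # and the password itself never crosses the network.
        return encrypt(self.keys[user], {"skey": session_key.hex(), "expires": expires, "ticket": ticket.hex()})

def make_authenticator(session_key, user, workstation, now):
    """Built by the workstation for each request: user, workstation name and a timestamp."""
    return encrypt(session_key, {"user": user, "workstation": workstation, "time": now})

class Service:
    def __init__(self, name, key):
        self.name, self.key, self.seen = name, key, set()   # seen: replay cache
    def verify(self, ticket, authenticator, now):
        t = decrypt(self.key, ticket)                        # only the service can open the ticket
        if now > t["expires"]:
            return False, "ticket expired"
        a = decrypt(bytes.fromhex(t["skey"]), authenticator)  # session key comes from the ticket
        if a["user"] != t["user"]:
            return False, "authenticator name does not match ticket"
        if abs(now - a["time"]) > CLOCK_SKEW:
            return False, "authenticator timestamp outside allowed skew"
        if (a["user"], a["workstation"], a["time"]) in self.seen:
            return False, "replayed authenticator"
        self.seen.add((a["user"], a["workstation"], a["time"]))
        return True, f"{a['user']} at {a['workstation']} authenticated to {self.name}"

def demo():
    """Runs the exchange and returns which checks passed (True) or were rejected (False)."""
    kdc, mail_key, now = KDC(), os.urandom(32), int(time.time())
    kdc.register("jrandom", password_key("constructed-password"))
    kdc.register("pop/mail.example", mail_key)
    mail = Service("pop/mail.example", mail_key)
    results = {}
    try:                                                     # unregistered user, as on the page
        kdc.get_ticket("nobody", "pop/mail.example", now)
        results["unknown_principal_rejected"] = False
    except KeyError:
        results["unknown_principal_rejected"] = True
    reply_blob = kdc.get_ticket("jrandom", "pop/mail.example", now)
    try:                                                     # wrong password cannot open the reply
        decrypt(password_key("wrong-password"), reply_blob)
        results["wrong_password_rejected"] = False
    except ValueError:
        results["wrong_password_rejected"] = True
    reply = decrypt(password_key("constructed-password"), reply_blob)
    ticket, skey = bytes.fromhex(reply["ticket"]), bytes.fromhex(reply["skey"])
    auth = make_authenticator(skey, "jrandom", "ws1.example", now)
    results["first_use_accepted"] = mail.verify(ticket, auth, now)[0]
    results["replay_rejected"] = not mail.verify(ticket, auth, now + 1)[0]
    late = now + TICKET_LIFETIME + 1                         # after the 10-hour lifetime
    results["expired_rejected"] = not mail.verify(ticket, make_authenticator(skey, "jrandom", "ws1.example", late), late)[0]
    return results

if __name__ == "__main__":
    print(demo())
```

The point the definitions make is visible in `Service.verify`: the service never sees the password, it trusts the ticket only because it decrypts under the service's own key, and the authenticator's timestamp and the replay cache are what stop an eavesdropper from reusing a captured ticket.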
These are the basics of how Kerberos works -- for the most part,
you'll see none of it, which is a nice feature. For a longer and more
technical explanation, you can look in:
/mit/kerberos/doc/techplan
Once you are registered with Kerberos, the login program obtains
tickets for you every time you log into a workstation. You can also manually
obtain new tickets (which you usually do only if your old ones have
expired, 10 hours after you log in) by running the program renew.
You can also use kinit, which prompts for a username, requests an
initial ticket from Kerberos, and then asks for your password. If
you are not registered with Kerberos, it will print Principal
unknown (Kerberos). Unless you mistype your username, this should not
happen. To correct this, or any other errors, contact a Consultant or
the Athena Accounts Administrator.
mkgray@