This is a survival guide to Kerberos and specifically Kerberos V (or Kerberos 5). The previous version - Kerberos IV (Kerberos 4) - is significantly different and is not described here.
Kerberos 5 (hereafter called Kerberos only) is a network Authentication and Authorization system defined by RFC 4120 (augmented by RFC 4537 and RFC 5021). In addition Kerberos defines an API (Application Program Interface) which enables Kerberos-aware applications to directly invoke the Kerberos service. This interface is called GSSAPI (General Security System Application Program Interface) and is defined by RFC 4121. GSSAPI is also widely used to support other, non-Kerberos, security systems. Kerberos is used widely throughout the LAN and wide-area networking world and perhaps most notably in Windows since Windows 2000.
And for the insatiably curious: the name Kerberos is a corruption of Cerberus which was a 3-headed dog in ancient Greek Mythology that guarded the gates of Hades - to stop people leaving when they discovered it was not too much fun after all.
Figure 1: Kerberos Transaction Overview
The numbers in the following description relate to Figure 1 above:
When the user performs a logon at a Kerberos Client (1) they will enter a username (called a principal in Kerberos speak) and typically a password (other methods such as hardware tokens may also be supported). The Kerberos system initiates a dialog with an Authentication Server (2) which is logically part of the Kerberos Key Distribution Center (5). During this dialog - shown in Figure 2 and described in detail - the user's password is never exposed on the network:
Figure 2: Kerberos Initial Logon Transaction
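The logon dialog described above, reduced to its core as an added Python example (not code from the original page or from any Kerberos implementation): the client sends only the principal name, the Authentication Server replies with a session key sealed under the key derived from the user's password, and the client derives that key locally to open the reply. The PBKDF2 derivation and HMAC-based cipher are stand-ins for the real Kerberos string-to-key and encryption types, and the names `logon`, `as_reply`, `KDC_DB` and the sample account are assumptions.

```python
import hashlib, hmac, os

def string_to_key(password, principal):
    # Stand-in for Kerberos string-to-key: password + principal salt -> long-term key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 4096)

def _stream(key, nonce, n):
    # Toy keystream from HMAC-SHA256 in counter mode (stand-in cipher, not a Kerberos enctype).
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("reply does not decrypt: wrong password or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

# Constructed sample account; the KDC stores the derived key, not the password.
PRINCIPAL, PASSWORD = "alice@EXAMPLE.COM", "correct horse battery"
KDC_DB = {PRINCIPAL: string_to_key(PASSWORD, PRINCIPAL)}

def as_reply(request):
    # Authentication Server: look up the principal's key, issue a fresh session key.
    session_key = os.urandom(32)
    return seal(KDC_DB[request.decode()], session_key), session_key

def logon(principal, password):
    wire = [principal.encode()]                   # request: principal name only
    reply, issued = as_reply(wire[0])
    wire.append(reply)                            # reply: sealed under the user's key
    session_key = unseal(string_to_key(password, principal), reply)
    return session_key, issued, wire

if __name__ == "__main__":
    key, issued, wire = logon(PRINCIPAL, PASSWORD)
    print("session key recovered:", key == issued)
    print("password on the wire:", any(PASSWORD.encode() in m for m in wire))
```

A wrong password produces a different derived key, so `unseal` rejects the reply and the logon fails without the password ever having been sent.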
Once upon a time
Copyright © 1994 - 2009 ZyTrax, Inc. All rights reserved. Page modified: April 28 2009.