Kerberos

Kerberos is a standards-based, lightweight, efficient, multi-platform enterprise authentication system built on strong symmetric cryptography.

Kerberos V

Kerberos V is a network authentication protocol designed by MIT to provide strong authentication for client/server applications using secret-key (symmetric) cryptography. It is the basis for authentication at Penn State, not LDAP. When a user tries to sign into a service that requires authentication, it is the client that requests authentication from a Kerberos Key Distribution Center (KDC) server. Kerberos answers that request with encrypted data that only the user can unlock using his or her Access Account or Friends of Penn State account password. Passwords are never sent over the network. What is sent instead is a short-lived token called a ticket, which the KDC encrypts with the user's password. The first ticket the KDC issues to a user at login is the Ticket-Granting Ticket (TGT). A TGT can be used to request additional tickets, called service tickets, which are then presented to the servers that provide other functionality. Once the user supplies the correct information (the password) to decrypt the TGT, he or she can access any service that is Kerberized (configured to accept Kerberos tickets for authentication). For more on LDAP, see the section on Authorization.
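The flow described above (login against the KDC, a TGT that the client cannot read, service tickets obtained without retyping the password, and a Kerberized service that validates a ticket with only its own key) as a runnable model. This is an added example, not Penn State's or MIT's code: a toy encrypt-then-MAC construction built from hashlib and hmac stands in for the real Kerberos encryption types, PBKDF2 stands in for the real string2key function, tickets are JSON rather than ASN.1, and the realm, principal names and password are constructed sample values. As in MIT Kerberos, the client's part of the AS reply is sealed under the key derived from the user's password while the TGT itself is sealed under the KDC's own krbtgt key, which is why a wrong password, a tampered ticket, and a client peeking into its TGT are all rejected.

```python
import hashlib, hmac, json, os, time

REALM, USER, PASSWORD = "EXAMPLE.REALM", "alice", "correct horse battery"  # constructed sample values
SERVICE = "imap/mail.example.realm"                                          # constructed service principal

def string2key(password: str, salt: str) -> bytes:
    # Stand-in for the Kerberos string2key function: password -> the principal's long-term key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode: a toy replacement for the real encryption types (AES, RC4, ...).
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:
    # Toy encrypt-then-MAC: XOR the JSON payload with the keystream, then tag nonce+ciphertext.
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    # Check the tag first: a wrong key or a modified ticket is rejected before anything is decrypted.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def make_authenticator(session_key: bytes, client: str) -> bytes:
    # Proves possession of the session key; the timestamp bounds replay.
    return seal(session_key, {"client": client, "ts": time.time()})

class KDC:
    """Key Distribution Center for one realm: the AS (login) and TGS (service ticket) exchanges."""
    def __init__(self, realm: str, users: dict, services: list, lifetime: int = 8 * 3600):
        self.realm, self.lifetime = realm, lifetime
        # The KDC stores long-term keys derived from passwords, never the passwords themselves.
        self.keys = {u: string2key(pw, realm + u) for u, pw in users.items()}
        self.keys.update({s: os.urandom(32) for s in services})  # service keys (a service's keytab holds a copy)
        self.keys["krbtgt/" + realm] = os.urandom(32)              # the TGT-sealing key, known only to the KDC

    def as_exchange(self, client: str):
        # AS-REQ/AS-REP: the reply is the TGT (sealed under the krbtgt key, opaque to the client)
        # plus the session key sealed under the client's long-term key. No password crosses the wire.
        skey = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt/" + self.realm],
                   {"client": client, "key": skey, "expires": time.time() + self.lifetime})
        return tgt, seal(self.keys[client], {"key": skey})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str):
        # TGS-REQ/TGS-REP: open the TGT with our own key, verify the authenticator with the session
        # key found inside it, then issue a service ticket sealed under the service's key.
        t = unseal(self.keys["krbtgt/" + self.realm], tgt)
        a = unseal(bytes.fromhex(t["key"]), authenticator)
        if a["client"] != t["client"] or t["expires"] < time.time():
            raise ValueError("bad authenticator or expired TGT")
        svc_key = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "key": svc_key, "expires": t["expires"]})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": svc_key, "service": service})

def kinit(kdc: KDC, client: str, password: str) -> dict:
    # Client side of login: derive the key locally and open the KDC's reply with it.
    tgt, enc_part = kdc.as_exchange(client)
    skey = unseal(string2key(password, kdc.realm + client), enc_part)["key"]  # raises on a wrong password
    return {"client": client, "tgt": tgt, "session_key": bytes.fromhex(skey)}  # the credential cache

def get_service_ticket(kdc: KDC, creds: dict, service: str):
    # Ask the TGS for a service ticket using the TGT; still no password involved.
    auth = make_authenticator(creds["session_key"], creds["client"])
    ticket, enc_part = kdc.tgs_exchange(creds["tgt"], auth, service)
    return ticket, bytes.fromhex(unseal(creds["session_key"], enc_part)["key"])

def service_accepts(service_key: bytes, ticket: bytes, authenticator: bytes) -> str:
    # A Kerberized service needs only its own key to validate a ticket: no call back to the KDC.
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or t["expires"] < time.time():
        raise ValueError("ticket rejected")
    return t["client"]

def _rejected(fn) -> bool:
    # True if the operation failed the integrity or validity check.
    try:
        fn(); return False
    except ValueError:
        return True

def run_demo() -> dict:
    # Walk the whole flow and record what the KDC and the service accept or reject.
    kdc = KDC(REALM, {USER: PASSWORD}, [SERVICE])
    imap_key = kdc.keys[SERVICE]  # the service's keytab copy of its key
    out = {"wrong_password_rejected": _rejected(lambda: kinit(kdc, USER, "wrong password"))}
    creds = kinit(kdc, USER, PASSWORD)
    ticket, svc_key = get_service_ticket(kdc, creds, SERVICE)
    out["service_user"] = service_accepts(imap_key, ticket, make_authenticator(svc_key, USER))
    out["tgt_opaque_to_client"] = _rejected(lambda: unseal(creds["session_key"], creds["tgt"]))
    bad = bytearray(ticket); bad[20] ^= 1  # flip one bit inside the sealed service ticket
    out["tampered_ticket_rejected"] = _rejected(lambda: service_accepts(imap_key, bytes(bad), make_authenticator(svc_key, USER)))
    return out
```

Calling `run_demo()` plays the login, the TGS request and the service's check in one process; the same objects would be carried across the network in a real deployment. The service-side check deliberately takes only the service key, the ticket and the authenticator, which is the property that lets a Kerberized server validate a user without contacting the KDC on every connection.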

The Kerberos protocol is also used as the primary authentication system behind other technologies in use at Penn State, including Microsoft Active Directory.

Kerberos was named for the multi-headed dog, sometimes spelled Cerberus (Roman transliteration), known from Greek mythology as the guard to Hades' entrance.

Features

Kerberos V (version 5) supports:

  • Single password for all systems: Users only need to remember one
  • Ticket granting tickets: Users can obtain tickets for multiple services without retyping passwords (thus "Single-Sign-On")
  • Strong encryption to protect both passwords and optionally data
  • Session key management: Applications may use the keys for encryption and integrity checking of data transfer
  • Administrative boundary protection: KDC managers don't depend on the security of all systems to safeguard all other systems; system managers do not need to depend on the security of other Kerberized systems
  • Multiple encryption types, automatically negotiated by the client and KDC, including:
    • DES and 3DES
    • RC4
    • AES
  • Much more...

Penn State Kerberos Realms

AIT runs several Kerberos realms in support of:

  • Penn State Access Accounts (dce.psu.edu)
  • Friends of Penn State accounts (fops.psu.edu)

Update to use Replication

The MIT Kerberos V KDCs used at Penn State were updated to change their method of synchronization. Previously, syncing between the master and its replicas was accomplished by a process called propagation, which made a full copy of the database and sent it to each replica from start to finish. This became very time consuming for a database as large as Penn State's. A patch, provided by the University of Michigan, was applied to implement immediate Kerberos changes, called replication. This means that any Access Account change (password change, lock, add, etc.) is copied individually, making its effect virtually instantaneous and eliminating the delays that the former propagation method caused for daily operations.

Kerberos Utilities