Kerberos authenticates user access to a remote system without sending passwords over the network. This form of authentication, which uses strong encryption, prevents intruders from breaking into systems by capturing passwords.
A fully implemented Kerberos system contains a number of components. This section provides a high-level overview of these components and how they interact with one another.
To set up a secure environment using Kerberos, a network administrator first establishes a Kerberos database on a dedicated system. This system is known as the Kerberos ticket server, KDC (Key Distribution Center) or admin server (short for administrative server). The KDC must be secure, and the Kerberos database itself must be inaccessible by NFS or other disk-sharing protocols. The Kerberos database is the cornerstone of the network security. An attacker that manages to access the Kerberos database can access every machine on the network that uses Kerberos for user authentication.
On the KDC, the network administrator sets a master key that is used to access the Kerberos database itself, and adds database entries for user names and application servers. For each application server, a srvtab file is created and securely moved to the server; this file is used when a user accesses the server and eliminates the need for the server to communicate directly with the KDC whenever a user needs to be authenticated.
On a client system, the user must configure a list of ticket servers for each realm in which they wish to be authenticated. A realm is an administrative space, similar to a DNS domain. Kerberos realms and DNS domains often overlap, and the name of a realm is usually the same as the domain that it applies to, although not always. Realm names are case-sensitive and are almost always uppercase. For example, an application server named apple.yoyodyne.com could be in the realm YOYODYNE.COM. In the realm YOYODYNE.COM, one of the KDCs could be named kerberos.yoyodyne.com. A user usually authenticates in the local realm, but they can use any realm for which a ticket server is listed.
After configuring the client system, the user can get tickets from the KDC. Each ticket lets the user access a particular service or group of services. Initially, the user obtains a ticket-granting ticket, which allows the client system to automatically get server-specific tickets. The user only needs to provide their user name and password to get the ticket-granting ticket. Various client programs like Telnet use the ticket-granting ticket to get server tickets as needed, as long as the ticket-granting ticket has not expired. If the ticket-granting ticket expires, the user may be asked for their user name and password the next time they run an application like Telnet. Kerberos grants ticket-granting tickets to some services automatically, such as Telnet and FTP.
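The ticket flow described above (password once for a ticket-granting ticket, service tickets afterwards, the server checking tickets against its own srvtab without calling the KDC), as an added toy model that is not code from the Cisco suite or from any Kerberos implementation. The realm, principals, key material and the HMAC-based seal() are constructed stand-ins for this illustration; real Kerberos encrypts tickets rather than only MACing them.

```python
import hashlib, hmac, json

def key_from(secret):           # password- or secret-derived key (constructed)
    return hashlib.sha256(secret.encode()).digest()

# Constructed toy realm (assumption): the KDC key table and the srvtab that was
# copied to the application server apple.yoyodyne.com.
KDC_DB = {
    "alice": key_from("alice-password"),       # user key, derived from the password
    "krbtgt": key_from("kdc-tgs-secret"),       # key that seals ticket-granting tickets
    "telnet/apple": key_from("apple-srvtab"),   # service key, also stored in apple's srvtab
}
APPLE_SRVTAB = {"telnet/apple": KDC_DB["telnet/apple"]}

def seal(key, fields):
    """Stand-in for Kerberos encryption: fields are MACed under key (real Kerberos encrypts too)."""
    body = json.dumps(fields, sort_keys=True)
    return {"body": body, "tag": hmac.new(key, body.encode(), "sha256").hexdigest()}

def unseal(key, ticket):
    expect = hmac.new(key, ticket["body"].encode(), "sha256").hexdigest()
    if not hmac.compare_digest(expect, ticket["tag"]):
        raise ValueError("ticket was not sealed with this key")
    return json.loads(ticket["body"])

def kdc_as_exchange(user, now, lifetime=8 * 3600):
    """Login: KDC returns a TGT sealed for itself, wrapped under the user's key."""
    tgt = seal(KDC_DB["krbtgt"], {"user": user, "expires": now + lifetime})
    return seal(KDC_DB[user], {"tgt": tgt})

def kdc_tgs_exchange(tgt, service, now, lifetime=3600):
    """Client presents the TGT (no password): KDC issues a ticket sealed under the service key."""
    t = unseal(KDC_DB["krbtgt"], tgt)
    if now >= t["expires"]:
        raise PermissionError("TGT expired: the user must re-enter the password")
    return seal(KDC_DB[service], {"user": t["user"], "expires": now + lifetime})

def server_accepts(srvtab, service, ticket, now):
    """The application server checks the ticket with its srvtab only, never contacting the KDC."""
    try:
        t = unseal(srvtab[service], ticket)
    except (KeyError, ValueError):
        return None
    return t["user"] if now < t["expires"] else None

def telnet_login(user, password, service, login_time, use_time):
    """Client view of the whole flow: password at login, tickets only afterwards."""
    reply = unseal(key_from(password), kdc_as_exchange(user, login_time))
    ticket = kdc_tgs_exchange(reply["tgt"], service, use_time)
    return server_accepts(APPLE_SRVTAB, service, ticket, use_time)
```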
Cisco TCP/IP Suite for Windows does not include a KDC server. Therefore, to establish an account for a user you must follow the instructions for your particular server. If you are using Cisco MultiNet for OpenVMS, consult the Administrators Guide. Adding a new user generally involves editing the Kerberos database to add a new principal name (user), password, and expiration date.
The procedure for establishing a KDC on your system varies from operating system to operating system but is generally as follows:
To start the Kerberos application in Windows 3.x, double-click the Kerberos icon in the Cisco Suite 100 group. To start Kerberos in Windows 95, select the Kerberos icon from the Cisco Suite 100 program group on the Start menu. The first time you invoke Kerberos, the Configure dialog box appears.
This dialog box lets you identify your local realm, maintain a list of Kerberos servers you use, and identify any special realm mappings.
If you have already entered a local realm in the Configure dialog box, the Kerberos dialog box appears.
This dialog box lists any active or recently expired tickets. (Expired tickets appear only if you check the Show Expired Tickets check box.) It also lets you get Kerberos tickets, change your password for the Kerberos server, identify new Kerberos servers, add special realm mappings, and remove all existing tickets.
To identify your local realm and Kerberos ticket server to the Kerberos application:
If the Kerberos dialog box appears, click the Configure... button.
The Configure dialog box appears.
The Add Ticket Server dialog box appears.
The Kerberos application closes the Add Ticket Server dialog box and adds the specified ticket server to the Ticket Servers table.
You can now obtain your Kerberos tickets and start Kerberized sessions.
A host's realm usually is the same as its domain. For example, users expect the host apple.yoyodyne.com to belong to the realm YOYODYNE.COM (its domain name).
Occasionally, however, you may encounter a host that belongs to a realm that is different than its domain. For example, the host apple.yoyodyne.com may belong to the realm TREE.COM. If this occurs, you need to let the Kerberos application know the correct realm.
The following sections explain how to add, modify, or delete special realm mappings for these situations.
To add a special realm mapping:
The Configure Kerberos dialog box appears.
The Add Special Realm Mapping dialog box appears.
To map an entire subdomain to a different realm, enter the subdomain in the Domain field, prefixing the entry with a . (dot), such as .yoyodyne.com. If you specify a subdomain, all hosts in the subdomain use the special realm mapping.
If you click OK, the Kerberos application closes the Add Special Realm Mapping dialog box and adds the entry to the Special Realm Mappings table.
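How a client would resolve a host to its realm from the Special Realm Mappings table (exact host entries, dot-prefixed subdomain entries, and the default of using the host's domain as the realm), as an added example that is not the Cisco application's own code. The mapping entries below are constructed for the illustration; the precedence rule (exact host first, then the longest matching subdomain) is an assumption about how such a table is meant to be read.

```python
# Constructed Special Realm Mappings table (assumption: this mirrors the dialog's
# Domain -> Realm entries; the values are invented for the example).
SPECIAL_REALM_MAPPINGS = {
    "apple.yoyodyne.com": "TREE.COM",   # one host that lives in a foreign realm
    ".lab.yoyodyne.com": "LAB.COM",     # leading dot: every host in the subdomain
}

def realm_for_host(host, mappings=SPECIAL_REALM_MAPPINGS):
    """Return the Kerberos realm for host: an exact host mapping wins, then the
    most specific dot-prefixed subdomain mapping, else the host's domain uppercased."""
    host = host.lower().rstrip(".")          # DNS names are case-insensitive
    if host in mappings:
        return mappings[host]
    # Longest matching ".subdomain" entry wins, so .lab.yoyodyne.com beats .yoyodyne.com.
    best = max((d for d in mappings if d.startswith(".") and host.endswith(d)),
               key=len, default=None)
    if best is not None:
        return mappings[best]
    labels = host.split(".")
    if len(labels) < 2:
        raise ValueError(f"cannot derive a realm for unqualified host {host!r}")
    return ".".join(labels[1:]).upper()   # realm names are uppercase by convention
```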
To change a special realm mapping:
The Configure Kerberos dialog box appears.
The Modify Special Realm Mapping dialog box appears.
If you click OK, the Kerberos application closes the Modify Special Realm Mapping dialog box and modifies the entry in the Special Realm Mappings table.
To delete a special realm mapping:
The Configure Kerberos dialog box appears.
A message box appears, asking you to confirm the deletion.
If you click Yes, the Kerberos application removes the selected entry from the Special Realm Mappings table.
HTML file generated May 15, 1996.