Kerberos authentication system

Metacentrum wiki is deprecated after March 2023
Dear users, because MetaCentrum is being integrated into https://www.e-infra.cz/en (the e-INFRA CZ service), the user documentation is changing its format and location.
The current wiki pages will not be updated after the end of March 2023. They will, however, be kept for a few months for reference.
The new documentation resides at https://docs.metacentrum.cz.
Related topics
Kerberos on Linux
Kerberos on Windows

Kerberos provides robust mechanisms for authenticating users and services and for securing network communication. Kerberos version 5 was defined in IETF RFC 1510 (since superseded by RFC 4120) and forms the basic authentication building block of many commercial and open-source systems.

Description

Kerberos is designed to combine strong security with a simple user interface. Authentication, i.e. proving one's identity, is based on so-called tickets issued by a central authentication server (the Key Distribution Center, KDC) that manages the database of all users and services. Tickets are roughly analogous to the public-key certificates known from PKI environments. Unlike certificates, however, Kerberos tickets and the Kerberos protocols rely exclusively on symmetric cryptography: the user's long-term key is derived from the password shared between the user and the KDC, and every service has its own key shared with the KDC. Kerberos tickets also have a shorter validity period (usually ten hours), and every ticket names the end service for which it was issued, so a ticket obtained for one service cannot be presented to another.

Beyond authentication itself, the ticket mechanism also provides so-called single sign-on, which lets users work with resources without being burdened by repeated security procedures. The user authenticates to the Kerberos server only once and obtains a basic ticket, the so-called Ticket Granting Ticket (TGT), which is then used to obtain further tickets for every service that requires authentication. When logging in to another machine the TGT can also be forwarded there, so the user is still able to authenticate from the remote machine. All operations except the initial authentication happen transparently, without any user intervention, so the user is not hindered in their work. Bear in mind that forwarding places a usable copy of your credentials on the remote machine: forward tickets only to machines you trust and only when you need to authenticate onward from them.
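The two paragraphs above describe three exchanges: the initial authentication (AS exchange, what kinit does), obtaining a service ticket with the TGT (TGS exchange), and presenting that ticket to a service (AP exchange). The following is an added toy model of those exchanges written for this page; it is not MetaCentrum's or Heimdal's code. It uses only symmetric keys, as the text says, and shows why a ticket bound to one service is useless at another and why an expired ticket is refused. The cipher is a stand-in (HMAC-SHA256 keystream with encrypt-then-MAC) for the AES enctypes real Kerberos uses, and the realm, principal names and passwords are hypothetical.

```python
# Toy model of the three Kerberos exchanges (AS, TGS, AP) using symmetric keys only.
# Added illustration, not MetaCentrum's or Heimdal's code: the cipher is a stand-in
# for real Kerberos enctypes; realm, principals and passwords are hypothetical.
import hashlib, hmac, json, os

REALM = "EXAMPLE"            # hypothetical realm
TGS = "krbtgt/" + REALM      # the ticket-granting service principal
LIFETIME = 10 * 3600         # default ticket life: ten hours

def derive_key(password, salt):
    """Long-term key from a password (stand-in for Kerberos string2key)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096)

def _keystream(key, nonce, n):
    blocks = [hmac.new(key, nonce + c.to_bytes(4, "big"), hashlib.sha256).digest()
              for c in range(0, n, 32)]
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Encrypt-then-MAC a dict: only a holder of `key` can read or forge it."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def verify_ticket(service_key, ticket, authenticator, expected_service, now):
    """Server side: decrypt the ticket with the server's own key, check the service
    name and expiry, then check the authenticator under the embedded session key."""
    t = unseal(service_key, ticket)
    if t["service"] != expected_service:
        raise PermissionError("ticket is for %s, not %s" % (t["service"], expected_service))
    if now > t["expires"]:
        raise PermissionError("ticket expired")
    auth = unseal(bytes.fromhex(t["key"]), authenticator)
    if auth["client"] != t["client"] or abs(now - auth["time"]) > 300:  # 5 min clock skew
        raise PermissionError("bad authenticator")
    return t

class KDC:
    """Authentication Server and Ticket-Granting Server; holds every long-term key."""
    def __init__(self, principals):
        self.keys = {p: derive_key(pw, p) for p, pw in principals.items()}
        self.keys[TGS] = os.urandom(32)

    def _issue(self, service, client, expires):
        session = os.urandom(32).hex()
        return seal(self.keys[service], {"client": client, "service": service,
                                         "key": session, "expires": expires}), session

    def as_exchange(self, client, now):   # AS-REQ/AS-REP: the password never travels
        tgt, session = self._issue(TGS, client, now + LIFETIME)
        return tgt, seal(self.keys[client], {"key": session})

    def tgs_exchange(self, tgt, authenticator, service, now):  # TGS-REQ/TGS-REP
        t = verify_ticket(self.keys[TGS], tgt, authenticator, TGS, now)
        ticket, session = self._issue(service, t["client"], t["expires"])
        return ticket, seal(bytes.fromhex(t["key"]), {"key": session})

class Client:
    def __init__(self, principal, password, kdc):
        self.principal, self.kdc, self.key = principal, kdc, derive_key(password, principal)
        self.tgt, self.tgt_key, self.tickets = None, None, {}   # the credential cache

    def _authenticator(self, key, now):
        return seal(key, {"client": self.principal, "time": now})

    def kinit(self, now):
        tgt, reply = self.kdc.as_exchange(self.principal, now)
        self.tgt_key = bytes.fromhex(unseal(self.key, reply)["key"])  # wrong password: ValueError
        self.tgt = tgt

    def get_service_ticket(self, service, now):
        auth = self._authenticator(self.tgt_key, now)
        ticket, reply = self.kdc.tgs_exchange(self.tgt, auth, service, now)
        self.tickets[service] = (ticket, bytes.fromhex(unseal(self.tgt_key, reply)["key"]))

    def ap_request(self, service, now):   # AP-REQ: ticket plus a fresh authenticator
        ticket, key = self.tickets[service]
        return ticket, self._authenticator(key, now)

def outcome(fn):
    try:
        return fn()
    except (ValueError, PermissionError) as e:
        return "rejected: " + str(e)

def demo(now=1_700_000_000):
    kdc = KDC({"alice": "correct-horse-battery", "host/node1": "k1", "host/node2": "k2"})
    alice = Client("alice", "correct-horse-battery", kdc)
    alice.kinit(now)                                   # the only step that needs the password
    alice.get_service_ticket("host/node1", now + 60)   # transparent: proved with the TGT
    def login(host, t):   # the application server `host` accepting an AP-REQ with its own key
        return verify_ticket(kdc.keys[host], *alice.ap_request("host/node1", t), host, t)["client"]
    return {
        "login": outcome(lambda: login("host/node1", now + 120)),
        "wrong_service": outcome(lambda: login("host/node2", now + 120)),   # ticket is for node1
        "expired": outcome(lambda: login("host/node1", now + 11 * 3600)),   # past the 10 h life
        "bad_password": outcome(lambda: Client("alice", "wrong", kdc).kinit(now)),
    }

if __name__ == "__main__":
    for case, result in demo().items():
        print(case, "->", result)
```

Note that the password is never sent: kinit proves it only by being able to decrypt the AS reply, and every later step proves possession of a session key rather than the password. A ticket presented to the wrong host fails the integrity check because that host does not have the key the ticket was sealed with, which is the property the text describes as tickets "always containing information for which end service they are designated".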

Availability

Kerberos is available as the module heimdal, which is also loaded by the module metabase. That module is loaded automatically for every user on login to MetaCentrum machines.

Utilization

The program kinit obtains the TGT, i.e. performs the initial authentication; after running it the user enters their Kerberos password. In addition, all MetaCentrum applications that allow password authentication are configured to verify the password against the Kerberos server, so a user who logs in over ssh with the Kerberos password, for example, receives tickets on login and does not need to run kinit manually again.

Obtained tickets are stored in a credential cache file on disk so that all of the user's applications can use them. The command klist lists the tickets currently in the cache, including their validity period. Because the cache is an ordinary file, anything able to read it (processes running under your account, or the administrator) can use the tickets, so after finishing your work we recommend deleting the tickets obtained during the session; this eliminates the (unlikely) possibility of their misuse. The command kdestroy erases the tickets and the file in which they were stored. To change your Kerberos password, go to My Account - Change password and follow the instructions there.
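A check worth making before starting a long job is whether the TGT in the cache will outlive it, since a ticket that expires mid-run leaves later ssh or file-transfer steps unauthenticated. The following is an added example, not MetaCentrum tooling: it parses a klist listing, finds the krbtgt entry and reports how much validity is left. The sample listing is constructed in the layout Heimdal's klist prints; the principal and host names in it are hypothetical.

```python
# Check the TGT in a credential cache listing before starting long work. Added
# illustration, not MetaCentrum tooling; SAMPLE_KLIST is constructed in the layout
# Heimdal's klist prints, with hypothetical principal and host names.
import re
import subprocess
from datetime import datetime

SAMPLE_KLIST = """\
Credentials cache: FILE:/tmp/krb5cc_1000
        Principal: alice@META

  Issued                Expires               Principal
Mar 10 09:00:00 2023  Mar 10 19:00:00 2023  krbtgt/META@META
Mar 10 09:01:12 2023  Mar 10 19:00:00 2023  host/node1.example.org@META
"""

STAMP = r"\w{3} +\d{1,2} \d\d:\d\d:\d\d \d{4}"
TICKET_RE = re.compile(r"^(%s)\s+(%s)\s+(\S+)$" % (STAMP, STAMP))

def parse_time(s):
    return datetime.strptime(re.sub(" +", " ", s), "%b %d %H:%M:%S %Y")

def parse_klist(text):
    """One dict per ticket line; the cache description and header lines are skipped."""
    tickets = []
    for line in text.splitlines():
        m = TICKET_RE.match(line.strip())
        if m:
            issued, expires, principal = m.groups()
            tickets.append({"issued": parse_time(issued), "expires": parse_time(expires),
                            "principal": principal})
    return tickets

def check_tgt(text, now, needed_seconds=3600):
    """Return (status, seconds_left) for the TGT: 'none', 'expired', 'renew' (less than
    needed_seconds left) or 'ok'. `now` is a timestamp in klist's own date format."""
    tgts = [t for t in parse_klist(text) if t["principal"].startswith("krbtgt/")]
    if not tgts:
        return "none", 0
    left = int((max(t["expires"] for t in tgts) - parse_time(now)).total_seconds())
    if left <= 0:
        return "expired", 0
    return ("renew" if left < needed_seconds else "ok"), left

if __name__ == "__main__":
    # Real use: feed the live listing and the current time; run kinit unless status is 'ok'.
    listing = subprocess.run(["klist"], capture_output=True, text=True).stdout
    print(check_tgt(listing, datetime.now().strftime("%b %d %H:%M:%S %Y")))
```

Set needed_seconds to the expected run time of the work ahead; if the result is anything but "ok", run kinit first. The same parsing also shows which service tickets are already cached, which is what the text means by klist printing the tickets' validity times.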

A set of applications supports the Kerberos mechanism. MetaCentrum machines can be accessed with Kerberos-aware clients such as ssh, or the legacy Kerberized telnet, which authenticate with tickets and can then encrypt the connection. Files can be transferred with scp, or with the Kerberized ftp and rcp that are part of the standard MetaCentrum software equipment. All of these applications can also forward the user's tickets, which allows moving comfortably between machines without repeatedly entering the password.

Licence

Freely available software (BSD licence).

Supported platforms

UNIX systems and Microsoft Windows.