
What is Kerberos Linux?

“Kerberos Linux is an authentication protocol for individual Linux users in any network environment. It provides secure Single Sign-On (SSO) and secure network logins over non-secure networks by authenticating service requests between trusted and untrusted networks; the internet is a good example of a non-secure network.

This protocol allows you to use any Kerberos-enabled program on the Linux OS without keying in passwords every time. Kerberos is also compatible with other major operating systems such as Apple Mac OS, Microsoft Windows, and FreeBSD.

The primary purpose of Kerberos Linux is to give users a reliable and secure way to authenticate themselves to the programs they use within the operating system. Of course, those responsible for authorizing users to access those systems or programs within the platform. Kerberos can easily interface with secure accounting systems, so the protocol completes the AAA triad of authentication, authorization, and accounting.”

This article focuses only on Kerberos Linux. Apart from the brief introduction, you will also learn the following:

  • Components of the Kerberos protocol
  • Concepts of the Kerberos protocol
  • Environmental variables that affect the operation and performance of Kerberos-enabled programs
  • A list of common Kerberos commands

Components of Kerberos Protocol

Kerberos was developed for Project Athena at MIT (Massachusetts Institute of Technology); development of the protocol started in the 1980s, and it was first published in 1983. It takes its name from Cerberus, the three-headed guard dog of Greek mythology, and has three components:

  1. A primary or principal is any unique identifier to which the protocol can assign tickets. A principal is either an application service or a client/user, so you end up with a service principal for an application service and a user ID for a user. A username is the primary for a user, while the service’s name is the primary for a service.
  2. A Kerberos network resource is a system or application that grants access to a network resource requiring authentication through the Kerberos protocol. Such servers include remote computing, terminal emulation, email, and file and print services.
  3. A key distribution center or KDC combines the protocol’s trusted authentication service, its principal database, and the ticket-granting service or TGS; those are its three major functions. It supports mutual authentication, so nodes can prove their identity to one another. Kerberos authentication relies on conventional shared-secret cryptography to protect the packets it exchanges, so that they cannot be read or altered in transit across untrusted networks.

The Core Concepts of Kerberos Protocol

Kerberos lets servers and clients establish an encrypted channel so that all communication within the network stays private. To achieve this, the Kerberos designers laid down several concepts that guide its use and structure:

  • Passwords must never be transmitted over the network, since attackers could eavesdrop on and intercept user IDs and passwords.
  • Passwords are never stored in plaintext, neither on client systems nor on authenticating servers.
  • Users enter their password only once per session (SSO) and can then access every program and system they are authorized to use.
  • A central server stores and maintains every user’s authentication credentials, which makes protecting them far simpler. Application servers store no user credentials, so one authentication store can serve many applications. An administrator can revoke a user’s access to any application server without touching that server, and a user changes their password in one place while keeping access to every service they are authorized to use.
  • Kerberos servers operate within limited realms. Realms are identified by domain names, and a principal’s domain is where its Kerberos server operates.
  • Both users and application servers must authenticate themselves whenever prompted. Users authenticate at sign-in, while application services may need to authenticate to the client.
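The AS, TGS and AP exchanges behind the three components and the concepts above, as a toy model added here for illustration. It is not code from the original article, its seal/unseal cipher is a constructed stand-in rather than real Kerberos cryptography, and every principal name and secret is a constructed sample value.

```python
import hashlib, hmac, json, os, time

def kdf(secret):  # long-term key from a password or keytab secret; the secret never leaves its host
    return hashlib.sha256(secret.encode()).digest()
def _xor(key, nonce, data):  # toy keystream SHA-256(key||nonce||counter), constructed for this example
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):  # encrypt-then-MAC: only a holder of `key` can read or forge the result
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()
def unseal(key, box):
    nonce, ct, tag = box[:16], box[16:-32], box[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(_xor(key, nonce, ct))

REALM, TGS = "EXAMPLE.COM", "krbtgt/EXAMPLE.COM@EXAMPLE.COM"
KDC_DB = {f"alice@{REALM}": kdf("alice-pw"), TGS: kdf("tgs-secret"),     # constructed sample: the
          f"host/fs1.example.com@{REALM}": kdf("fs1-keytab-secret")}   # KDC holds every principal's key

def kdc_as_exchange(client):  # AS-REQ/AS-REP: TGT sealed under the TGS key, session key under client key
    sk = os.urandom(32).hex()
    return seal(KDC_DB[client], {"sk": sk}), seal(KDC_DB[TGS], {"client": client, "sk": sk})

def verify(ticket_key, ticket, authenticator):  # shared-secret proof that the sender holds the session key
    t = unseal(ticket_key, ticket)
    a = unseal(bytes.fromhex(t["sk"]), authenticator)
    if a["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t, a

def kdc_tgs_exchange(tgt, authenticator, service):  # TGS-REQ/TGS-REP: TGT possession earns a service ticket
    t, _ = verify(KDC_DB[TGS], tgt, authenticator)
    ssk = os.urandom(32).hex()
    return seal(bytes.fromhex(t["sk"]), {"sk": ssk}), seal(KDC_DB[service], {"client": t["client"], "sk": ssk})

def ap_exchange(service, ticket, authenticator):  # AP-REQ/AP-REP: server proves itself back (mutual auth)
    t, a = verify(KDC_DB[service], ticket, authenticator)
    return seal(bytes.fromhex(t["sk"]), {"ts": a["ts"]})

def client_login_and_access(user, password, service):  # client side: password used once, locally, never sent
    rep, tgt = kdc_as_exchange(user)
    sk = bytes.fromhex(unseal(kdf(password), rep)["sk"])   # wrong password -> ValueError (bad tag)
    rep2, ticket = kdc_tgs_exchange(tgt, seal(sk, {"client": user, "ts": time.time()}), service)
    ssk, ts = bytes.fromhex(unseal(sk, rep2)["sk"]), time.time()
    ap_rep = ap_exchange(service, ticket, seal(ssk, {"client": user, "ts": ts}))
    return unseal(ssk, ap_rep)["ts"] == ts                  # True only if the server knew the session key
```

Note that the application server never sees the user's password or long-term key; it only needs its own key to open the service ticket.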

Kerberos Environment Variables

Kerberos honors several environment variables that directly affect how Kerberos-enabled programs behave. The important ones are KRB5_KTNAME, KRB5CCNAME, KRB5_KDC_PROFILE, KRB5_TRACE, KRB5RCACHETYPE, and KRB5_CONFIG.

The KRB5_KTNAME variable states the location of the keytab file. A keytab name takes the form TYPE:residual; if no type is given, the whole value is the pathname of the file. KRB5CCNAME defines the location of the credential cache and takes the same TYPE:residual form.

KRB5_CONFIG specifies the location of the configuration file, and KRB5_KDC_PROFILE the location of the KDC configuration file with additional configuration directives. KRB5RCACHETYPE specifies the default replay cache type used by servers. Finally, KRB5_TRACE names the file to which trace output is written.

Some programs must ignore these environment variables. Setuid and login programs, for example, can be invoked by untrusted users and must remain secure regardless, so the variables must not take effect for them.
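How these variables resolve in practice, as an added example that is not from the original article: it parses the TYPE:residual form and applies the setuid rule just described. The fallback paths and the secure_getenv-style identity check are assumptions for this example, not a statement of any particular build's behaviour.

```python
import os

# Fallback values assumed for this example (typical of MIT Kerberos builds; your build may differ).
DEFAULTS = {"KRB5_CONFIG": "/etc/krb5.conf", "KRB5_KTNAME": "FILE:/etc/krb5.keytab",
            "KRB5RCACHETYPE": "dfl", "KRB5_TRACE": None}

def split_type_residual(value: str):
    """Split a 'TYPE:residual' keytab or credential cache name. With no type prefix the whole
    value is a file pathname, so the type falls back to FILE, as the text above describes."""
    head, sep, tail = value.partition(":")
    if sep and head.isalnum():
        return head, tail
    return "FILE", value

def honors_environment(uid: int, euid: int, gid: int, egid: int) -> bool:
    """The rule from the text: a setuid/setgid (or login) program must not let whoever invoked
    it redirect it to a different config, keytab or cache through the environment. This is
    the same identity check libc's secure_getenv() makes (assumption: no extra site policy)."""
    return uid == euid and gid == egid

def resolve_krb5_settings(env: dict, uid: int, euid: int, gid: int, egid: int) -> dict:
    """Effective Kerberos file locations: the environment wins only for an unprivileged
    process; a privileged one silently uses the defaults."""
    trusted = honors_environment(uid, euid, gid, egid)

    def get(key):
        return (env.get(key) if trusted else None) or DEFAULTS[key]

    ccache = env.get("KRB5CCNAME") if trusted and env.get("KRB5CCNAME") else f"FILE:/tmp/krb5cc_{uid}"
    return {"env_honored": trusted,
            "config": get("KRB5_CONFIG"),
            "keytab": split_type_residual(get("KRB5_KTNAME")),
            "ccache": split_type_residual(ccache),
            "rcache_type": get("KRB5RCACHETYPE"),
            "trace": get("KRB5_TRACE")}

def current_process_settings() -> dict:
    """Same resolution for the running process (POSIX only)."""
    return resolve_krb5_settings(dict(os.environ), os.getuid(), os.geteuid(), os.getgid(), os.getegid())
```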

Common Kerberos Linux Commands

This list covers some of the most important Kerberos commands on Linux; other sections of this website discuss them at length.

Command                     Description
--------------------------  ------------------------------------------------------------------------
/usr/bin/kinit              Obtains and caches the initial ticket-granting credentials for a principal
/usr/bin/klist              Displays existing Kerberos tickets
/usr/bin/ftp                File Transfer Protocol command
/usr/bin/kdestroy           Destroys Kerberos tickets
/usr/bin/kpasswd            Changes passwords
/usr/bin/rdist              Distributes remote files
/usr/bin/rlogin             Remote login command
/usr/bin/ktutil             Manages keytab files
/usr/bin/rcp                Copies files remotely
/usr/lib/krb5/kprop         Database propagation program
/usr/bin/telnet             Telnet program
/usr/bin/rsh                Remote shell program
/usr/sbin/gsscred           Manages gsscred table entries
/usr/sbin/kdb5_ldap_util    Creates LDAP containers for Kerberos databases
/usr/sbin/kdcmgr            Configures master KDC and slave KDC
/usr/sbin/kclient           Client installation script

Conclusion

Kerberos on Linux is considered the most secure and widely used authentication protocol. It is mature and safe, hence ideal for authenticating users in a Linux environment. Moreover, Kerberized tools such as rcp and rsh can copy files and run remote commands without prompting for a password again. It uses strong cryptography to protect sensitive information and data across unsecured networks.

About the author

Kennedy Brian

Brian is a computer scientist with a bias for software development, programming, and technical content development. He has been in the profession since 2015. He reads novels, jogs, or plays table tennis whenever not on gadgets. He is an expert in Python, SQL, Java, and data and network security.