(Written in June, 2000)
What Is Kerberos?
This is an introduction to the concepts and conventions used in Kerberos. It is intended to give system administrators and software developers an overview of how Kerberos works. It does not contain step by step, detailed instructions on setting up or using Kerberos.
For more information on Kerberos, see its home page at
and Microsoft’s Windows 2000 Kerberos page at
Kerberos is a software package providing authentication between clients (typically run interactively by people) and servers (such as a telnet or POP mail daemon). It consists of several C libraries, several standard client and server programs, a database, and some configuration files. Programs that are not part of the Kerberos software distribution can be Kerberos-enabled by adding calls to the Kerberos libraries.
Kerberos was developed at MIT as part of Project Athena. It is named after the three-headed dog who guarded the entrance to Hades in Greek mythology (called Cerberus by the Romans). The C API is called the General Security Service (GSSAPI). The current version of Kerberos is v5, though v4 is still in widespread use. v5 and v4 are not directly compatible, but v5 has a v4 compatibility mode. This document discusses only v5, as v4 is being phased out.
What techniques does it use?
Kerberos uses private keys (a.k.a. secret keys) to provide authentication. This is unlike SSH, which uses public-private key pairs. In Kerberos, each client has its own private key (your password) and each server also has its own private key (which is stored in a file called a keytab on that server host). Automated clients (such as cron jobs) also have private keys stored in keytabs. Kerberos private keys are never sent over the network in cleartext (that’s what keeps them private). Kerberos does not depend on IP addresses or DNS names for providing authentication, so if they are spoofed, connections will not succeed.
Kerberos divides the world into administrative realms, with names based on hosts’ DNS domain names but in all capital letters. In each realm is a physically secure host with a database containing the private keys of all clients and servers in that realm. That way, each organization can control its own private keys. The host with this database is a trusted third party. It is running a Kerberos server, and is called the Key Distribution Center, or KDC. The KDC database can be replicated onto other hosts for redundancy. (Kerberos calls this propagation.) The host with the master copy is called the primary KDC, and the hosts with the copies are called secondary KDCs.
A client might actually have several private keys, for authenticating to different services. For example, a person might have one private key for logging in as themself, and another private key for logging in as the superuser (root). To figure out which of a client’s private keys to use when authenticating to a server, each private key is labeled with an principal name, which is their user name with an optional instance name. The default instance for a user is empty and is used for logging in, and the principal name looks like “username@REALMNAME” (similar to an email address). The other principal names look like “username/instancename@REALMNAME”, for example, “djm/root@VA.PUBNIX.COM”. (Although any number of instance names separated by slashes can be used, in practice only one level of instance names is ever used.) The “@REALMNAME” is optional, and defaults to the realm of the local host.
Servers’ private keys are also labeled by principal names, with the same format except the user name is replaced by the service name. They look like “servicename/hostname@REALMNAME”, for example, “imap/jenkins.web.us.uu.net@VA.PUBNIX.COM”. For logins, the service name is “host”.
You can see from the previous example that each Kerberos realm can authenticate for servers in multiple DNS domains. But each DNS domain can be served by only one Kerberos realm. However, clients can authenticate to servers in any realm in which they have principals.
Each request for authentication to the Kerberos server sends the client a sesssion key, which the client caches in a credentials cache file locally. The session keys are used to encrypt connections to servers instead of using the client’s private keys. Session keys are valid only for a few hours, to prevent replay attacks.
The authenticated information for a connection between a particular client and server is called a ticket. A client’s tickets are stored in the credentials cache along with the session key. The first ticket which is issued to a client, and can be decrypted using that client’s private key, is called a ticket-granting ticket, or TGT. It is used for authenticating all services, instead of using the client’s private key, to avoid having to type your password every time you check your email or login to another host.
After an authenticated connection to a server is established, whatever protocol that server uses can either pass information in cleartext, or encrypt it in the session key, as desired. For example, Kerberos “rcp” copies files in cleartext unless the “-x” option is given.
How Is It Configured?
Every host using Kerberos needs a copy of the master configuration file, called “krb5.conf” on Unix, and usually located in /etc or /etc/krb5. The main functions of this file are to specify the KDC(s) for each realm, which DNS domains each realm services, and some optional parameters. There is no distributed lookup service (analogous to DNS) for Kerberos realms. You need to create or copy a krb5.conf that contains information about the realms that you want to access servers in.
In addition, the KDC has a “kdc.conf” giving some parameters and file locations, and ACL files for Kerberos administration and database replication.
On Unix, entries in “/etc/inetd.conf” for the standard versions of servers such as “telnetd” and “rshd” are replaced with entries for the Kerberos versions.
Semi-standard locations for the Kerberos programs and libraries on Unix are /usr/krb5 or /usr/local/krb5.
How Is It Administrated?
Kerberos administration consists mostly of creating principals for new clients and servers, deleting principals for retired clients and servers, creating keytabs for servers and automated clients, and changing passwords.
After the initial setup, most Kerberos administration is done with the “kadmin” program, which uses a separate protocol to connect to a Kerberos administration server on the primary KDC for a realm. Administrative connections can not be made to the secondary KDCs. kadmin uses an “admin” instance to authenticate Kerberos system administrators. There is another version of it called “kadmin.local” that runs only on the primary KDC and does not require a password.
Any client can change their own Kerberos passwords using the “kpasswd” program. Note that the kpasswd protocol changed between Kerberos v5 release 1.0 and release 1.1.
How Does It Authenticate?
As mentioned above, Kerberos uses a trusted third party model. Authentication is initiated by a client, which contacts the KDC to get a TGT, which it decrypts using its own private key. The client then uses the TGT to get a ticket for a particular server from the KDC, and then connects to that server. This process is illustrated in the accompanying diagram (click to enlarge).
More concretely, a user runs “kinit”, which prompts for a password, to get a TGT. Alternately, some login programs and graphical telnet clients get a TGT with the password provided, as does the Kerberos “su” program, “ksu”. kinit can get a private key from a keytab instead of prompting for a password, for use with automated clients.
You can list your current credentials (tickets and session keys) using “klist” and remove them (when you log out) using “kdestroy”.
For remote logins, there is an optional file similar to the non-Kerberos “.rhosts” file, called “.k5login”, which a user can create in their home directory. This file lists principals who are allowed to login
as that user from other hosts using Kerberos, or “ksu” to that user on that host.