What Is Kerberos, and How Does It Work?

Kerberos is basically a “trusted third party” that two different entities can use to validate each other’s identity.

Kerberos KDCs

A Kerberos Key Distribution Center (KDC) is the Kerberos server that holds a copy of the secret cryptographic key used to encrypt information about entities called “principals”. MCECS currently has at least two KDCs that share the same information, arya.cat.pdx.edu and tyrion.cat.pdx.edu.

Kerberos Principals

A Kerberos principal is the equivalent of what would be a “user” in other systems. Principals can represent more than just human users, though, so a more general term was chosen. Every MCECS user has a Kerberos principal that looks like username@CECS.PDX.EDU, where username is their user name and the rest is the same for all accounts.

The CECS.PDX.EDU part of the user’s Kerberos principal is the Kerberos “realm” for MCECS. This is basically the namespace under which all MCECS Kerberos principals live, and it makes them uniquely identifiable (so that systems that need to interact with multiple Kerberos environments can tell them apart).

Kerberos principals are more than just a name: each has one or more cryptographic keys associated with it. These keys can optionally be protected (encrypted) with a password, and most user principals are. Being able to decrypt these keys with the user’s password is how Kerberos authenticates that a user is who they claim to be.

Computers can also have principals associated with them. Every computer that uses Kerberos for authentication has an associated principal that looks like host/hostname@CECS.PDX.EDU. These host principals aren’t protected with a password; their keys are stored in files called “keytabs”.

Kerberos Tickets

If a user knows their password, they can talk to the Kerberos KDC, prove they are who they say they are, and obtain something called a Kerberos “ticket granting ticket”. This ticket is effectively a login session to Kerberos that will eventually expire, sort of like a key that is only valid for a limited time. Kerberos tickets are usually stored in files in /tmp that look something like /tmp/krb5cc_9999_prBsnY, where 9999 is your Linux UID number. If set, the environment variable KRB5CCNAME can point to another file in which your Kerberos ticket lives.

How Long do Kerberos Tickets Last?

Kerberos tickets in the MCECS environment automatically expire after 24 hours, and can be renewed for up to 7 days after they were initially issued. Renewing requires talking to the KDC and updating the ticket, but doesn’t require you to re-enter your password. After the “hard” expiration time, you’ll need to request a new ticket and supply your password again.
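The two sections above describe where a ticket cache lives (KRB5CCNAME or a /tmp/krb5cc_UID file) and the 24-hour lifetime plus 7-day renew window. The script below is an added example, not part of this page or of the MCECS tooling: it locates the cache the same way, parses a constructed sample of `klist` output, and reports whether the ticket-granting ticket is still valid, should be renewed before it expires, or needs a fresh kinit. The principal, file names and timestamps in the sample are made up.

```python
import re
from datetime import datetime, timedelta

REALM = "CECS.PDX.EDU"
STAMP = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"  # klist timestamp, mm/dd/yy[yy]

# Constructed sample of `klist` output in MIT Kerberos' format (not a real capture).
SAMPLE_KLIST = """Ticket cache: FILE:/tmp/krb5cc_9999_prBsnY
Default principal: username@CECS.PDX.EDU

Valid starting       Expires              Service principal
01/10/2024 09:00:00  01/11/2024 09:00:00  krbtgt/CECS.PDX.EDU@CECS.PDX.EDU
\trenew until 01/17/2024 09:00:00
"""

def cache_path(env, uid, tmp_listing):
    """KRB5CCNAME wins (FILE: prefix stripped); else the first /tmp/krb5cc_<uid>* file."""
    name = env.get("KRB5CCNAME")
    if name:
        return name[5:] if name.startswith("FILE:") else name
    prefix = f"/tmp/krb5cc_{uid}"
    return next((f for f in sorted(tmp_listing) if f.startswith(prefix)), None)

def _ts(text):
    """klist prints 2- or 4-digit years depending on locale; handle both."""
    fmt = "%m/%d/%Y %H:%M:%S" if len(text.split()[0]) == 10 else "%m/%d/%y %H:%M:%S"
    return datetime.strptime(text, fmt)

def parse_klist(text):
    """Pull the principal and the TGT's expiry / renew-until times out of klist output."""
    principal = re.search(r"^Default principal: (\S+)$", text, re.M).group(1)
    realm = re.escape(REALM)
    tgt = re.search(rf"^({STAMP})\s+({STAMP})\s+krbtgt/{realm}@{realm}\n"
                    rf"(?:\s+renew until ({STAMP}))?", text, re.M)
    if tgt is None:
        raise ValueError(f"no ticket-granting ticket for {REALM} in this cache")
    expires = _ts(tgt.group(2))
    renew_until = _ts(tgt.group(3)) if tgt.group(3) else expires  # no line => not renewable
    return {"principal": principal, "realm": principal.rsplit("@", 1)[1],
            "expires": expires, "renew_until": renew_until}

def ticket_state(info, now, renew_within=timedelta(hours=2)):
    """'kinit' once expired (MIT will not renew an expired TGT, so renew inside the
    24 h lifetime); 'renew' while valid, near expiry and still extendable; else 'valid'."""
    if now >= info["expires"]:
        return "kinit"
    if info["expires"] - now <= renew_within and info["renew_until"] > info["expires"]:
        return "renew"
    return "valid"
```

Run `ticket_state(parse_klist(SAMPLE_KLIST), datetime.now())` from a cron job or shell prompt hook to decide between `kinit -R` and a full `kinit` before the ticket lapses and NFS access stops working.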

Kerberos Authentication

Kerberos can be used to authenticate that a user is really who they claim to be, by verifying that they have a valid Kerberos ticket for their user principal. At the same time, the user is able to validate that the computer is really what it claims to be by verifying that it has a valid keytab.

When physically logging into a workstation, or when SSHing in using a password, the authentication system tries to obtain a Kerberos ticket for you from the KDC using the password you supply. If it is able to obtain a ticket for you, you are allowed to use the machine and are granted a session.

If you already have a Kerberos ticket, some services like SSH can use that ticket to authenticate you directly, using something called GSSAPI. This means you don’t have to enter your password again.

Kerberos And NFS

Your Kerberos ticket can be used to verify you are really you when talking to an NFS server, and Kerberos can even be used to encrypt all NFS traffic between the NFS server and the client machine. All of our workstation computers use Kerberos for validation and/or encryption like this, so if you don’t have a valid Kerberos ticket you won’t be able to access your NFS home directory or other NFS resources like stashes.