What is Kerberos?


Kerberos is the main password store used at the University for NetID and central OIT Unix machine authentication. When a user or application authenticates against either CAS, LDAP, RCI or ICI, the password is checked against the password stored in Kerberos.

The systems are:

kerberos.rutgers.edu ASB
kerberos-1.rutgers.edu Hill Center
kerberos-2.rutgers.edu SunGard

Developed by MIT, Kerberos is a system that provides authenticated access for users and services on a network. At Rutgers, your Kerberos identity is centrally  managed through the IdM system and established through your NetID.

With Kerberos, by exchanging time-sensitive tickets, you can make transactions secure without sending passwords in plaintext over the network. For a client program to take advantage of Kerberos, it must be Kerberized, which means that it can obtain tickets from the Kerberos server and negotiate with a Kerberos-aware service. Most programs can be Kerberized, including web browsers, telnet applications, POP email clients, and print utilities. Similarly, services that can be made Kerberos-aware include websites, printers, file servers, and POP mail servers. Though it’s a fairly complex protocol, following are a few basic characteristics:

  • Every user and every service has a password. Only the owner of the password and the Kerberos server know this password. Passwords must remain confidential, as Kerberos provides no inherent protection against those that are stolen.
  • When you use a client program that makes an initial ticket request to the Kerberos server, it will ask you for your Kerberos username and password. The program will then send a ticket request to the Kerberos server. The server will respond by sending you a ticket-granting ticket that it encrypts by plugging your password into an encryption algorithm. Because only you and the Kerberos server know what your password is, only you will be able to decrypt and use the ticket-granting ticket. This ticket-granting ticket normally expires eight hours after it is issued.
  • Once you have a ticket-granting ticket, you may then use Kerberized programs to request services from Kerberos-aware servers. The Kerberized program sends your ticket-granting ticket to a ticket-granting server (usually the Kerberos server itself) with a request to transact with a specific service (e.g., a printer, a POP email server). The server gives you a ticket that lets you conduct a transaction with the service and also ensures that both you and the service are who you say you are.
  • Kerberos gives you the option to encrypt data sent over the network. This means that the entire transaction between you and a Kerberos-aware service will be in unreadable ciphertext rather than plaintext.

For more, consult MIT’s Kerberos page or the newsgroup comp.protocols.kerberos.