Kerberos is a network authentication protocol built on the assumption that the network itself cannot be trusted. It uses secret-key cryptography to provide strong user-to-server authentication.
- A realm establishes an authentication administrative domain. Each realm has its own Kerberos database, which contains the users and services of that administrative domain.
- Principals are the entries in the Kerberos database. Each user, host or service is given a principal.
- Tickets are issued by the authentication server. Clients present tickets to the application server to prove their identity. Each ticket has an expiration time and a renewal time. Once a ticket has been issued, the Kerberos server has no further control over it: even if we prevent a user from obtaining new tickets, a user who already holds a valid ticket can keep using it to contact the service until that ticket expires.
- Keytabs store long-term keys for one or more principals.
A Kerberos server, usually called the Key Distribution Center (KDC), normally resides on one physical host but is logically made up of several components:
- Database - contains the user and service entries (the principal, maximum ticket validity, maximum renewal time, password expiration, etc.)
- Authentication Server (AS) - answers the initial authentication request from a client, for which the not yet authenticated user must enter a password. The AS sends back a Ticket Granting Ticket (TGT), which the user can use from then on without re-entering the password.
- Ticket Granting Server (TGS) - issues service tickets based on the TGT.
To access a service using Kerberos a client must do the following:
1. Authenticate to the Kerberos Authentication Server and receive a Ticket Granting Ticket (TGT).
2. Present the TGT to the Ticket Granting Server and receive a service ticket for the requested service.
3. Use the service ticket to authenticate to the server that provides the service the client wants to use (in our case: HDFS, MapReduce, HBase, etc.).
The following picture shows the steps mentioned above.
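The three steps above, and the point made earlier that the KDC has no control over tickets it has already issued, can be seen end to end in the following simulation. It is an added example written for this post, not code from the original article or from any Kerberos implementation. It models the KDC (database, AS and TGS in one process), a client, and an application server that holds only its keytab key; the "encryption" is a toy encrypt-then-MAC built from the standard library, and the principal names (alice, hdfs/namenode), the password, the ticket lifetime and the clock values are all constructed for the demo.

```python
import hashlib, hmac, json, os, time

LIFETIME = 600  # ticket lifetime in seconds (constructed value for the demo)

# Toy encrypt-then-MAC, constructed for this demo only (real Kerberos uses AES-based
# encryption types). Output is hex so a sealed ticket can nest inside another message.
def _keystream(key, nonce, n):
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]
def seal(key, obj):
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()
def unseal(key, blob_hex):
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Database, AS and TGS in one process, as the text describes the KDC."""
    def __init__(self):
        self.db = {}  # principal -> {"key": long-term key, "disabled": bool}
        self.add_principal("krbtgt", os.urandom(32))  # key that seals every TGT
    def add_principal(self, name, key):
        self.db[name] = {"key": key, "disabled": False}
    def disable(self, name):
        self.db[name]["disabled"] = True
    def as_exchange(self, client, now):
        """Step 1: the AS issues a TGT; only the user's key opens the reply."""
        entry = self.db[client]
        if entry["disabled"]:
            raise PermissionError("AS: principal is disabled, no TGT issued")
        sk = os.urandom(32)  # TGT session key, shared by client and TGS
        tgt = seal(self.db["krbtgt"]["key"], {"client": client, "key": sk.hex(), "expires": now + LIFETIME})
        return tgt, seal(entry["key"], {"key": sk.hex(), "tgt": tgt})
    def tgs_exchange(self, tgt, authenticator, service, now):
        """Step 2: the TGS validates the TGT and issues a service ticket."""
        t = unseal(self.db["krbtgt"]["key"], tgt)
        if now >= t["expires"]:
            raise PermissionError("TGS: TGT has expired")
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if auth["client"] != t["client"] or abs(now - auth["time"]) > 300:
            raise PermissionError("TGS: authenticator does not match TGT")
        ssk = os.urandom(32)  # service session key, shared by client and service
        ticket = seal(self.db[service]["key"], {"client": t["client"], "key": ssk.hex(), "expires": now + LIFETIME})
        return ticket, seal(bytes.fromhex(t["key"]), {"key": ssk.hex(), "service": service})

class Service:
    """Application server (e.g. an HDFS NameNode); it holds only its keytab key."""
    def __init__(self, name, keytab_key):
        self.name, self.key = name, keytab_key
    def ap_exchange(self, ticket, authenticator, now):
        """Step 3: the ticket is checked locally; the KDC is never contacted."""
        t = unseal(self.key, ticket)
        if now >= t["expires"]:
            raise PermissionError("service: ticket has expired")
        auth = unseal(bytes.fromhex(t["key"]), authenticator)
        if auth["client"] != t["client"] or abs(now - auth["time"]) > 300:
            raise PermissionError("service: authenticator does not match ticket")
        return t["client"]

def login(kdc, user, user_key, now):
    tgt, enc = kdc.as_exchange(user, now)
    return tgt, bytes.fromhex(unseal(user_key, enc)["key"])  # wrong password -> ValueError
def get_service_ticket(kdc, user, tgt, tgt_key, service, now):
    ticket, enc = kdc.tgs_exchange(tgt, seal(tgt_key, {"client": user, "time": now}), service, now)
    return ticket, bytes.fromhex(unseal(tgt_key, enc)["key"])

def attempt(fn, *args):
    try:  # run one exchange; None means the other side rejected it
        return fn(*args)
    except PermissionError:
        return None

def demo():
    """Walk the three steps, then show what disabling the user does and does not stop."""
    now = int(time.time())
    kdc = KDC()
    alice_key = hashlib.sha256(b"alice-password").digest()  # constructed user key
    hdfs_key = os.urandom(32)                                # would live in the keytab
    kdc.add_principal("alice", alice_key)
    kdc.add_principal("hdfs/namenode", hdfs_key)
    hdfs = Service("hdfs/namenode", hdfs_key)
    tgt, tgt_key = login(kdc, "alice", alice_key, now)
    ticket, svc_key = get_service_ticket(kdc, "alice", tgt, tgt_key, "hdfs/namenode", now)
    auth = lambda at: seal(svc_key, {"client": "alice", "time": at})
    result = {"first_login": hdfs.ap_exchange(ticket, auth(now), now)}
    kdc.disable("alice")  # KDC refuses new tickets; tickets already issued are unaffected
    result["new_tgt_blocked"] = attempt(login, kdc, "alice", alice_key, now + 60) is None
    result["old_ticket_accepted"] = attempt(hdfs.ap_exchange, ticket, auth(now + 60), now + 60)
    result["rejected_after_expiry"] = attempt(hdfs.ap_exchange, ticket, auth(now + LIFETIME), now + LIFETIME) is None
    return result
```

Running `demo()` shows the practical consequence of the design: disabling alice in the KDC database stops step 1 immediately, but the application server never talks to the KDC in step 3, so the service ticket she already holds is accepted until its expiration time. This is why ticket lifetimes matter when you decide how quickly a revoked account must actually lose access.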