I am dealing with making kerberized connections to databases. I think I understand the basics of kerberization. The user requests the “Authentication Server” part of KDC to get TGT (Ticket Granting ticket) and then when the user needs to access a service which needs the user to authenticate, the user sends the TGT to another part of KDC, which provides the “service ticket” after validating that the user is allowed to access the service. The user then forwards this “Service ticket” to the server and gets the service.
I have also heard of the idoms “kerberos login” and “kerberos password”.
I don’t quite understand what exactly they mean and refer to?
Any pointers please?
Thanks,
You need another term first: the “Kerberos Principal”. You could say it is the “full login name”. If you are using passwords for authentication (and not something safer like smart cards), your “Kerberos Password” is the password used to authenticate your Kerberos Principal.
Both are used to authenthicate the user towards the AS = Authentication Server(the password is never send in the clear, of course!). If the authentication is granted, the user receives an Session Key.
The Session Key then is used to ask for TGTs – you omitted the authentication step in your summary. The Authentication server will never handle anything about TGTs, that’s what the Ticket Granting Service is for. (Even if both are implemented on the same machine, they are still independent services.)
It’s all not that complicated, really; it’s mostly terminology.
For starters, read the Wikipedia article on Kerberos or have a look at some diagrams like this one or this. For reference, you can read
The Kerberos Tutorial. (Also of interest may be
Designing an Authentication System: a Dialogue in Four Scenes which explains the rationale behind Kerberos, and Brian Tung’s “The Moron’s Guide to Kerberos”.)
I hope that answers all – if not, please rephrase / update your question.