2.4 Kerberos Terminology and Concepts

Now we'll begin to examine terminology that is specific to the Kerberos authentication system. There are many parts to Kerberos, and each has a name that will be defined here and used throughout the rest of the book. The descriptions that follow suffice for implementing a Kerberos realm, but the details of how these parts work are covered in the next chapter, where we will examine the protocols in detail.

2.4.1 Realms, Principals, and Instances

Every entity contained within a Kerberos installation, including individual users, computers, and services running on servers, has a principal associated with it. Each principal is associated with a long-term key. This key can be, for example, a password or passphrase. Principals are globally unique names. To accomplish this, the principal is divided into a hierarchical structure. Every principal starts with a username or service name. The username or service name is then followed by an optional instance. The instance is used in two situations: for service principals, which we'll discuss later, and in order to create special principals for administrative use. For example, administrators can have two principals: one for day-to-day usage, and another, an admin principal, to use only when the administrator needs elevated privileges. The username and optional instance, taken together, form a unique identity within a given realm.

Each Kerberos installation defines an administrative realm of control that is distinct from every other Kerberos installation. Kerberos defines this as the realm name. By convention, the Kerberos realm for a given DNS domain is the domain converted to uppercase. So, for example, Wedgie International, which owns the domain name wedgie.org, would create a Kerberos realm for its users named WEDGIE.ORG. While it is the convention to make the realm name equivalent to the DNS domain name, it is not necessary to do so. It certainly makes configuration easier, as we'll see later on, but it is perfectly legal to have a realm name of, say, MYREALM.BOGUS when your domain name is wedgie.org. Also note that realms are case-sensitive, unlike domain names, so the realm MyRealm.BOGUS is different from MYREALM.BOGUS.
Now let's examine a Kerberos principal that has been assigned to John Doe, who works in the IT department of Wedgie International:

jdoe@IT.WEDGIE.ORG

This is the simplest form a principal can take, and is a valid principal under both Kerberos 4 and Kerberos 5. This principal represents the username jdoe, with no instance, and a realm of IT.WEDGIE.ORG.

2.4.1.1 Service and host principals

Users aren't the only ones assigned principals in a Kerberos realm; hosts and servers offering Kerberos services also have principals. Since, in Kerberos, each endpoint of a connection can request mutual
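As an added example that is not from the book, the following Python parses and rebuilds principal names with the structure described above (username or service name, optional instance, realm) and compares realm names case-sensitively. It uses the Kerberos 5 string form, in which "/" separates the name from the instance, "@" introduces the realm, and a backslash makes the next character literal; that escaping rule is not covered in this section, and the function names and the default_realm parameter are my own.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Principal:
    primary: str              # username or service name
    instance: Optional[str]   # optional instance ("admin", or a hostname for a service principal)
    realm: str                # realm name; case-sensitive, unlike a DNS domain name

def parse_principal(text: str, default_realm: Optional[str] = None) -> Principal:
    """Parse the Kerberos 5 string form name[/instance]@REALM. A backslash makes the
    next character literal, so a naive split on '@' or '/' would mis-parse such names."""
    parts, cur, in_realm, i = [], [], False, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):   # escaped character: take it literally
            cur.append(text[i + 1]); i += 2
            continue
        if ch == "@":
            if in_realm: raise ValueError(f"unescaped '@' inside realm: {text!r}")
            parts.append("".join(cur)); cur = []; in_realm = True
        elif ch == "/" and not in_realm:       # name/instance separator; not special in the realm
            parts.append("".join(cur)); cur = []
        else:
            cur.append(ch)
        i += 1
    if in_realm:
        realm = "".join(cur)
    else:                                      # no '@' given: fall back to the caller's realm
        parts.append("".join(cur)); realm = default_realm
    if not realm:
        raise ValueError(f"principal {text!r} has no realm and no default realm was given")
    if len(parts) > 2 or not parts[0]:         # this chapter's model: a name plus at most one instance
        raise ValueError(f"malformed principal: {text!r}")
    return Principal(parts[0], parts[1] if len(parts) == 2 else None, realm)

def _escape(component: str) -> str:
    return component.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")

def format_principal(p: Principal) -> str:
    """Inverse of parse_principal: re-escapes separator characters inside components."""
    name = _escape(p.primary) + ("/" + _escape(p.instance) if p.instance is not None else "")
    return f"{name}@{_escape(p.realm)}"

def realm_for_domain(domain: str) -> str:
    """Conventional realm name for a DNS domain: the domain converted to uppercase."""
    return domain.upper()

def same_realm(a: str, b: str) -> bool:
    return a == b   # realm names are case-sensitive: MyRealm.BOGUS != MYREALM.BOGUS
```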

2.5 Putting the Pieces Together