For someone looking to gain access to this information, it would not be too difficult to capture the username and password while they are in transit across the network and use them to access the system themselves. Kerberos allows the username and password to be used without having to send them over the network. In other words, the network can be accessed, but the username and password don't have to travel through it to make that access possible.
In a kerberized network, the Kerberos database contains principals and their keys. For users, the key is derived from the password. All of the services offered on the network are also stored in the Kerberos database, each with its own key.
When a user wants to log in to the network, the principal name is sent to the key distribution center (KDC) as a request for a ticket granting ticket (TGT). The request can be sent in one of two ways: by the login program or by the kinit program.
If the KDC finds the principal in the database, it creates a TGT, encrypts it using the user's individual key and then sends it back to the user.
Once the TGT is received by the user, the login program decrypts it with the user's key. The TGT is stored in the credentials cache and expires after a certain amount of time. The lifetime varies, but is typically around eight hours. This adds another level of security: when the TGT expires, access to the network expires as well, because a new TGT is needed. So a captured TGT gives at most eight hours of access, compared with a password, which offers continuous access until it is changed.
When access to a network service is needed, the user presents the TGT in a request to the ticket granting service (TGS). The TGS issues a ticket for that service, which the user can then use for a limited period of time.
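The two exchanges above, as an added illustration that is not from the original page: a toy KDC whose database holds principals and keys, with user keys derived from passwords. Assumptions: the names `alice`, `krbtgt` and `host/fileserver`, PBKDF2 as the key derivation and a small SHA-256/HMAC envelope in place of Kerberos' real cipher suites; it follows the standard exchange, in which the TGT itself is sealed under the TGS's key and only the session key handed to the user is sealed under the password-derived key, so the password never goes on the wire and an expired TGT is refused.

```python
import hashlib, hmac, json, os

EIGHT_HOURS = 8 * 3600  # TGT lifetime used in the text

def string2key(password, principal):
    # Key derived from the password (assumed PBKDF2); the password itself is never sent.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    # Toy encrypt-then-MAC envelope standing in for a real Kerberos encryption type.
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

# Constructed KDC database: principals and their keys (users' keys come from passwords).
KDC_DB = {
    "alice": string2key("correct horse", "alice"),
    "krbtgt": os.urandom(32),           # key the ticket granting service uses to read TGTs
    "host/fileserver": os.urandom(32),  # a service principal's key
}

def as_exchange(principal, now):
    """AS request/reply: the KDC receives only a principal name, never a password."""
    session_key = os.urandom(32).hex()
    tgt = seal(KDC_DB["krbtgt"], {"client": principal, "session_key": session_key,
                                  "expires": now + EIGHT_HOURS})
    # The reply is readable only by whoever holds the user's password-derived key.
    return seal(KDC_DB[principal], {"session_key": session_key, "tgt": tgt.hex()})

def tgs_exchange(tgt_hex, service, now):
    """TGS request/reply: validate the TGT, enforce its lifetime, issue a service ticket."""
    tgt = unseal(KDC_DB["krbtgt"], bytes.fromhex(tgt_hex))
    if now >= tgt["expires"]:
        raise PermissionError("TGT expired; a new AS exchange is required")
    return seal(KDC_DB[service], {"client": tgt["client"], "expires": now + EIGHT_HOURS})

def client_login(principal, password, now):
    """What login/kinit does: decrypt the AS reply locally and put it in the credentials cache."""
    return unseal(string2key(password, principal), as_exchange(principal, now))
```

A wrong password fails in `client_login` on the client side, with nothing for a network observer to capture, and a TGT presented after its expiry is refused by `tgs_exchange`.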