System Administration Guide

Kerberos Version 4

Kerberos is an authentication system that was developed at the Massachusetts Institute of Technology. Kerberos uses DES encryption to authenticate a user when logging in to the system. Authentication is based on the ability of the sending system to use the common key to encrypt the current time, which the receiving system can decrypt and check against its current time. Kerberos Version 4 is supported in the Solaris 2.6 release.

Kerberos works by authenticating the user's login password. A user enters the kinit command, which acquires a ticket that is valid for the time of the session (or eight hours, the default session time) from the Kerberos authentication server. When the user logs out, the ticket can be destroyed (using the kdestroy command).

The Kerberos software is available from MIT project Athena, and is not part of the SunOS 5.x software. SunOS 5.x software provides:

"Implementation of Kerberos Authentication with NFS" gives an overview of how the Kerberos authentication procedure works.


Note -

Solaris provides the ability to connect to the Kerberos functionality. It does not provide the Kerberos package. However, you can ftp Kerberos 4 source from athena-dist.mit.edu using anonymous as a username and your email address as a password. The source is located in the pub/kerberos directory.


Implementation of Kerberos Authentication with NFS

The following process assumes that the Kerberos key distribution center (KDC) is already installed on the network, using publicly available sources from MIT project Athena.

  1. The /usr/sbin/kerbd daemon must be running on the NFS client and server.

    This daemon is normally started when needed by inetd. The rpcinfo command can be used to make sure that the kerbd service is registered. kerbd is the user-mode daemon. It interfaces with the kernel RPC and the KDC. It generates and validates authentication tickets.

  2. The system administrator sets up the NFS server to use Kerberos authentication.

    The MIT Kerberos software is used to register the principal names in the Kerberos key distribution center (KDC) on the Kerberos server. The following entries are required:

    • root.hostname (required for each NFS client)

    • nfs.hostname (required for each NFS server)

  3. The user mounts the shared file system.

    The user on the client must get a ticket for root on the client to mount the shared file system.

  4. The user logs in to the Kerberos service, using the kinit command.

    The Kerberos authentication server authenticates the request, and grants a ticket for the ticket-granting service.

  5. The user accesses the mounted directory.

    The kerbd daemon automatically secures a ticket on behalf of the client for the NFS server exporting the file system. At this point, there are two valid tickets, the original ticket-granting ticket and one for the server.

  6. The user destroys the tickets at the end of the session to prevent them from being compromised.

    The kdestroy command destroys the user's active Kerberos authorization tickets by writing zeros to the file that contains the tickets. You can put the kdestroy command in your .logout file, so that all Kerberos tickets are automatically destroyed when you log out of the system.

  7. If tickets have been destroyed before the session has finished, the user must request a new ticket with the kinit command.
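The client-side part of this procedure (steps 1, 4 and 6) as a Bourne shell wrapper. This is an added example, not code from the Solaris guide; it assumes the tools are named rpcinfo, kinit and kdestroy as above, and the names are overridable through environment variables so the logic can be exercised on a host without a KDC.

```shell
#!/bin/sh
# Added example (not from the Solaris guide): walks a client-side Kerberos 4
# session through steps 1, 4 and 6 above. Command names are overridable so the
# logic can be exercised without a KDC (assumption: the real tools are
# rpcinfo, kinit and kdestroy).
: "${RPCINFO:=rpcinfo}" "${KINIT:=kinit}" "${KDESTROY:=kdestroy}"

# Step 1: given the text of `rpcinfo -p` (last column is the service name),
# succeed only if the kerbd service is registered with the RPC binder.
kerbd_registered() {
    printf '%s\n' "$1" |
        awk '$NF == "kerbd" { found = 1 } END { exit found ? 0 : 1 }'
}

# Steps 4 and 6: acquire the ticket-granting ticket, run the session command,
# and destroy the tickets on every exit path (normal return, non-zero status,
# or HUP/INT/TERM) so that a ticket never outlives the session that used it.
kerberos_session() {
    if ! kerbd_registered "$("$RPCINFO" -p)"; then
        echo "kerbd is not registered; check the inetd configuration" >&2
        return 2
    fi
    "$KINIT" || return 3
    # Safety net: an interrupted session still zeroes the ticket file.
    trap '"$KDESTROY"; trap - EXIT HUP INT TERM' EXIT HUP INT TERM
    "$@"
    rc=$?
    "$KDESTROY"
    trap - EXIT HUP INT TERM
    return "$rc"
}
```

Run as `kerberos_session some_command` to have the tickets destroyed as soon as that command finishes rather than waiting for a .logout hook.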