Managing Kerberos and Other Authentication Services in Oracle® Solaris 11.2

Exit Print View

Updated: August 2014

What Is the Kerberos Service?

The Kerberos service is a client-server architecture that provides secure transactions over networks. The service offers strong user authentication, as well as integrity and privacy. Authentication guarantees that the identities of both the sender and the recipient of a network transaction are true. The service can also verify the validity of data being passed back and forth (integrity) and encrypt the data during transmission (privacy). Using the Kerberos service, you can log in to other machines, execute commands, exchange data, and transfer files securely. Additionally, the service provides authorization services, which enables administrators to restrict access to services and machines. Moreover, as a Kerberos user, you can regulate other people's access to your account.

The Kerberos service is a single sign-on system, which means that you only need to authenticate yourself to the service once per session. All subsequent transactions during the session are automatically secured. After the service has authenticated you, you do not need to authenticate yourself every time you use a Kerberos-based command such as ftp or ssh, or a command to access data on an NFS file system. Thus, you do not have to send your password over the network, where it can be intercepted, each time you use these services.

The Kerberos service in Oracle Solaris is based on the Kerberos V5 network authentication protocol that was developed at the Massachusetts Institute of Technology (MIT). If you have used the Kerberos V5 product, you will therefore find the Oracle Solaris version very familiar. Because the Kerberos V5 protocol is a de facto industry standard for network security, the Oracle Solaris version enables secure transactions over heterogeneous networks. Moreover, the service provides authentication and security both between domains and within a single domain.

The Kerberos service provides flexibility in running Oracle Solaris applications. You can configure the service to enable both Kerberos-based and non-Kerberos-based requests for network services such as the NFS service and ftp. As a result, current applications still work even if they are running on systems on which the Kerberos service is not enabled. Of course, you can also configure the Kerberos service to enable only Kerberos-based network requests.

The Kerberos service security mechanism allows the use of Kerberos for authentication, integrity, and privacy when using applications that use the Generic Security Service Application Programming Interface (GSS-API). However, applications do not have to remain committed to the Kerberos service if other security mechanisms are developed. Because the service is designed to integrate modularly into the GSS-API, applications that use the GSS-API can choose the security mechanism that best suits their needs.