Authentication is the most basic security service in a distributed computing environment.
Authentication techniques require that you prove your identity or a program proves its authentication. This can be done by using any one or more of the following:
Authentication techniques range from quite simple to very complex. The traditional use of passwords is a middle-of-the road example of an authentication method. Other authentication techniques include:
The Berkeley “r” commands are UNIX client and server facilities that perform useful services in a UNIX network. The commands rely on simple authentication techniques, such as secure login, host.equiv files, and .rhost files. Security using r commands is intended for a relatively open and trusting network environment. These r commands include:
To use these commands, a user must have an account on the destination host (the server). To authenticate a user, the host can:
The Kerberos protocol provides network security by regulating user access to networking services.
In a Kerberos environment, at least one system runs the Kerberos Server. This system must be kept secure. The Kerberos Server, referred to as a trusted server, provides authentication services to prove that the requesting user is genuine. Another name for the Kerberos Server is the Key Distribution Center (KDC).
Other servers on the network, and all clients, are assumed by the system administrator to be untrustworthy. For the Kerberos protocol to work, all systems relying on the protocol must trust only the Kerberos server itself.
In addition to providing authentication, Kerberos can supply other security services such as:
Kerberos uses private key encryption based on the Data Encryption Standard (DES). Each client and server has a private DES key. The Kerberos protocol refers to these clients and servers as principals. The client's password maps to the client's private key.
The Kerberos Server maintains a secure database list of the names and private keys of all clients and servers that are allowed to use the Kerberos Server's services. Kerberos assumes that all users (clients and servers) keep their passwords secure.
The Kerberos protocol solves the problem of how a server can be sure of a client’s identity. Kerberos does this by having both the client and server trust a third party, in this case, the Kerberos Server. The Kerberos Server verifies the client's identity.
Some of the terms commonly associated with Kerberos include:
Kerberos refers to clients and servers as principals and assigns each one a name. An example of the general naming format is name.instance@realm
name — For clients, this is the user’s login name; for servers, it is the name of the service provided, usually rcmd
instance — This is usually omitted and unnecessary for clients; for Kerberos administrators, the value is admin; for servers, it identifies the machine name of the application server that has Kerberos authentication support. For example, if the rlogin server on merlin has Kerberos authentication support, the principal would have the following format:
rcmd.merlin@your_realm
realm — is associated with all principals in a Kerberos database and is the name of a group of machines, such as those on a LAN; it identifies the Kerberos domain.
You can omit the instance and realm components from some principals. For example, a possible principal for jones (for user Jones in the local domain) could be jones@daisy.com for user Jones in the daisy.com domain. A possible principal could also be rcmd.merlin (for the rlogin server in the local domain) or rcmd.merlin@daisy.com (for the rlogin server on merlin in the domain daisy.com).
A ticket-granting ticket contains an encrypted form of the user’s Kerberos password. Use it to obtain application service tickets from the Kerberos server. You cannot use Kerberos authentication without first having this ticket-granting ticket.
The ticket-granting ticket has an associated lifetime that the Kerberos server specifies. This lifetime is generally eight hours. You can use the same ticket over and over again, until you no longer need the ticket or it expires.
Kerberos uses service tickets to verify a client’s identity to an application server. The Kerberos server encrypts the service ticket with the application server’s private key. Only that application server can decrypt the service ticket.
The Kerberos protocol uses authenticators to prevent eavesdroppers from stealing a ticket. The client sends a new authenticator with each service request. An authenticator consists of the client’s name and IP address, and a timestamp showing the current time.
The server uses the information in the authenticator to confirm that the rightful owner presents the accompanying ticket. For this to be true, the client and server must synchronize their clocks. One way of doing this is through the Network Time Protocol (NTP).