Newbie question about Kerberos

[Mike Friedman]

On Wed, 9 Feb 2005 at 08:41 (-0800), Paul Silverman wrote:

> When the TGS issues a ticket to a user to access an application which
> accepts Kerberos as an authentication protocol, what is precisely the
> process to ensure that the ticket is valid and therefore access can be
> granted ?
>
> Does the Kerberized app forward the ticket to the authentification
> service of the KDC in order to make sure that the ticket is indeed valid
> ?  Or does it check with its own local directory ?

Paul,

The ticket presented to the application contains information encrypted (by
the KDC) in the application's secret key, which should be known only by
the KDC and the application.  If the application can decrypt and read this
information, it knows that the ticket must have been issued by the KDC.
Even the client who is presenting the ticket can't decrypt that portion of
the ticket;  it just passes it along to the application.

Thus, there is no need for the application to have online access to the
KDC when it is validating a ticket.

But I should point out that this doesn't mean the user (client) should be
given access to the application.  Kerberos just authenticates the user -
i.e., vouches for the association between the client that is connecting to
the application and the identifier (principal name) it's using to
authenticate. Once it knows which identifier it is dealing with, the
application must consult its own information (perhaps in a Directory) to
determine the level of access it should grant to the corresponding user.

Mike

------------------------------------------------------------------------------
Mike Friedman                             System and Network Security
mikef at ack.Berkeley.EDU                    2484 Shattuck Avenue
1-510-642-1410                            University of California at Berkeley
http://ack.Berkeley.EDU/~mikef            http://security.berkeley.edu
------------------------------------------------------------------------------