Stolen from /mit/ghudson/info/athena

Many Athena services use a security system called Kerberos. Kerberos
can be thought of as a service for negotiating shared secrets between
unfamiliar parties.

A central server called a KDC (Key Distribution Center) has a
pre-shared secret with each user and with each service. The secrets
shared with users are conventionally called "passwords"; the secrets
shared with services are conventionally called "keytabs" (or
"srvtabs", in older jargon). Together, users and services are called
"principals".

When one principal requests to negotiate a shared key with another
principal, the KDC makes up a random new key (called a "session key"),
encrypts it once in each principal's key (along with a bunch of other
information), and sends both pieces of ciphertext back to the first
principal, which in turn sends the appropriate piece to the second
principal when it is ready to talk. Since each principal can recover
the session key by decrypting its own piece of ciphertext, the two now
have a shared secret which they can use to communicate securely.
Kerberos clients record these pieces of information in "credential
caches" (or "ticket files" in older jargon; neither term is
particularly correct, since the file is not strictly a cache and
stores more than just tickets).

There are two versions of the Kerberos protocol in use on Athena, 4
and 5. The Kerberos 5 protocol supports more features and different
types of cryptographic algorithms, but is also a great deal more
complicated.

See http://web.mit.edu/kerberos/www for more complete and precise
information about Kerberos. Athena services which use Kerberos
include AFS, discuss, zephyr, olc, moira, and remote login and FTP
(when both parties support it).
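As an added illustration of the exchange described above (example code written for this page, not real Kerberos code and not from the original document): a toy KDC mints a session key, encrypts it once in the client's key and once in the service's key, and the client forwards the service's piece as the ticket. The principal names, the SHA-256 keystream with an HMAC tag standing in for a real Kerberos encryption type, and the expiry check are all assumptions of this example.

```python
import hashlib, hmac, json, os, time

def _keystream(key, nonce, length):
    # Toy keystream: SHA-256 over key||nonce||counter (stand-in for a real cipher)
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()  # integrity tag
    return nonce + ct + tag

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def kdc_issue(kdc_db, client, service, lifetime=3600):
    """KDC: mint a random session key and encrypt it once in each principal's key."""
    session_key = os.urandom(32)
    info = {"session_key": session_key.hex(), "client": client,
            "service": service, "expires": int(time.time()) + lifetime}
    client_part = encrypt(kdc_db[client], json.dumps(info).encode())   # client's key
    ticket = encrypt(kdc_db[service], json.dumps(info).encode())       # service's keytab
    return client_part, ticket

def client_open(client_key, client_part):
    # The client reads its own piece; the ticket stays opaque to it.
    return json.loads(decrypt(client_key, client_part))

def service_accept(service_key, ticket, claimed_client):
    # The service decrypts the forwarded ticket with its keytab and checks it.
    info = json.loads(decrypt(service_key, ticket))
    if info["client"] != claimed_client or info["expires"] < time.time():
        raise ValueError("ticket does not match caller or has expired")
    return bytes.fromhex(info["session_key"])

def demo():
    # Constructed secrets: the KDC holds both; each principal holds only its own.
    kdc_db = {"alice": hashlib.sha256(b"alice-password").digest(),
              "host/ws.example": os.urandom(32)}
    client_part, ticket = kdc_issue(kdc_db, "alice", "host/ws.example")
    session_key = bytes.fromhex(client_open(kdc_db["alice"], client_part)["session_key"])
    return session_key == service_accept(kdc_db["host/ws.example"], ticket, "alice")
```

Running `demo()` returns True when both sides end up holding the same session key; the client never learns the service's key and cannot open the ticket it forwards.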