Kerberos, a network authentication protocol, provides a way to identify users. Any time users request a network service, such as a database connection, they must prove their identity.

Kerberos was originally developed at MIT as a solution to the security issues of open network computing environments. Kerberos is a trusted third-party authentication service that verifies users' identities.

Kerberos keeps a database (the Kerberos server) of its clients and their private keys. The private key is a complex formula-driven value known only to Kerberos and the client to which it belongs. If the client is a user, the private key is an encrypted password.

Both network services that require authentication and clients who want to use these services must register with Kerberos. Because Kerberos knows the private keys of all clients, it creates messages that validate the client to the server and vice versa.
In a nutshell, here is how Kerberos works:

1. The user obtains credentials that are used to request access to network services. These credentials are obtained from the Kerberos server and are in the form of a Ticket-Granting Ticket (TGT). This TGT authorizes the Kerberos server to grant the user a service ticket, which authorizes his access to network services.

2. The user requests authentication for a specific network service. The Kerberos server verifies the user's credentials and sends a service ticket to him.

3. The user presents the service ticket to the end server. If the end server validates the user, the service is granted.
Figure 2-9 shows an example of requesting a database connection (a network service) when using Kerberos.

An application user requests a database connection after a TGT has been obtained:

1. The application sends a request for a database connection to the Kerberos server.

2. The Kerberos server sends back a service ticket.

3. The application sends the service ticket to the database server.

4. The database server validates the client and grants the connection.
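The two numbered flows above describe the same exchange from two angles: the Kerberos server holds every registered key, hands out a TGT, turns a TGT into a service ticket, and the end server (here, the database) accepts only a ticket it can verify with its own key. The following is an added illustration, not code from the original page or from any Kerberos implementation. It models both sides of each message with a toy encrypt-then-MAC "seal" over JSON (an assumption standing in for Kerberos encryption types; do not reuse it as a cipher), and it adds one detail the page's summary leaves out: each request carries a short authenticator sealed under the session key, so presenting a stolen ticket alone is not enough. Principal names, the password and the ticket lifetime are constructed sample values.

```python
import hashlib
import hmac
import json
import os
import time

def derive_key(password: str, principal: str) -> bytes:
    """Long-term key from a password: simplified stand-in (assumption) for string-to-key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt-then-MAC a JSON object under key; layout is nonce | ciphertext | tag."""
    pt = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Reject anything not sealed under key (wrong key or tampering), then decrypt."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KerberosServer:
    """The Kerberos server: the database of every registered client and service key."""
    def __init__(self):
        self.keys = {}
        self.tgs_key = os.urandom(32)   # seals TGTs; known only to the Kerberos server

    def register(self, principal: str, key: bytes):
        self.keys[principal] = key

    def authenticate(self, user: str):
        """Step 1: return a TGT plus a session key that only the user's key can open."""
        session = os.urandom(32)
        tgt = seal(self.tgs_key, {"user": user, "session": session.hex(),
                                  "exp": time.time() + 600})
        return seal(self.keys[user], {"session": session.hex()}), tgt

    def grant_service(self, tgt: bytes, authenticator: bytes, service: str):
        """Step 2: verify the TGT and issue a service ticket sealed under the service's key."""
        body = unseal(self.tgs_key, tgt)
        tgs_session = bytes.fromhex(body["session"])
        auth = unseal(tgs_session, authenticator)   # proves the caller holds the session key
        if auth["user"] != body["user"] or body["exp"] < time.time():
            raise PermissionError("TGT does not match requester or has expired")
        svc_session = os.urandom(32)
        ticket = seal(self.keys[service], {"user": auth["user"], "session": svc_session.hex(),
                                           "exp": time.time() + 600})
        return seal(tgs_session, {"session": svc_session.hex()}), ticket

class DatabaseServer:
    """End server: validates the ticket with its own registered key, then grants access."""
    def __init__(self, key: bytes):
        self.key = key

    def connect(self, ticket: bytes, authenticator: bytes) -> str:
        """Steps 3-4: only a ticket the Kerberos server sealed under our key is accepted."""
        body = unseal(self.key, ticket)
        auth = unseal(bytes.fromhex(body["session"]), authenticator)
        if auth["user"] != body["user"] or body["exp"] < time.time():
            raise PermissionError("ticket does not match requester or has expired")
        return body["user"]   # connection granted as this principal

def run_example() -> str:
    """Client side of the whole flow: TGT, then service ticket, then the connection."""
    kdc = KerberosServer()
    user_key = derive_key("correct horse battery", "alice")   # constructed password
    db_key = os.urandom(32)                                    # the service's registered key
    kdc.register("alice", user_key)
    kdc.register("db/sales", db_key)
    db = DatabaseServer(db_key)
    enc, tgt = kdc.authenticate("alice")                                   # 1. obtain TGT
    tgs_session = bytes.fromhex(unseal(user_key, enc)["session"])
    enc, ticket = kdc.grant_service(tgt, seal(tgs_session, {"user": "alice"}), "db/sales")  # 2.
    svc_session = bytes.fromhex(unseal(tgs_session, enc)["session"])
    return db.connect(ticket, seal(svc_session, {"user": "alice"}))        # 3-4. validated

def tampered_ticket_is_rejected() -> bool:
    """A ticket the database server cannot verify never turns into a connection."""
    db_key = os.urandom(32)
    db = DatabaseServer(db_key)
    ticket = seal(db_key, {"user": "alice", "session": os.urandom(32).hex(),
                           "exp": time.time() + 600})
    damaged = ticket[:20] + bytes([ticket[20] ^ 0xFF]) + ticket[21:]   # one ciphertext byte altered
    try:
        db.connect(damaged, b"")
        return False
    except ValueError:
        return True
```

`run_example()` returns the principal name the database server validated ("alice"); every message is sealed under a key that only its intended reader holds, which is what lets the page's "validate the client to the server and vice versa" work without the database ever seeing the user's password. `tampered_ticket_is_rejected()` shows the other half: a ticket that was not sealed by the Kerberos server fails the integrity check before any of its fields are trusted.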