Understanding important Kerberos terms
We now have a simplistic view of how the Kerberos protocol works. Next, let's go through
some important terms used in a Kerberos environment.
• Kerberized: Any service that has been configured to use Kerberos authentication is said to be kerberized.
• Realm: A realm is an authentication administrative domain. It defines the network environment. You can think of it as a network domain for authentication, for example, MYREALM.COM.
• Principal: A principal is considered to be any entity that has an entry in the KDC database. A principal can be any user, service, or server in the environment defined by the realm. The principal is made up of three parts: primary, instance, and realm.
  ◦ Primary: For a user who is part of the Kerberos configuration, the username will be the primary of the principal, for example, rohitm@MYREALM.COM, where rohitm is the user under the realm MYREALM.COM.
  ◦ Instance: For a user that needs further qualification, an instance can be applied. For example, if you need to qualify the user as an administrator, the user principal would look like rohitm/admin@MYREALM.COM.
  ◦ Realm: For a service running on a host that is part of the Kerberos configuration, the principal would be hdfs/node1.hcluster.com@MYREALM.COM. In this case, we are stating that the principal is the hdfs service running on the host node1.hcluster.com.
• Keys: The KDC is the centralized location for all the keys associated with principals on the network. In other words, each principal will have a key in the KDC. This is a shared secret key, that is, only the principal and the KDC are aware of the key. The key is used to encrypt and decrypt tickets for the purpose of authentication.
• Keytab: A keytab is a file that is synonymous to the /etc/passwd file that stores user passwords in a Linux system. It contains a list of keys for a specific service. Unlike user principals that use the user's password as the key, a service uses a key generated and stored in a keytab file for authentication. The key in the keytab is a shared secret key that also resides in the KDC.
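The primary/instance/realm structure described above is easier to reason about when you can take a principal string apart and put it back together. The following Python is an added example, not code from the book: it parses a principal of the form primary[/instance][@REALM], honouring the backslash escaping that MIT Kerberos uses for literal '/', '@' and '\' characters, re-serialises it, and applies a simple host-based heuristic (an instance containing a dot is treated as a host, which is an assumption of this example, not a Kerberos rule) to tell the book's user principals from its service principal.

```python
"""Parse Kerberos principal names into primary, instance and realm.

Added example (not from the book). Escaping follows the MIT convention:
a backslash makes the next character literal, so 'a\\/b@R' is a single
component 'a/b' in realm 'R'. Sample principals are the book's own examples.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Characters that must be escaped when they appear inside a component or realm.
SPECIAL = "/@\\"


@dataclass(frozen=True)
class Principal:
    components: Tuple[str, ...]   # ("primary",) or ("primary", "instance", ...)
    realm: Optional[str]          # None when the name carries no '@REALM'

    @property
    def primary(self) -> str:
        return self.components[0]

    @property
    def instance(self) -> Optional[str]:
        return self.components[1] if len(self.components) > 1 else None

    def __str__(self) -> str:
        """Serialise back to text, re-escaping special characters."""
        name = "/".join(_escape(c) for c in self.components)
        return name if self.realm is None else f"{name}@{_escape(self.realm)}"


def _escape(text: str) -> str:
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in text)


def parse_principal(text: str) -> Principal:
    """Split 'primary[/instance][@REALM]' on unescaped '/' and '@'."""
    components = []
    buf = []
    in_realm = False
    i = 0
    while i < len(text):
        ch = text[i]
        if ch == "\\":
            if i + 1 >= len(text):
                raise ValueError("dangling backslash at end of principal")
            buf.append(text[i + 1])      # literal next character
            i += 2
            continue
        if not in_realm and ch == "/":
            components.append("".join(buf))
            buf = []
        elif not in_realm and ch == "@":
            components.append("".join(buf))
            buf = []
            in_realm = True
        elif in_realm and ch in "/@":
            raise ValueError(f"unescaped {ch!r} inside realm")
        else:
            buf.append(ch)
        i += 1
    realm = None
    if in_realm:
        realm = "".join(buf)
        if not realm:
            raise ValueError("empty realm after '@'")
    else:
        components.append("".join(buf))
    if any(c == "" for c in components):
        raise ValueError("empty component in principal")
    return Principal(tuple(components), realm)


def is_host_based(p: Principal) -> bool:
    """Heuristic (assumption of this example): a service principal such as
    hdfs/node1.hcluster.com@MYREALM.COM carries a host name as its instance."""
    return p.instance is not None and "." in p.instance


if __name__ == "__main__":
    for name in ("rohitm@MYREALM.COM",
                 "rohitm/admin@MYREALM.COM",
                 "hdfs/node1.hcluster.com@MYREALM.COM"):
        p = parse_principal(name)
        kind = "service (host-based)" if is_host_based(p) else "user"
        print(f"{name}: primary={p.primary} instance={p.instance} "
              f"realm={p.realm} -> {kind}")
```

Running the block prints the three parts of each of the book's example principals; the round trip through str() is what you would rely on when generating principal names for a keytab, since a literal '/' or '@' in a host or user name has to be escaped or it silently becomes a separator.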