2025-01-15 Update From: SLTechnology News&Howtos
Shulou (Shulou.com) 06/01 Report
Kerberos is an authentication system developed at MIT in which three parties, the client, the service and a trusted third party, verify one another; the author sees in it the Western idea of separation of powers. The name comes from Cerberus, the three-headed watchdog of the underworld in Greek mythology, which also makes a cameo in Harry Potter.
Yes, jump, jump right into the pit. The author came to Kerberos late as well.
The system is designed around a client/server structure and DES encryption, and authentication is mutual: the client and the server can each verify the other. It protects against eavesdropping and replay attacks and provides data integrity, and it manages keys with a symmetric-key system. (Baidu Encyclopedia)
DES is the cipher of the original design; it has been deprecated for Kerberos (RFC 6649), and current implementations use AES encryption types.
Even the most basic user login system has three parts: authentication, authorization, and the actual service request. Kerberos is no exception, and its flow falls into the same three stages.
Kerberos has several key services and functions that we must understand. The core is the KDC, the Key Distribution Center; think of it as the bank's database. All of the initial verification and ticket issuing happens there. The ATM that hands out the money is then the service we actually want to reach (the desired network service).
The first step is authentication: you must prove that you are who you claim to be. For that you need something to authenticate as, which in Kerberos is the Principal; think of it as your bank card. Without a Principal you are standing at the bank with no card. Of course, the ATM neither knows nor cares who is holding the card, so you must make sure your card and PIN never fall into a robber's hands. Not flaunting your wealth on WeChat Moments is your job, not Kerberos's.
So the Principal is your bank card. What comes after inserting the card? Entering the PIN, of course. Just as in the real world, anyone who holds your card and knows your PIN, whether that is you or a relative, can withdraw money at the ATM. Kerberos is the same: every Principal has a password, set when the Principal is created, and you must protect it. There is one difference, though. In Kerberos the password is not itself sent anywhere to identify you; it is turned into a key that encrypts and decrypts the ticket exchange, so the password never travels over the network.
The client, that is, you, inserts the card and enters the PIN. Client-side Kerberos derives a key from the password you typed and, with pre-authentication (the default today), uses it to encrypt a timestamp; it sends that together with your Principal name to the KDC's AS, the Authentication Service. The AS looks the Principal up in the local Kerberos database, decrypts the timestamp with the key stored there and, if that succeeds and the time is within the allowed skew, returns a TGT (Ticket-Granting Ticket) plus a session key encrypted with your key. The TGT itself is encrypted with the KDC's own key, so the client can carry it around but cannot read or forge it. If the password is wrong the decryption fails, the AS issues nothing, and no further service can be requested. The cipher in the original design was DES; modern deployments use AES.
Suppose the ATM has confirmed your identity against the bank's database. The next question is whether you want to withdraw or transfer. For the explanation we separate the right to withdraw from the right to transfer, although a real ATM of course does both.
Next, the client sends the TGT, together with an authenticator encrypted under the session key it just received, to the KDC's Ticket Granting Service (TGS), asking for a ticket to one specific service; in the analogy, asking whether this card may be used for transfers.
If so, the TGS returns a service ticket (not another TGT) to the client: your identity is confirmed, and here is a ticket for the transfer service (the desired network service). Strictly speaking, in MIT Kerberos the TGS only checks that the requested service principal exists in its database; whether your account is actually allowed to transfer money is decided by the service itself once it receives the ticket.
The client then presents this ticket to the transfer service. The service does not need to ask the KDC again: it decrypts the ticket with its own long-term key, taken from its keytab, checks the authenticator, and knows who the caller is. From there the service applies its own access rules.
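The three exchanges described above, AS, TGS and the final request to the service, as an added example in runnable form (this is not the article's code, nor MIT Kerberos's; it is a stand-alone model). The cipher is a stand-in for a Kerberos encryption type, the messages are a simplified RFC 4120, and the realm HADOOP.COM, the user xianglei@HADOOP.COM, the service hdfs/dmp-master1.hadoop@HADOOP.COM and the password are all constructed for the demo. It shows the points the text makes: the password is never transmitted, the TGT is opaque to the client, the TGS refuses a service name that is not in its database, and the service verifies the ticket with its own keytab key without contacting the KDC.

```python
"""Toy model of the Kerberos AS / TGS / AP exchanges, standard library only.
Added example, not the article's or MIT Kerberos's code: the cipher stands in for a Kerberos
encryption type (DES historically, AES today) and every name, password and key is constructed."""
import hashlib
import hmac
import json
import os
import time

# Toy authenticated cipher: SHA-256 keystream plus HMAC tag. A stand-in only, NOT real crypto.
def _stream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def string2key(password, principal):  # password -> long-term key, salted like Kerberos string2key
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

class KDC:
    def __init__(self, realm):
        self.krbtgt = f"krbtgt/{realm}@{realm}"
        self.db = {self.krbtgt: os.urandom(32)}    # principal -> long-term key

    def as_exchange(self, req):
        """AS-REQ -> AS-REP: the client proves it knows the password without sending it."""
        key = self.db.get(req["cname"], b"")                    # unknown principal: fails below
        try:
            skew = abs(decrypt(key, req["padata"])["timestamp"] - time.time())
        except ValueError:
            skew = float("inf")
        if skew > 300:
            raise PermissionError("pre-authentication failed (wrong key or clock skew)")
        sk = os.urandom(32)                                     # client/TGS session key
        tgt = encrypt(self.db[self.krbtgt], {"cname": req["cname"], "key": sk.hex()})  # KDC-only
        return {"ticket": tgt.hex(), "enc-part": encrypt(key, {"key": sk.hex()}).hex()}

    def tgs_exchange(self, req):
        """TGS-REQ -> TGS-REP: TGT plus authenticator buy a ticket for one named service."""
        tgt = decrypt(self.db[self.krbtgt], bytes.fromhex(req["ticket"]))
        auth = decrypt(bytes.fromhex(tgt["key"]), bytes.fromhex(req["authenticator"]))
        if auth["cname"] != tgt["cname"]:
            raise PermissionError("authenticator does not match ticket")
        if req["sname"] not in self.db:              # e.g. short hostname instead of the FQDN
            raise PermissionError("Server not found in Kerberos database")
        sk = os.urandom(32)                          # client/service session key
        st = encrypt(self.db[req["sname"]], {"cname": tgt["cname"], "key": sk.hex()})
        return {"ticket": st.hex(),
                "enc-part": encrypt(bytes.fromhex(tgt["key"]), {"key": sk.hex()}).hex()}

class Client:
    def __init__(self, kdc, name, password):
        self.kdc, self.name = kdc, name
        self.key = string2key(password, name)        # the password itself never leaves here

    def kinit(self):
        rep = self.kdc.as_exchange({"cname": self.name,
                                    "padata": encrypt(self.key, {"timestamp": time.time()})})
        self.tgt = rep["ticket"]                     # opaque blob, cached and re-presented
        self.tgt_key = bytes.fromhex(decrypt(self.key, bytes.fromhex(rep["enc-part"]))["key"])

    def ap_req(self, sname):
        auth = encrypt(self.tgt_key, {"cname": self.name, "timestamp": time.time()})
        rep = self.kdc.tgs_exchange({"ticket": self.tgt, "authenticator": auth.hex(), "sname": sname})
        sk = bytes.fromhex(decrypt(self.tgt_key, bytes.fromhex(rep["enc-part"]))["key"])
        return {"ticket": rep["ticket"],
                "authenticator": encrypt(sk, {"cname": self.name, "timestamp": time.time()}).hex()}

class Service:
    """Application server: checks the AP-REQ with its own keytab key, no KDC round trip."""
    def __init__(self, kdc, sname):
        self.keytab = kdc.db[sname] = os.urandom(32)   # real life: kadmin ktadd writes the keytab

    def accept(self, ap_req):
        ticket = decrypt(self.keytab, bytes.fromhex(ap_req["ticket"]))
        auth = decrypt(bytes.fromhex(ticket["key"]), bytes.fromhex(ap_req["authenticator"]))
        if auth["cname"] != ticket["cname"]:
            raise PermissionError("authenticator does not match ticket")
        return ticket["cname"]      # who the caller is; what they may do is the service's call

def demo(password="correct-horse", sname="hdfs/dmp-master1.hadoop@HADOOP.COM"):
    """Login, fetch a service ticket, present it; returns the principal the service accepted."""
    user = "xianglei@HADOOP.COM"                              # constructed demo account
    kdc = KDC("HADOOP.COM")
    kdc.db[user] = string2key("correct-horse", user)          # kadmin addprinc equivalent
    svc = Service(kdc, "hdfs/dmp-master1.hadoop@HADOOP.COM")
    client = Client(kdc, user, password)
    client.kinit()
    return svc.accept(client.ap_req(sname))
```

`demo()` returns the accepted principal; `demo("wrong-password")` fails at the AS because the encrypted timestamp does not decrypt, and `demo(sname="hdfs/dmp-master1@HADOOP.COM")` fails at the TGS with the familiar "Server not found in Kerberos database", which is exactly what a short host name in the instance produces in a real deployment.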
That is the general flow. One point worth understanding for people new to Kerberos: Kerberos is not a replacement for protecting host login, which is what SSH does. Kerberos mainly protects application services running on top of the operating system, such as MySQL, PostgreSQL, Hadoop and HBase, by authenticating each request made to them. Put another way, SSH asks who you are when you log in to a machine; Kerberos answers that same question for every network service you talk to, and what you may then do is for each service to decide.
Next, some key terms in Kerberos that make the rest easier to follow.
KDC: as we already know, the core service of Kerberos.
Principal: the authentication subject; if that is hard to grasp, think of it as your SSH user name.
Keytab: a file holding a Principal's key, so that a service or batch job can authenticate without anyone typing a password; think of it as the private key for password-less SSH login, and protect it just as carefully.
TGT: the Ticket-Granting Ticket the KDC issues after a successful login. It is encrypted with the KDC's own key, is cached by the client, and is presented back to the KDC to request service tickets; the client only gets the accompanying session key by decrypting with a key derived from its password or keytab. It contains no password or long-term key.
SPNEGO: the Simple and Protected GSS-API Negotiation Mechanism (RFC 4178). It is not part of the Kerberos protocol itself but a negotiation layer on top of GSS-API; its best-known use is HTTP Negotiate authentication (RFC 4559), popularised by Microsoft, which is how Kerberos ends up protecting HTTP services such as REST APIs.
To close this first Kerberos article, let's take a Principal apart to see what the bank card is made of.
Xianglei/dmp-master1.hadoop@HADOOP.COM
A complete Principal consists of three parts:
user name / FQDN (Fully Qualified Domain Name) host name @ REALM (the protected realm, all uppercase)
In the Hadoop deployments this series is about, this user name is mapped to a user that exists on Linux; Kerberos itself does not require that.
FQDN, fully qualified domain name: always write hostname.domain in full. If your host has no domain there is of course nothing to append, but either way it is the host name plus the domain name where one exists. Strictly, in Kerberos this part is not called the host name but the Instance, and it need not be the name of any server at all; the host name is simply the easiest way to understand it, so let's treat it as the host name for now.
REALM: the domain protected by Kerberos, a collection of servers or server groups under one Kerberos authority; think of it as a domain in Windows. Because one KDC can serve several realms at once, for example a HADOOP server group and a MYSQL server group on the same KDC, we usually use domain-name-like names to tell them apart.
If your host names carry a domain, write the full name in the second part of the Principal. Clients build the service principal they ask for from the host's canonical DNS name, and the KDC will only issue tickets for a service name that exists in its database; with a mismatched instance it reports that the server is not in the Kerberos database. The host name is therefore part of the identity the encrypted ticket carries.
Also note that the domain (domain name) in the second part and the realm in the third part are written with the same word in Chinese, but the English terms are different and so are their meanings. Because the Realm is usually written like a domain name it is easy to confuse the two, but the realm is closer to a workgroup or home network name in Windows: it can be anything, it does not have to be your real DNS domain, and it is simply a label that distinguishes one set of services from another.
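A small parser for the primary/instance@REALM form just described, added here as an example (it is not MIT Kerberos's own parser and not code from the article). It follows the MIT quoting rule that a backslash escapes "/", "@" and "\" inside a component, and turns the article's conventions into checks: the realm should be uppercase and a service instance should be a lowercase FQDN rather than a short host name. The article's own Xianglei/dmp-master1.hadoop@HADOOP.COM is used as input; the other sample names and the warning texts are constructed for the demo.

```python
"""Parse and sanity-check Kerberos principal names of the form primary/instance@REALM.

Added example for this article, not MIT Kerberos's own parser. It follows the MIT quoting
rules (backslash escapes '/', '@' and '\\') and the conventions the article describes; the
warning texts and the sample names other than the article's own are constructed here.
"""
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Principal:
    primary: str                 # user name or service name, e.g. Xianglei or hdfs
    instance: Optional[str]      # FQDN for service principals; usually absent for users
    realm: str                   # the Kerberos realm, by convention all uppercase

    def __str__(self) -> str:
        def esc(s: str) -> str:  # re-apply MIT escaping so the name round-trips
            return s.replace("\\", "\\\\").replace("/", "\\/").replace("@", "\\@")
        name = esc(self.primary) + (f"/{esc(self.instance)}" if self.instance else "")
        return f"{name}@{self.realm}"


def parse_principal(text: str, default_realm: Optional[str] = None) -> Principal:
    """Split on unescaped '/' and '@'; a missing @REALM falls back to default_realm."""
    components, buf, realm, i = [], "", None, 0
    while i < len(text):
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):          # escaped character, keep it literally
            buf += text[i + 1]
            i += 2
            continue
        if realm is None and ch == "/":
            components.append(buf)
            buf = ""
        elif realm is None and ch == "@":
            components.append(buf)
            buf, realm = "", ""                        # everything after '@' is the realm
        else:
            buf += ch
        i += 1
    if realm is None:
        components.append(buf)
        if not default_realm:
            raise ValueError(f"{text!r}: no @REALM and no default realm")
        realm = default_realm
    else:
        realm = buf
    if not all(components) or not realm:
        raise ValueError(f"{text!r}: empty primary, instance or realm")
    if len(components) > 2:
        raise ValueError(f"{text!r}: more than primary/instance is legal, but not the form used here")
    return Principal(components[0], components[1] if len(components) == 2 else None, realm)


def lint_principal(p: Principal) -> List[str]:
    """The article's conventions as warnings: uppercase realm, lowercase fully qualified instance."""
    warnings = []
    if p.realm != p.realm.upper():
        warnings.append(f"realm {p.realm!r} is not uppercase; REALM is conventionally uppercase")
    if p.instance is not None:
        if "." not in p.instance:
            warnings.append(f"instance {p.instance!r} is a short host name, not an FQDN; clients ask "
                            "for the canonical name and the KDC will report the server as not found")
        if p.instance != p.instance.lower():
            warnings.append(f"instance {p.instance!r} has uppercase letters; host names are "
                            "canonicalised to lowercase")
    return warnings


def service_principal(service: str, hostname: str, realm: str) -> Principal:
    """Build the name a client asks for: service/canonical-lowercase-fqdn@REALM."""
    return Principal(service, hostname.rstrip(".").lower(), realm.upper())
```

`lint_principal(parse_principal("hdfs/dmp-master1@hadoop.com"))` returns two warnings (short host name, lowercase realm), while the article's example parses cleanly and `str()` reproduces it exactly; `service_principal("hdfs", "DMP-Master1.hadoop.", "hadoop.com")` shows the canonical form a client would request.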
The next article covers installation and configuration.