Two additional options can be set in a client's request to the Key Distribution Center. The RENEWABLE-OK option indicates that the client will accept a renewable ticket if a ticket with the requested life cannot otherwise be provided. In that case the Key Distribution Center can issue a renewable ticket with a renew-till equal to the requested end time. The value of the renew-till field can still be adjusted by site-determined limits or by limits imposed on the individual principal or server.
The ENC-TKT-IN-SKEY option is honored only by the Ticket Granting Service. It indicates that the to-be-issued ticket for the end server is to be encrypted in the session key from the additional Ticket Granting Ticket provided with the request.
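The RENEWABLE-OK decision described above, as an added example that is not code from the original text. It models only the lifetime arithmetic a Key Distribution Center performs: the site limits, the sample clock value and the function name `decide_lifetime` are all constructed for the demonstration.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional, Set, Tuple

HOUR = timedelta(hours=1)
# Constructed sample "now" used by the demonstration and its checks.
NOW = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)

# Hypothetical site-determined limits; a real KDC takes these from its own
# policy and from per-principal and per-server limits.
SITE_MAX_LIFE = 10 * HOUR
SITE_MAX_RENEWABLE_LIFE = 7 * 24 * HOUR


def decide_lifetime(
    now: datetime,
    requested_till: datetime,
    renewable_ok: bool,
    max_life: timedelta = SITE_MAX_LIFE,
    max_renewable_life: timedelta = SITE_MAX_RENEWABLE_LIFE,
) -> Tuple[datetime, Optional[datetime], Set[str]]:
    """Choose endtime, renew-till and ticket flags for a request.

    - endtime is the requested end time, capped by the site's maximum life.
    - If that cap cut the requested life short and the client set
      RENEWABLE-OK, the ticket becomes renewable and renew-till is the
      requested end time, itself capped by the site's maximum renewable life.
    - Without RENEWABLE-OK the client simply receives the shorter ticket.
    """
    flags: Set[str] = set()
    endtime = min(requested_till, now + max_life)
    renew_till: Optional[datetime] = None
    if endtime < requested_till and renewable_ok:
        flags.add("RENEWABLE")
        renew_till = min(requested_till, now + max_renewable_life)
    return endtime, renew_till, flags


if __name__ == "__main__":
    # A client asks for a 24-hour ticket at a site that caps tickets at 10 hours.
    end, till, flags = decide_lifetime(NOW, NOW + 24 * HOUR, renewable_ok=True)
    print("endtime:", end, "renew-till:", till, "flags:", flags)
```

Note that the renewable ticket is only issued when the requested life could not be met; a request that fits within the site limit comes back as a plain ticket regardless of RENEWABLE-OK, and a very long request has its renew-till clamped to the site's renewable limit rather than to the requested end time.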
Every time a new application is started, or a new session is established, the Kerberos-enabled applications communicate with the client to authenticate the user. The following sections describe the interactions between network clients and servers and the messages involved in those exchanges.
This section describes the format and encryption parameters for tickets and authenticators. When a ticket or authenticator is included in a protocol message, it is treated as an opaque object.
Tickets
A ticket is a record that helps a client authenticate to a service. A ticket contains the following information:
```
Ticket = {
    tkt-vno[0]    INTEGER,
    realm[1]      Realm,
    sname[2]      PrincipalName,
    enc-part[3]   EncryptdData
}

-- Encrypted part of ticket
EncryptdData = {
    flags[0]                TicketFlags,
    key[1]                  EncryptionKey,
    crealm[2]               Realm,
    cname[3]                PrincipalName,
    transited[4]            TransitedEncoding,
    authtime[5]             KerberosTime,
    starttime[6]            KerberosTime OPTIONAL,
    endtime[7]              KerberosTime,
    renew-till[8]           KerberosTime OPTIONAL,
    caddr[9]                HostAddresses OPTIONAL,
    authorization-data[10]  AuthorizationData OPTIONAL
}

-- encoded Transited field
TransitedEncoding = {
    tr-type[0]    INTEGER,      -- must be registered
    contents[1]   BYTE STRING
}
```
The encoding of EncryptdData is encrypted in the key shared by Kerberos and the end server (the server's secret key). Table 9.2 describes the fields in the ticket.
Field | Description |
---|---|
tkt-vno | Specifies the version number of the ticket. |
realm | Specifies the realm that issued the ticket. Also serves to identify the realm part of the server's principal identifier. Because a Kerberos server can issue tickets only for servers within its realm, the two are always identical. |
sname | Specifies the name part of the server's identity. |
enc-part | Holds the encrypted encoding of the EncryptdData sequence. |
flags | Indicates which of various options were used or requested when the ticket was issued. |
key | Exists in the ticket and in the Key Distribution Center response and is used to pass the session key from Kerberos to the application server and the client. |
crealm | Contains the name of the realm in which the client is registered and in which initial authentication took place. |
cname | Contains the name part of the client's principal identifier. |
transited | Lists the names of the Kerberos realms that took part in authenticating the user to whom this ticket was issued. |
authtime | Indicates the time of initial authentication for the named principal. Serves as the time of issue for the original ticket on which this ticket is based. Included in the ticket to provide additional information to the end service. |
starttime | Specifies the time after which the ticket is valid. Combined with endtime, specifies the life of the ticket. If absent from the ticket, its value should be treated as that of the authtime field. |
endtime | Contains the time after which the ticket is no longer honored (its expiration time). Individual services can place their own limits on the life of a ticket and reject tickets that have not yet expired. As such, this is really the upper limit on the expiration time for the ticket. |
renew-till | Indicates the maximum endtime that can be included in a renewal. Present only in tickets that have the RENEWABLE flag set in the flags field. Can be thought of as the absolute expiration time for the ticket, including all renewals. |
caddr | Contains zero or more host addresses, which are the addresses from which the ticket can be used. If no addresses are present, the ticket can be used from any location. The Key Distribution Center's decision to issue, or the end server's decision to accept, a zero-address ticket is a policy decision left to the Kerberos and end-service administrators; they can refuse to issue or accept such tickets. The ticket includes network addresses to make it harder for an attacker to use stolen credentials. Because the session key is not sent over the network in cleartext, credentials can't be stolen simply by listening to the network. An attacker has to gain access to the session key (perhaps through operating system security breaches or a careless user's unattended session) to successfully use stolen tickets. |
authorization-data | Serves to pass authorization data from the principal on whose behalf a ticket was issued to the application service. Contains the names of service-specific objects and the rights to those objects, specific to the end service. If there is no authorization data, the field is omitted. A principal can use this field to issue a proxy that is valid for a specific purpose. A client who wants to print a file, for example, can obtain a file server proxy to be passed to the print server. By specifying the name of the file in the authorization-data field, the file server knows that the print server can use only the client's rights when accessing the particular file to be printed. The authorization-data field is optional and does not have to be included in a ticket. |
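The acceptance checks a service performs on a decrypted ticket, following the field semantics in Table 9.2, as an added example that is not code from the original text or from any Kerberos implementation. It assumes the enc-part has already been decrypted with the server's secret key (that step is not shown), models the service-specific authorization-data contents as a hypothetical list of object names, and uses constructed sample values for the realm, service name, addresses and times.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set, Tuple

HOUR = timedelta(hours=1)
T0 = datetime(2024, 1, 1, 0, 0, tzinfo=timezone.utc)  # constructed sample authtime


@dataclass
class DecryptedTicket:
    """Ticket fields plus its EncryptdData part, as listed in Table 9.2.

    The service sees the encrypted fields only after decrypting enc-part with
    its secret key; that decryption is assumed to have already happened."""
    tkt_vno: int
    realm: str
    sname: str
    flags: Set[str]
    crealm: str
    cname: str
    transited: List[str]
    authtime: datetime
    endtime: datetime
    starttime: Optional[datetime] = None
    renew_till: Optional[datetime] = None
    caddr: List[str] = field(default_factory=list)
    # Service-specific contents; this {"objects": [...]} shape is hypothetical.
    authorization_data: Optional[Dict[str, List[str]]] = None


def check_ticket(
    t: DecryptedTicket,
    now: datetime,
    client_addr: str,
    service_realm: str,
    service_name: str,
    requested_object: Optional[str] = None,
    accept_zero_address: bool = False,
    service_max_life: Optional[timedelta] = None,
) -> Tuple[bool, str]:
    """Decide whether this service should honor the ticket; returns (ok, reason)."""
    if t.realm != service_realm or t.sname != service_name:
        return False, "ticket is not for this service"
    # starttime is optional; when absent it is treated as authtime.
    start = t.starttime if t.starttime is not None else t.authtime
    if now < start:
        return False, "ticket not yet valid"
    if now >= t.endtime:
        return False, "ticket expired"
    # endtime is only an upper bound: a service may impose a shorter life.
    if service_max_life is not None and t.endtime - start > service_max_life:
        return False, "ticket life exceeds this service's own limit"
    # renew-till appears only in tickets carrying the RENEWABLE flag.
    if t.renew_till is not None and "RENEWABLE" not in t.flags:
        return False, "renew-till present without RENEWABLE flag"
    if t.renew_till is not None and t.renew_till < t.endtime:
        return False, "renew-till earlier than endtime"
    # caddr restricts where the ticket may be used; a zero-address ticket is
    # usable anywhere, and accepting one is a local policy decision.
    if t.caddr:
        if client_addr not in t.caddr:
            return False, "client address not in caddr"
    elif not accept_zero_address:
        return False, "zero-address ticket rejected by policy"
    # authorization-data, when present, narrows the rights to named objects
    # (the print-server proxy case: only the file named may be touched).
    if t.authorization_data is not None and requested_object is not None:
        if requested_object not in t.authorization_data.get("objects", []):
            return False, "object not permitted by authorization-data"
    return True, "ok"


def sample_ticket(**overrides) -> DecryptedTicket:
    """Constructed sample: a renewable 8-hour ticket bound to one address."""
    fields = dict(
        tkt_vno=5, realm="EXAMPLE.COM", sname="printsvc", flags={"RENEWABLE"},
        crealm="EXAMPLE.COM", cname="alice", transited=[], authtime=T0,
        endtime=T0 + 8 * HOUR, renew_till=T0 + 7 * 24 * HOUR,
        caddr=["10.0.0.5"], authorization_data={"objects": ["/home/alice/report.txt"]},
    )
    fields.update(overrides)
    return DecryptedTicket(**fields)


if __name__ == "__main__":
    ok, why = check_ticket(sample_ticket(), T0 + HOUR, "10.0.0.5",
                           "EXAMPLE.COM", "printsvc", requested_object="/home/alice/report.txt")
    print(ok, why)
```

The order of the checks mirrors the table: identity of the target service first, then the validity window (with the starttime default), then the service's own stricter life limit, the structural rule tying renew-till to the RENEWABLE flag, the address restriction, and finally the authorization-data proxy restriction.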