HP Open Source Security for OpenVMS Volume 3: Kerberos > Chapter 1 Introduction to Kerberos

Kerberos Components

Figure 1-1 depicts the interrelationship between the various components of Kerberos.

Figure 1-1 Interrelationships Among Kerberos Components

When a client logs in to the realm, an authentication request is sent to the Kerberos Key Distribution Center (KDC). A Ticket-Granting Ticket (TGT) is returned as the result of authentication. When the client application starts, the TGT is used to request an application ticket. The application ticket is then sent to the application server, which verifies the application ticket with the KDC. Normal communication can then begin.

The Kerberos registry can be manipulated in several ways. It is initially created via the KRB$CONFIGURE command procedure. Other tools used to access the Kerberos information are:

  • kadmin - Used for reading or updating the Kerberos registry.

  • kinit - Creates credentials for a user.

  • klist - Displays the existing credentials for a user.

  • kdestroy - Deletes a user’s credentials.

  • kpasswd - Changes a user’s Kerberos password.

  • kdb5_util - Dumps or loads the Kerberos database for save and restore operations.


Each Kerberos realm will have at least one Kerberos server. This server, the Key Distribution Center, contains the Authentication Service, the Ticket-Granting Service, and the master database for Kerberos. These services are implemented as a single daemon: the KDC (KRB$KRB5KDC).

Authentication Service

The authentication service handles user authentication, or the process of verifying that principals are correctly identified. It consists of the security server (or servers) in the KDC (or KDCs), and security clients.

A security client communicates with a security server to request information and operations. The security server accesses the registry database to perform queries and updates and to validate user logins.

Ticket-Granting Service

Once authenticated, a principal is granted a TGT and a ticket session key, which gives the principal the right to use the ticket. This combination of the ticket and its associated session key is known as the principal's credentials.

A principal’s credentials are stored in a credentials cache, which is often just a file in the principal’s local directory tree.

The Kerberos Database

The Kerberos database contains all of the realm’s Kerberos principals, their passwords, and other administrative information about each principal.

Each KDC contains its own copy of the Kerberos database. The master KDC contains the primary copy of the database, which it propagates at regular intervals to the slave KDCs. All database changes are made on the master KDC. Slave KDCs provide ticket-granting services only, with no database administration. This allows clients to continue to obtain tickets when the master KDC is unavailable.
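The exchange described at the start of this chapter (authentication request, TGT, application ticket, application server) with the Authentication Service, Ticket-Granting Service and database of a single KDC, as an added Python model that is not part of the OpenVMS product or of the MIT Kerberos code. The principal names, the toy SHAKE/HMAC cipher and the JSON ticket layout are constructed for illustration; real Kerberos uses its own enctypes and ASN.1 wire format.

```python
import hashlib, hmac, json, os, time

def seal(key, obj):
    """Toy authenticated encryption (SHAKE keystream XOR + HMAC); stands in for a Kerberos enctype."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, hashlib.shake_256(key + nonce).digest(len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

def _ticket(key, client, lifetime):
    """A ticket names the client and carries a fresh session key; only the service's key opens it."""
    skey = os.urandom(32)
    return skey, seal(key, {"client": client, "skey": skey.hex(), "exp": time.time() + lifetime})

def _verify(key, ticket, authenticator):
    """Open a ticket with the holder's long-term key, reject expiry, and check the authenticator."""
    t = unseal(key, ticket)
    if t["exp"] < time.time():
        raise ValueError("ticket expired: obtain a new one with kinit")
    if unseal(bytes.fromhex(t["skey"]), authenticator)["client"] != t["client"]:
        raise ValueError("authenticator does not match ticket")
    return t

class KDC:
    """One daemon holding the Kerberos database and running both the AS and the TGS."""
    def __init__(self, db, lifetime=600):
        self.db, self.lifetime = db, lifetime          # db: principal -> long-term key (constructed)
    def authenticate(self, client):                    # AS exchange, what kinit performs
        skey, tgt = _ticket(self.db["krbtgt"], client, self.lifetime)
        return seal(self.db[client], {"skey": skey.hex(), "tgt": tgt.hex()})
    def grant(self, tgt, authenticator, service):      # TGS exchange for an application ticket
        t = _verify(self.db["krbtgt"], tgt, authenticator)
        skey, ticket = _ticket(self.db[service], t["client"], self.lifetime)
        return seal(bytes.fromhex(t["skey"]), {"skey": skey.hex(), "ticket": ticket.hex()})

def app_server_accept(service_key, ticket, authenticator):
    """Application server: its keytab key opens the ticket; returns the authenticated client name."""
    return _verify(service_key, ticket, authenticator)["client"]

def client_session(kdc, client, client_key, service, service_key):
    """kinit -> credentials cache (TGT + session key) -> application ticket -> request to the server."""
    cache = unseal(client_key, kdc.authenticate(client))
    tgt_skey = bytes.fromhex(cache["skey"])
    rep = unseal(tgt_skey, kdc.grant(bytes.fromhex(cache["tgt"]), seal(tgt_skey, {"client": client}), service))
    return app_server_accept(service_key, bytes.fromhex(rep["ticket"]), seal(bytes.fromhex(rep["skey"]), {"client": client}))
```

An expired TGT is rejected by the TGS with a ValueError, which is the condition under which a user reruns kinit.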

Kerberos Utility Programs

OpenVMS provides three different versions of each of the Kerberos user interface programs: the original UNIX style, a DCL version, and an X Windows version. The DCL interface for the user utilities (kinit, klist, kdestroy, kpasswd) is invoked by the DCL command:


The DCL interface for the administrative utility (kadmin) is invoked by the DCL command:


Either DCL interface can be modified with an /INTERFACE qualifier to invoke the X Windows version. For example, the command line for the administrative program is as follows:


DCL help is available within each of the DCL interfaces.


The kadmin program allows for the maintenance of Kerberos principals, policies, and service key tables (keytabs).


The kinit program explicitly obtains Kerberos tickets. Similarly, if a user’s Kerberos ticket expires, kinit is used to obtain a new one.


The klist program displays the existing tickets for a principal and various details about those tickets, including expiration time.


The kdestroy program removes all of the tickets for a principal. Because Kerberos tickets can be stolen and because someone who steals a ticket can masquerade as another principal, Kerberos tickets should be destroyed when you are away from your computer.


The kpasswd program changes a Kerberos principal’s password. Passwords should be changed periodically.


The kdb5_util program creates, destroys, dumps, and loads the Kerberos database. It also creates a key stash file, which allows a KDC to authenticate itself to the database utilities. Unlike the other Kerberos utility programs (kadmin excepted), kdb5_util is generally restricted to Kerberos administrators.


The kprop program propagates the master KDC database to slave KDC servers.


The ktutil command invokes a menu from which an administrator can read, write, or edit entries in a Kerberos V5 keytab or V4 srvtab file.