Authentication
|
A process by
which a user or service identifies itself to another service. For example, a
client can authenticate to a switch or a switch can authenticate to another
switch.
|
Authorization
|
A means by
which the switch identifies what privileges the user has in a network or on the
switch and what actions the user can perform.
|
Credential
|
A general term
that refers to authentication tickets, such as TGTs1
and service credentials. Kerberos credentials verify the identity of a user or
service. If a network service decides to trust the Kerberos server that issued
a ticket, it can be used in place of re-entering a username and password.
Credentials have a default life span of eight hours.
|
Instance
|
An
authorization level label for Kerberos principals. Most Kerberos principals are
of the form
user@REALM (for example, smith@EXAMPLE.COM). A Kerberos
principal with a Kerberos instance has the form
user/instance@REALM (for example, smith/admin@EXAMPLE.COM).
The Kerberos instance can be used to specify the authorization level for the
user if authentication is successful. The server of each network service might
implement and enforce the authorization mappings of Kerberos instances but is
not required to do so.
Note
|
The Kerberos
principal and instance names
must
be in all lowercase characters.
|
Note
|
The Kerberos
realm name
must
be in all uppercase characters.
|
|
KDC2
|
Key
distribution center that consists of a Kerberos server and database program
that is running on a network host.
|
Kerberized
|
A term that
describes applications and services that have been modified to support the
Kerberos credential infrastructure.
|
Kerberos realm
|
A domain
consisting of users, hosts, and network services that are registered to a
Kerberos server. The Kerberos server is trusted to verify the identity of a
user or network service to another user or network service.
Note
|
The
Kerberos realm name
must
be in all uppercase characters.
|
|
Kerberos
server
|
A daemon
that is running on a network host. Users and network services register their
identity with the Kerberos server. Network services query the Kerberos server
to authenticate to other network services.
|
KEYTAB3
|
A password
that a network service shares with the KDC. In Kerberos 5 and later Kerberos
versions, the network service authenticates an encrypted service credential by
using the KEYTAB to decrypt it. In Kerberos versions earlier than Kerberos 5,
KEYTAB is referred to as SRVTAB4.
|
Principal
|
Also known
as a Kerberos identity, this is who you are or what a service is according to
the Kerberos server.
Note
|
The
Kerberos principal name
must
be in all lowercase characters.
|
|
Service
credential
|
A credential
for a network service. When issued from the KDC, this credential is encrypted
with the password shared by the network service and the KDC. The password is
also shared with the user TGT.
|
SRVTAB
|
A password
that a network service shares with the KDC. In Kerberos 5 or later Kerberos
versions, SRVTAB is referred to as KEYTAB.
|
TGT
|
Ticket
granting ticket that is a credential that the KDC issues to authenticated
users. When users receive a TGT, they can authenticate to network services
within the Kerberos realm represented by the KDC.
|