Photo by pina messina on Unsplash

Photo by pina messina on Unsplash

Pre-authentication for Kerberos services


Article from ADMIN 74/2023
The Kerberos protocol makes the process of logging in to a service completely transparent to the user. The MIT Kerberos library lets you implement different security requirements for individual services.

When a user is validated by the Kerberos authentication protocol through a key distribution center (KDC), the user is given a ticket granting ticket (TGT) at the end of the process that then enables transparent login to more Kerberos services. Before this can happen, however, the user must initially prove their identity to the KDC. This process is also known as pre-authentication and provides protection against attackers who send an arbitrary request to the server and then go on to use a dictionary or brute-force attack to try to guess the user password.

This attack would be possible without pre-authentication because, in such a case, the KDC would simply send data to the client encoded with a key derived from the user password. Attackers would then have plenty of time to carry out an offline attack, ultimately to extract the user password.

Password First

To prevent such an attack, all current Kerberos implementations require pre-authentication. When a client initiates a login to a KDC, the connection is first interrupted, and the server asks the client to authenticate. In the simplest case, the user simply has to enter their password; then, a key (long-term key) is derived from the password used to encode a timestamp. The timestamp is then transmitted to the KDC to authenticate the user. If this works, the user is also given a TGT. This method is described in the initial Kerberos RFC [1], as well, which means that it is supported by all Kerberos implementations (Listing 1).

Listing 1


### A trace from kinit shows the selected pre-authentication method.
# KRB5_TRACE=/dev/stdout kinit tscherf
[20981] 1655644410.292205:
Use Express-Checkout link below to read the full article (PDF).

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy ADMIN Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • Password management with FreeIPA
    Passwords should be safe, but easy to remember – a contradiction that can be difficult to resolve. One remedy is a password manager that stores all passwords centrally. The open source tip this month shows a different approach: FreeIPA.
  • A REST interface for FreeIPA
    Access to the FreeIPA identity management framework is usually handled via a graphical web interface or a command-line tool, but the framework can also be queried directly via the JSON-RPC API.
  • Protect privileged accounts in AD
    Granular protection for highly privileged accounts is granted by the Protected Users group in Active Directory and Kerberos authentication policies.
  • Integrating FreeIPA with Active Directory
    Many companies use Active Directory for centrally managing existing systems, but if you mix in Linux systems, you have to take care of a few things, such as different forms of integration. We show you how to connect the FreeIPA identity management framework as an interface to an Active Directory domain.
  • Migration from LDAP to FreeIPA
    The change from centralized user authentication on a vanilla LDAP server to the FreeIPA identity management solution is easier than many admins think. Given attention to a few points, the migration takes very little time and effort.
comments powered by Disqus
Subscribe to our ADMIN Newsletters
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs

Support Our Work

ADMIN content is made possible with support from readers like you. Please consider contributing when you've found an article to be beneficial.