Kerberos explain

Hi

In the operation of the Kerberos protocol, why does the Authentication Server, when delivering the TGT, not directly issue the service ticket? (So I do not see why they have complicated the protocol by introducing the TGS.)
Re: Kerberos explain

On Aug 2, 2008, at 06:03, kisito wrote:

> In the operation of the Kerberos protocol, why does the Authentication Server,
> when delivering the TGT, not directly issue the service ticket? (So I do
> not see why they have complicated the protocol by introducing the TGS.)

If you're going to contact a dozen services during your login session, the TGT will let you get service tickets for them without asking for your password over and over again.

Theoretically (if the protocol were set up for it) you could get them all at once and prompt for the password only once, but that only works if you know what all of them are when you log in; for a realm with possibly thousands of servers, you can't practically get Kerberos-style credentials (dependent on shared secrets between the KDC and each individual service, hence needing different credentials for each service) for all of them at login time just in case you might want to talk to them later.

It also doesn't help in the cross-realm authentication case, where you need credentials to send to some other site's KDC, so it can issue you credentials to talk to one or more services at that site; this is also done with a kind of TGT issued by your "home" KDC.

The ticket-granting ticket model lets you transparently (we hope!) get additional tickets as you need them during your session, without having to decide up front.

Ken

________________________________________________
Kerberos mailing list Kerberos@... https://mailman.mit.edu/mailman/listinfo/kerberos
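The TGT model Ken describes, as an added illustration (not code from this thread or from MIT Kerberos): the password-derived key is used exactly once, at the AS exchange, and every later service ticket comes from the TGS sealed under that service's own shared secret, so services need not be known at login time. The `KDC` class, the service names and the SHA-256/HMAC "sealing" are all my assumptions standing in for real Kerberos encryption types.

```python
# Toy model of the AS and TGS exchanges (added illustration, not MIT Kerberos code).
# Toy crypto only: a SHA-256 keystream plus HMAC tag stands in for Kerberos enctypes.
import hashlib, hmac, json, os

def _ks(key, n):  # counter-mode keystream derived from the key
    out = b""
    for i in range((n + 31) // 32):
        out += hashlib.sha256(key + i.to_bytes(4, "big")).digest()
    return out[:n]

def seal(key, obj):  # "encrypt" a ticket/reply body under a long-term or session key
    pt = json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, len(pt))))
    return ct + hmac.new(key, ct, "sha256").digest()

def unseal(key, blob):  # fails closed: wrong key or tampering raises ValueError
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("bad key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, len(ct)))))

def user_key(password):  # client derives the user's long-term key from the password
    return hashlib.sha256(b"toy-salt" + password.encode()).digest()

class KDC:  # one process plays AS and TGS and holds each service's shared secret
    def __init__(self, users, services):
        self.users = {u: user_key(p) for u, p in users.items()}
        self.svc = {s: os.urandom(32) for s in services}  # distinct key per service
        self.tgs_key = os.urandom(32)
    def as_req(self, user):  # AS exchange: TGT under tgs_key, session key under user key
        sk = os.urandom(32)
        tgt = seal(self.tgs_key, {"user": user, "sk": sk.hex()})
        return tgt, seal(self.users[user], {"sk": sk.hex()})
    def tgs_req(self, tgt, authenticator, service):  # TGS exchange: no user key involved
        t = unseal(self.tgs_key, tgt)
        if unseal(bytes.fromhex(t["sk"]), authenticator)["user"] != t["user"]:
            raise ValueError("authenticator does not match TGT")
        ssk = os.urandom(32)
        tkt = seal(self.svc[service], {"user": t["user"], "sk": ssk.hex()})
        return tkt, seal(bytes.fromhex(t["sk"]), {"sk": ssk.hex()})

def login_and_use(kdc, user, password, services):
    tgt, rep = kdc.as_req(user)
    tgs_sk = bytes.fromhex(unseal(user_key(password), rep)["sk"])  # only password use
    served = []
    for s in services:  # services need not be known at login time
        tkt, rep = kdc.tgs_req(tgt, seal(tgs_sk, {"user": user}), s)
        ssk = unseal(tgs_sk, rep)["sk"]
        served.append(unseal(kdc.svc[s], tkt)["sk"] == ssk)  # the service's own check
    return served
```

A wrong password fails already at the AS reply, before any service is contacted, and a ticket sealed for one service cannot be opened under another service's key.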
RE: Kerberos explain

Note that you *can* get a service ticket when you authenticate. In fact this is required by some highly secure services such as kpasswd. But this is exceptional.

-----Original Message-----
From: kerberos-bounces@... [mailto:kerberos-bounces@...] On Behalf Of Ken Raeburn
Sent: Monday, August 04, 2008 9:20 AM
To: kisito
Cc: kerberos@...
Subject: Re: Kerberos explain