Kerberos

    Basic Concepts in Kerberos

    Kerberos client, Kerberos server, application server

    In Kerberos, all authentication takes place between clients and servers. So in Kerberos terminology, a "Kerberos client" is any entity that gets a service ticket for a Kerberos service. A client is typically a user, but any principal can be a client (unless for some reason the administrator has explicitly forbidden this principal to be a client).

    The term "Kerberos server" generally refers to the Key Distribution Center, or the KDC for short. The KDC implements the Authentication Service (AS) and the Ticket Granting Service (TGS). The KDC has a copy of every password associated with every principal. For this reason, it is absolutely vital that the KDC be as secure as possible.

    Most KDC implementations store the principals in a database, so you may hear the term "Kerberos database" applied to the KDC.

    For reliability purposes, it is possible to have backup KDCs. These are referred to as slave servers. The slaves all synchronize their databases from the master KDC.

    In most Kerberos implementations there is also an administration server which allows remote manipulation of the Kerberos database. This administration server usually runs on the KDC.

    The term "application server" generally refers to Kerberized programs that clients communicate with using Kerberos tickets for authentication. The Kerberos telnet daemon (telnetd), for example, is an application server.

    Understanding realms

    In theory, the realm name is arbitrary. You can call your realm whatever you want.

    However, in practice a Kerberos realm is named by uppercasing the DNS domain name associated with the hosts in the to-be named realm. In other words, if your hosts are all in the foo.org domain, you might call your Kerberos realm FOO.ORG.

    If you wish to have more than one Kerberos realm associated with the same DNS domain name, the convention is to create realms that are in the same hierarchy of your DNS domain name. For example, if you wish to have two Kerberos realms in the DNS domain foo.org for Human Resources and Sales, you might create the Kerberos realms HR.FOO.ORG and SALES.FOO.ORG.

    The convention to use uppercase for realm names arose out of the desire to easily distinguish between DNS domain names (which are actually case-insensitive) and Kerberos realms. The Kerberos realm name is case sensitive (the realm foo.org is different from the realm FOO.ORG). You are not required to have an uppercase Kerberos realm, but I would strongly advise it.

    It is worth noting that the recent revisions to the Kerberos standard have specified that uppercase realm names are preferred and lowercase realm names have been deprecated.
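The two conventions above (principals are named as components plus a case-sensitive realm, and a host's realm is normally the uppercased DNS domain unless an explicit mapping says otherwise) are small enough to show in code. The following is an added example written for this page, not code from the Kerberos FAQ or from any Kerberos implementation. The DOMAIN_REALM table is a constructed stand-in for a krb5.conf-style [domain_realm] section, the lookup order is a simplified version of the suffix walk Kerberos libraries perform, and all host and principal names are invented for illustration.

```python
"""Realm naming and principal parsing, as discussed in the realm section above."""
from typing import Dict, List, Tuple

# Constructed sample mapping (assumption, not from the page): keys with a
# leading dot cover a whole DNS subtree, keys without one match a single host.
# It models the page's HR.FOO.ORG / SALES.FOO.ORG split under foo.org.
DOMAIN_REALM: Dict[str, str] = {
    ".hr.foo.org": "HR.FOO.ORG",
    ".sales.foo.org": "SALES.FOO.ORG",
    "kdc.foo.org": "FOO.ORG",
}


def realm_for_host(hostname: str, mapping: Dict[str, str] = DOMAIN_REALM) -> str:
    """Return the Kerberos realm a host belongs to.

    Lookup order (simplified from what Kerberos libraries do): the exact host
    name first, then each parent domain with a leading dot. If no entry
    matches, fall back to the page's convention and uppercase the host's
    parent DNS domain (foo.org -> FOO.ORG).
    """
    host = hostname.rstrip(".").lower()  # DNS names are case-insensitive
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        suffix = "." + ".".join(labels[i:])
        if suffix in mapping:
            return mapping[suffix]
    if len(labels) < 2:
        raise ValueError(f"cannot derive a realm for single-label host {hostname!r}")
    return ".".join(labels[1:]).upper()


def parse_principal(principal: str, default_realm: str) -> Tuple[List[str], str]:
    """Split 'primary/instance@REALM' into its components and realm.

    '/' separates components and '@' introduces the realm; a backslash
    escapes the next character, so 'odd\\/name@R' keeps the slash inside the
    component. A principal with no '@' gets default_realm.
    """
    components: List[str] = []
    current: List[str] = []
    in_realm = False
    i = 0
    while i < len(principal):
        ch = principal[i]
        if ch == "\\" and i + 1 < len(principal):
            current.append(principal[i + 1])  # escaped character, taken literally
            i += 2
            continue
        if ch == "/" and not in_realm:
            components.append("".join(current))
            current = []
        elif ch == "@":
            if in_realm:
                raise ValueError(f"unescaped '@' inside realm of {principal!r}")
            components.append("".join(current))
            current = []
            in_realm = True
        else:
            current.append(ch)
        i += 1
    if in_realm:
        realm = "".join(current)
    else:
        components.append("".join(current))
        realm = default_realm
    if not realm or any(c == "" for c in components):
        raise ValueError(f"malformed principal {principal!r}")
    return components, realm


def principal_in_realm(principal: str, realm: str, default_realm: str) -> bool:
    """Realm comparison is case-sensitive: alice@foo.org is not in FOO.ORG."""
    _, found = parse_principal(principal, default_realm)
    return found == realm


if __name__ == "__main__":
    for host in ("www.hr.foo.org", "kdc.foo.org", "mail.foo.org", "pc1.Sales.Foo.Org"):
        print(f"{host:20} -> {realm_for_host(host)}")
    print(parse_principal("host/www.foo.org@FOO.ORG", "FOO.ORG"))
    print(principal_in_realm("alice@foo.org", "FOO.ORG", "FOO.ORG"))
```

Note that the host name is lowercased before lookup (DNS is case-insensitive) while the returned realm is compared byte-for-byte, which is exactly the asymmetry the uppercase convention exists to make visible.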

    References

    1. http://technet.microsoft.com/en-us/library/cc780469(v=WS.10).aspx

    2. http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html

Original source: https://www.cnblogs.com/whyandinside/p/2494881.html