Kerberos and Authentication Management Software
To protect your account information and data, Carnegie Mellon uses Kerberos authentication management software. Kerberos for Windows and Kerberos for Mac work together with applications that use Kerberos for authentication (e.g., Oracle Calendar) so that your password never travels over the network. Authenticating with Kerberos protects your password; the Kerberized applications additionally use encryption to protect your e-mail and files from being read by anyone who intercepts your traffic.
Your password is what identifies you to a server, but most applications do not use Kerberos to handle authentication, so they send your password over the network in the clear. Most applications also transmit your data (e-mail, files, etc.) in the clear. Anyone who knows how to "snoop" (capture) network traffic can read both, and can then log in to your account.
What is Kerberos?
Kerberos is an authentication service developed at MIT for open network computing environments. When you log in through authentication management software (e.g., Kerberos for Windows or Mac), the software derives a secret key from your password and uses that key, never the password itself, in its exchange with the Kerberos server (the Key Distribution Center, or KDC). The KDC replies with a ticket that only that key can unlock, so only someone who knows the password can use it. Your password is never sent over the network and cannot be captured by someone watching the traffic.
Kerberos "tickets" are encrypted protocol messages that identify you to Kerberized network services. Once you have logged in, Kerberos holds these tickets for you so that you do not need to log in again each time you contact a server. Kerberos uses two types of tickets: the Ticket Granting Ticket (TGT), issued once when you log in, and Service Tickets, one for each service you use, which are obtained with the TGT. Tickets carry an expiration time; when they expire you must log in again.
How Authentication Management Software Works With Kerberos
Kerberos for Windows or Mac works as a "ticket agent" between the applications that use Kerberos for authentication and the servers that they access.
Once you log in through one of these packages, it obtains an initial Ticket Granting Ticket (TGT) from the Kerberos server and keeps it in a ticket cache on your machine. When you start an application such as Oracle Calendar, the application uses the cached TGT to obtain a service ticket for the server it connects to, and presents that ticket instead of your password. This is why you don't need to log in every time you start an application that uses Kerberos.
If you start an application that uses Kerberos authentication but you have NOT already logged in through Kerberos for Windows or Mac (or if your tickets have expired), the Leash/Kerberos login dialog box is displayed. Simply enter your userID and password to authenticate and obtain a fresh TGT.
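As an added illustration (not code from Carnegie Mellon, MIT, or the Kerberos for Windows/Mac software), the following Python model walks through the exchanges just described: the login, in which a key derived from the password, never the password itself, is used with the KDC to obtain a TGT; the TGT being used to fetch a service ticket; and the application presenting that ticket to a server. The realm EXAMPLE.EDU, the user "alice", the service "calendar", the password and the stand-in cipher are all constructed for this example; real Kerberos uses AES and ASN.1-encoded messages. The WIRE list records every message that crosses the network so the code can check that the password never appears in it, and destroy() models what "Destroy Tickets" or logging off in Kerberos for Windows/Mac does.

```python
import hashlib, hmac, json, os, time

REALM = "EXAMPLE.EDU"   # assumption: a made-up realm, not CMU's
WIRE = []               # every byte string that crosses the "network"

def send(msg):
    WIRE.append(msg)
    return msg

def derive_key(password, salt):
    # string-to-key: the long-term key is derived from the password and only the key is ever used
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):   # toy authenticated encryption (HMAC keystream + HMAC tag), stands in for AES
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:  # Authentication Server and Ticket Granting Server sharing one principal database
    def __init__(self, users):
        self.keys = {u: derive_key(pw, REALM + u) for u, pw in users.items()}
        self.keys["krbtgt"] = os.urandom(32)    # seals TGTs; known only to the KDC
        self.keys["calendar"] = os.urandom(32)  # constructed service key
    def as_exchange(self, user, preauth, lifetime=10 * 3600):
        # AS-REQ: the user name in the clear plus a timestamp sealed under the user's key
        if abs(time.time() - unseal(self.keys[user], preauth)["ts"]) > 300:
            raise ValueError("stale pre-authentication")
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"client": user, "session": sk,
                                         "expires": time.time() + lifetime})
        return send(tgt), send(seal(self.keys[user], {"session": sk}))   # AS-REP
    def tgs_exchange(self, tgt, authenticator, service, lifetime=3600):
        t = unseal(self.keys["krbtgt"], tgt)       # only the KDC can open a TGT
        a = unseal(bytes.fromhex(t["session"]), authenticator)
        if t["expires"] < time.time() or a["client"] != t["client"]:
            raise ValueError("TGT expired or authenticator does not match it")
        sk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": t["client"], "session": sk,
                                           "expires": min(t["expires"], time.time() + lifetime)})
        return send(ticket), send(seal(bytes.fromhex(t["session"]), {"session": sk}))  # TGS-REP

class Service:
    def __init__(self, name, key):
        self.name, self.key = name, key
    def accept(self, ticket, authenticator):      # AP-REQ
        t = unseal(self.key, ticket)              # only the service key opens its ticket
        a = unseal(bytes.fromhex(t["session"]), authenticator)
        if t["expires"] < time.time() or a["client"] != t["client"] or abs(time.time() - a["ts"]) > 300:
            raise ValueError("expired ticket, mismatched authenticator or replayed request")
        return t["client"]                        # the identity the application now acts as

class TicketCache:  # what Kerberos for Windows/Mac keeps on the local machine after login
    def __init__(self, kdc):
        self.kdc, self.user, self.tgt, self.session = kdc, None, None, None
    def login(self, user, password):
        key = derive_key(password, REALM + user)  # lives only for this login
        send(user.encode())                       # the user name does cross the wire
        tgt, enc = self.kdc.as_exchange(user, send(seal(key, {"ts": time.time()})))
        self.user, self.tgt, self.session = user, tgt, bytes.fromhex(unseal(key, enc)["session"])
    def service_ticket(self, service):
        if self.tgt is None:
            raise PermissionError("no tickets: the Leash login dialog would appear here")
        auth = send(seal(self.session, {"client": self.user, "ts": time.time()}))
        ticket, enc = self.kdc.tgs_exchange(send(self.tgt), auth, service)
        return ticket, bytes.fromhex(unseal(self.session, enc)["session"])
    def destroy(self):                            # "Destroy Tickets" / log off in Leash
        self.user = self.tgt = self.session = None

def start_app(cache, service):   # e.g. a calendar client: never sees the password, only tickets
    ticket, sk = cache.service_ticket(service.name)
    return service.accept(ticket, send(seal(sk, {"client": cache.user, "ts": time.time()})))

def demo():
    kdc = KDC({"alice": "correct horse"})         # constructed user and password
    calendar = Service("calendar", kdc.keys["calendar"])
    cache = TicketCache(kdc)
    cache.login("alice", "correct horse")         # the only time the password is typed
    first = start_app(cache, calendar)
    second = start_app(cache, calendar)           # app restarted: TGT reused, nobody is prompted
    leaked = any(b"correct horse" in m for m in WIRE)
    cache.destroy()
    try:
        start_app(cache, calendar)
        prompted = False
    except PermissionError:
        prompted = True
    return first, second, leaked, prompted
```

demo() returns ('alice', 'alice', False, True): the application authenticated twice with no password prompt, nothing on the wire contained the password, and once the tickets were destroyed the next start would bring up the login dialog. Note that the second start_app call succeeds no matter who is at the keyboard; the cached TGT belongs to the machine session, which is why the guidelines below tell you to destroy tickets before leaving the machine.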
Using Authentication Management Software Correctly
When used properly, Kerberos provides strong protection for your Andrew password and data. However, if you use it improperly, other users may gain access to your account, e-mail and files!
When an application does not use Kerberos for authentication, it asks you for your userID and password every time you start it. Likewise, when you exit the application, you are no longer authenticated. At this point, if another user starts the application, they can log in with their own userID and password and access their data, not yours.
With Kerberos for Windows or Mac, you could log in once in the morning and not have to log in again all day, regardless of how many times you exit and restart the applications that use it, because your tickets stay in the cache on the machine until they expire or you destroy them. However, the tickets belong to the machine session, not to the person at the keyboard. If you exit an application (e.g., Oracle Calendar) and another user starts it, they will not be asked for their userID and password. Instead, Kerberos will use your cached tickets to authenticate to the server, and that user will have access to your data!
To avoid the risk of someone gaining access to your account and private data, consider the following guidelines when using Kerberos-enabled applications (e.g., Oracle Calendar):
- If you need to leave the machine unattended for any period of time during which someone else could gain access to it, log off (or destroy your tickets) through Kerberos for Windows or Mac. Without tickets, anyone who starts a Kerberized application will be prompted for a userID and password instead of acting as you.
- If you are going to allow someone else to use your machine temporarily to run a Kerberos-enabled application, you must log off through Kerberos for Windows or Mac first. If you do not, the Kerberos-enabled application will use your tickets when it starts, and that person will be working in your account.
Last Updated: 06/02/06