In the previous blog, We have read about SCRAM Authentication. In Today’s blog, we gonna read about GSSAPI (Kerberos) Authentication. Kerberos is a security protocol that provides an alternate mechanism for client and server authentication.
Introduction to GSSAPI
As its name implies, the GSS-API enables programmers to write generic applications with respect to security. It is widely use by protocol implementers as a means to implement Kerberos 5 support in their applications. Therefore, a program that takes advantage of GSS-API is more portable regarding network security.
Components of Kerberos
- Authentication Server (AS): The AS performs initial authentication when a user wants to access a service.
- Ticket Granting Server (TGS): The Ticket Granting Server issues the ticket for the Server.
- Database: This database stores the IDs and passwords of verified users. The Authentication Server verifies the access rights of users in the database.
GSSAPI Authentication Process
With Kerberos, users never authenticate themselves to the service directly. Instead, they go through a series of steps performed by different parts of the Key Distribution Center. Kerberos runs as a third-party trusted server known as the Key Distribution Center (KDC). Each user and service on the network is a principal.
- User’s login and request services on the host. Thus users request a ticket-granting service.
- After verifying the client generates a Ticket Granting Ticket and sends it to the Client.
- The client decrypts the message. The client uses the client/user secret key to decrypt the message and extract the SK1 and TGT, generating the authenticator that validates the client’s TGS.
- A client sends the current TGT to the TGS with the Service Principal Name (SPN) of the resource the client wants to access.
- The KDC verifies the TGT of the user and that the user has access to the service.
Advantages of GSSAPI
- Passwords are never sent across the network because only keys are sent in an encrypted form.
- Kerberos is a crucial component of today’s enterprises. The protocol allows excellent access control.
- The Kerberos protocol allows both the User and the Service to authenticate one another, ensuring each party is genuine.
- Kerberos authentications are reusable and durable. The user only verifies to the Kerberos system once.
Disadvantages of GSSAPI
- If a non-authorized user has access to the Key Distribution Center, the whole authentication system is compromised.
- If the Kerberos server goes down, users cannot log in. Fallback authentication mechanisms and secondary servers are typical solutions to this problem.
- Both user machines and service servers must be designed with Kerberos authentication in mind.