7-33
Cisco Catalyst Blade Switch 3020 for HP Software Configuration Guide
OL-8915-03
Chapter 7 Configuring Switch-Based Authentication
Controlling Switch Access with Kerberos
This software release supports Kerberos 5, which allows organizations that are already using Kerberos 5
to use the same Kerberos authentication database on the KDC that they are already using on their other
network hosts (such as UNIX servers and PCs).
In this software release, Kerberos supports these network services:
• Telnet
• rlogin
• rsh (Remote Shell Protocol)
Table 7-2 lists the common Kerberos-related terms and definitions:
Table 7-2 Kerberos Terms
Term Definition
Authentication A process by which a user or service identifies itself to another service. For example, a client
can authenticate to a switch or a switch can authenticate to another switch.
Authorization A means by which the switch identifies what privileges the user has in a network or on the
switch and what actions the user can perform.
Credential A general term that refers to authentication tickets, such as TGTs
1
and service credentials.
Kerberos credentials verify the identity of a user or service. If a network service decides to trust
the Kerberos server that issued a ticket, it can be used in place of re-entering a username and
password. Credentials have a default lifespan of eight hours.
Instance An authorization level label for Kerberos principals. Most Kerberos principals are of the form
user@REALM (for example, smith@EXAMPLE.COM). A Kerberos principal with a Kerberos
instance has the form user/instance@REALM (for example, smith/admin@EXAMPLE.COM).
The Kerberos instance can be used to specify the authorization level for the user if
authentication is successful. The server of each network service might implement and enforce the
authorization mappings of Kerberos instances but is not required to do so.
Note The Kerberos principal and instance names must be in all lowercase characters.The
Kerberos realm name must be in all uppercase characters.
KDC
2
Key distribution center that consists of a Kerberos server and database program that is running
on a network host.
Kerberized A term that describes applications and services that have been modified to support the Kerberos
credential infrastructure.
Kerberos realm A domain consisting of users, hosts, and network services that are registered to a Kerberos
server. The Kerberos server is trusted to verify the identity of a user or network service to
another user or network service.
Note The Kerberos realm name must be in all uppercase characters.
Kerberos server A daemon that is running on a network host. Users and network services register their identity
with the Kerberos server. Network services query the Kerberos server to authenticate to other
network services.
KEYTAB
3
A password that a network service shares with the KDC. In Kerberos 5 and later Kerberos
versions, the network service authenticates an encrypted service credential by using the
KEYTAB to decrypt it. In Kerberos versions earlier than Kerberos 5, KEYTAB is referred to as
SRVTAB
4
.
Principal Also known as a Kerberos identity, this is who you are or what a service is according to the
Kerberos server.
Note The Kerberos principal name must be in all lowercase characters.
To Next Page
Loading...
