Revision as of 11:41, 14 January 2010 by Ghudson
This page exists to help demystify the Kerberos acronym soup. When adding an entry, please include a brief description of the term, as well as a link to where more information can be found if the term is not defined in RFC 4120.
- AS: Authentication Service -- The conceptual part of a KDC which is used to obtain initial credentials using a password or stored key.
- AD: Active Directory -- A Microsoft product which makes use of a Kerberos implementation.
- AD: Authorization Data -- Contained within the encrypted part of a ticket, the authorization data contains information communicated from the KDC to a service which may restrict the use of the ticket.
- ccache or cc: Credentials Cache -- A file or other storage unit containing a list of tickets for the same client principal.
- DAL: Database Access Layer -- The plugin interface used to communicate between libkdb5 and the back-end database library (DB2, LDAP, or an external plugin).
- etype: Encryption Type -- A Kerberos-specific encryption algorithm which ensures confidentially and integrity of information. Kerberos etypes frequently make use of a symmetric cipher algorithm such as DES or AES and a hash algorithm such as MD5 or SHA-1. Many etypes are specified in RFC 3961 and RFC 3962.
- FAST: Flexible Authentication Secure Tunneling -- An extension of the Kerberos AS and TGS exchanges which increases the security of the communication path between the client and KDC. Defined in an Internet draft at this time. A pre-authentication mechanism which works with the FAST extension is called a FAST factor.
- GSSAPI: Generic Security Services Application Programming Interface -- An API which applications can use to access multiple token-based authentication mechanisms including Kerberos. Also the only consistent API across different Kerberos implementations. Defined in RFC 2743 (protocol) and RFC 2744 (C language bindings); the network protocol for the Kerberos GSSAPI mechanism is defined in RFC 4121.
- KDB: Kerberos Database -- The database of principals and keys used by a KDC in the MIT Kerberos implementation.
- KDC: Key Distribution Center -- A server which implements the conceptual AS and TGS services to provide authentication tickets to clients.
- keytab or kt: A file or other storage unit containing a list of long-term key entries for principals. For example, a server might use a keytab file to store its host key.
- PA-DATA or padata: Pre-Authentication Data -- A sequence of typed octet strings contained within KDC requests and responses. These were initially specified to support pre-authentication mechanisms but have also used to extend the Kerberos protocol in other ways.
- PAC: Privilege Attribute Certificate (or Privilege Access Certificate; sources conflict on the expansion) -- A Microsoft-defined authorization data type. More information available here.
- S4U: A pair of krb5 protocol extensions from Microsoft. The first, S4U2Self (aka "protocol transition"), allows a service to acquire service tickets from a client to itself, as if a client had authenticated to it with krb5. The second, S4U2Proxy (aka "constrained delegation") allows a service to request tickets from a client to another service if allowed by the KDC. Together these extensions allow a trusted service to act as an intermediary between a user and a second service.
- SASL: Simple Authentication Security Layer -- A framework which can be used to negotiate security mechanisms within a protocol using TCP. Kerberos is often used within SASL by means of SASL's GSSAPI mechanism. Currently the base SASL specification is RFC 4422, and the "GSSAPI" (Kerberos) SASL mechanism is specified by RFC 4752. SASL was originally specified in RFC 2222.
- SPNEGO: Simple and Protected GSSAPI Negotiation Mechanism -- A GSSAPI mechanism which can be used to negotiate which of several real mechanisms should be used. Defined in RFC 4178. (originally RFC 2478)
- TGS: Ticket-Granting Service -- The conceptual part of a KDC which is used to obtain service tickets using a TGT.
- TGT: Ticket-Granting Ticket -- A ticket with a specially named service principal, which can be used to obtain additional service tickets from the KDC.