Kerberos
Description
Kerberos is an authentication protocol that supports the concept of Single Sign-On (SSO). Having authenticated once at the start of a session (normally by obtaining a ticket-granting ticket, or TGT), a user can access network services throughout a Kerberos realm without authenticating again. Kerberos achieves this through the use of ‘tickets’ (which prove the identity of one Kerberos ‘principal’ to another, and are encrypted under the long-term key of the service they are issued for) and ‘Key Distribution Centres’ (KDCs, which hold the long-term keys of every principal in the realm and are responsible for issuing tickets). Because tickets and the authenticators that accompany them carry timestamps, clients, servers and KDCs need reasonably well-synchronised clocks.
There are three notable Open Source implementations of Kerberos: MIT Kerberos, Heimdal, and GNU Shishi. Kerberos is also one of the technologies on which Microsoft Active Directory is based. Network services that are capable of using Kerberos for authentication include SSH, HTTP, IMAP, NFSv4 and LDAP.
Kerberos support is often provided via an intermediate mechanism such as GSS-API and/or SASL. For this reason, clients and servers that are capable of authenticating using Kerberos do not necessarily mention it by name in their documentation. In the specific case of HTTP, other relevant terms include SPNEGO (the Simple and Protected GSS-API Negotiation Mechanism), ‘integrated authentication’ and ‘negotiate authentication’.
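The ticket flow described above, as an added illustration rather than code from this page or from any Kerberos implementation: a toy model of the three Kerberos V5 exchanges (AS, TGS and AP) in which a client authenticates once with a password, obtains a TGT from the KDC, and then uses it to get and present tickets for two different services without re-entering the password. The realm EXAMPLE.COM, the principals alice, HTTP/www.example.com and imap/mail.example.com, the 300 second clock-skew window and the cipher are all constructed for the example; the cipher is a stand-in for a krb5 encryption type and the messages are plain JSON, not RFC 4120's ASN.1.

```python
"""Toy model of the Kerberos V5 ticket flow (AS, TGS and AP exchanges); illustration only."""
import hashlib
import hmac
import json
import os
import time

SKEW = 300  # tolerated clock skew in seconds (assumption; MIT krb5's default is 5 minutes)

def string_to_key(principal, realm, password):
    # Simplified string-to-key; real Kerberos uses per-enctype derivations.
    salt = f"{principal}@{realm}".encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, obj):
    """Toy authenticated encryption (HMAC keystream XOR plus HMAC tag); not a krb5 enctype."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(ticket, authenticator, now):
    """Shared by the TGS and by application servers: the authenticator must open under the
    ticket's session key, name the same client and be fresh; the ticket must be within its life."""
    auth = decrypt(bytes.fromhex(ticket["key"]), authenticator)
    if auth["client"] != ticket["client"]:
        raise PermissionError("authenticator does not match ticket client")
    if not ticket["start"] - SKEW <= now <= ticket["end"]:
        raise PermissionError("ticket not yet valid or expired")
    if abs(now - auth["time"]) > SKEW:
        raise PermissionError("authenticator outside the clock-skew window")
    return ticket["client"]

class KDC:
    """Holds every principal's long-term key and issues tickets (the AS and TGS roles)."""
    def __init__(self, realm):
        self.realm, self.tgs = realm, f"krbtgt/{realm}"
        self.keys = {self.tgs: os.urandom(32)}
    def add_principal(self, name, password):
        self.keys[name] = string_to_key(name, self.realm, password)
        return self.keys[name]  # the key a service would carry in its keytab
    def _ticket(self, client, service, lifetime=36_000):
        session_key, now = os.urandom(32), time.time()
        body = {"client": client, "service": service, "key": session_key.hex(),
                "start": now, "end": now + lifetime}
        return encrypt(self.keys[service], body), session_key  # only `service` can open it
    def as_exchange(self, client):
        """AS-REQ -> AS-REP: a TGT plus its session key sealed under the client's own key."""
        tgt, sk = self._ticket(client, self.tgs)
        return tgt, encrypt(self.keys[client], {"service": self.tgs, "key": sk.hex()})
    def tgs_exchange(self, tgt, authenticator, service):
        """TGS-REQ -> TGS-REP: validate the TGT, then issue a ticket for `service`."""
        t = decrypt(self.keys[self.tgs], tgt)
        client = check_authenticator(t, authenticator, time.time())
        ticket, sk = self._ticket(client, service)
        return ticket, encrypt(bytes.fromhex(t["key"]), {"service": service, "key": sk.hex()})

class Client:
    """A user principal with a credential cache (the roles of kinit and the krb5cc file)."""
    def __init__(self, name, password, kdc):
        self.name, self.kdc = name, kdc
        self.key = string_to_key(name, kdc.realm, password)
        self.cache = {}  # service name -> (ticket, session key)
    def kinit(self):
        tgt, enc_part = self.kdc.as_exchange(self.name)
        part = decrypt(self.key, enc_part)  # a wrong password raises ValueError here
        self.cache[part["service"]] = (tgt, bytes.fromhex(part["key"]))
    def _authenticator(self, key):
        return encrypt(key, {"client": self.name, "time": time.time()})
    def ap_req(self, service):
        """(ticket, authenticator) for `service`; fetches the ticket from the TGS if not cached."""
        if service not in self.cache:
            tgt, tgt_key = self.cache[self.kdc.tgs]
            ticket, enc_part = self.kdc.tgs_exchange(tgt, self._authenticator(tgt_key), service)
            self.cache[service] = (ticket, bytes.fromhex(decrypt(tgt_key, enc_part)["key"]))
        ticket, key = self.cache[service]
        return ticket, self._authenticator(key)

def service_accept(keytab_key, ticket, authenticator):
    """AP-REQ verification on an application server: needs only its keytab key, no KDC round trip."""
    return check_authenticator(decrypt(keytab_key, ticket), authenticator, time.time())

def demo():
    kdc = KDC("EXAMPLE.COM")  # constructed sample realm and principals
    http_key = kdc.add_principal("HTTP/www.example.com", os.urandom(16).hex())
    imap_key = kdc.add_principal("imap/mail.example.com", os.urandom(16).hex())
    kdc.add_principal("alice", "correct horse battery staple")
    alice = Client("alice", "correct horse battery staple", kdc)
    alice.kinit()  # the one password-based authentication of the session...
    web_user = service_accept(http_key, *alice.ap_req("HTTP/www.example.com"))  # ...then SSO
    mail_user = service_accept(imap_key, *alice.ap_req("imap/mail.example.com"))
    return web_user, mail_user, sorted(alice.cache)
```

Two things worth noticing when running `demo()`: the application servers never contact the KDC, they verify the AP-REQ using nothing but their own keytab key (which is why exporting the right key to a keytab matters), and a ticket issued for HTTP/www.example.com fails the integrity check if presented to the IMAP server, because it was sealed under a different service's key. A wrong password surfaces as a failure to decrypt the AS-REP, and an expired ticket or stale authenticator is rejected by the timestamp checks.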
microHOWTOs
- Add a host or service principal to a keytab using MIT Kerberos
- Configure Apache to use Kerberos authentication
- Configure Chromium to authenticate using SPNEGO and Kerberos
- Configure Firefox to authenticate using SPNEGO and Kerberos
- Create a host principal using MIT Kerberos
- Create a service principal using MIT Kerberos
Further reading
- Kerberos: The Network Authentication Protocol (official website for MIT Kerberos)
- Heimdal (official website)
- GNU Shishi (official website)
- Neuman et al., The Kerberos Network Authentication Service (V5), RFC 4120, IETF, July 2005