Kerberos

Enhanced Definition

Kerberos is a network authentication protocol that provides strong authentication for client/server applications by using secret-key cryptography. In the z/OS environment, it enables secure verification of user and service identities across a distributed network, preventing the transmission of plaintext passwords and protecting against replay attacks. It is designed to operate in a trusted realm where all participants trust a central Key Distribution Center (KDC).

Key Characteristics

    • Symmetric-Key Cryptography: Every principal (user or service) shares a long-term secret key with the KDC. The client and the server share no key in advance; the KDC generates a fresh session key for each ticket and delivers it to both sides, so the only long-term secrets on the network are the KDC's.
    • Ticket-Based Authentication: Uses temporary, encrypted tickets (Ticket-Granting Ticket - TGT, Service Ticket - ST) instead of passwords. A ticket is encrypted under the key of the service that will consume it (the KDC's own key in the case of a TGT), names the client, carries the session key and an expiry time, and is valid only for that limited lifetime.
    • Centralized KDC: The KDC holds every principal's long-term key and is the sole issuer of tickets. Logically it comprises an Authentication Server (AS), which issues the TGT after the initial login, and a Ticket-Granting Server (TGS), which issues STs in exchange for a valid TGT.
    • Single Sign-On (SSO): Facilitates single sign-on within its security realm: the user authenticates once to obtain a TGT and then presents that TGT to the TGS for each service, without re-entering credentials until the TGT expires.
    • Replay Attack Prevention: Each request to a service carries an authenticator, encrypted under the session key and stamped with the client's current time. The server rejects authenticators outside its permitted clock skew (conventionally five minutes) and keeps a replay cache of those it has already accepted, so an intercepted ticket and authenticator cannot be reused. Nonces in AS and TGS requests bind each KDC reply to the request that produced it.
    • z/OS Implementation: Provided by the Network Authentication Service component of z/OS Integrated Security Services (rather than by the TCP/IP stack itself). It supplies a KDC that can keep its principal data in RACF, together with GSS-API libraries that let z/OS applications and services act as Kerberos clients or servers.
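The three exchanges behind the characteristics above (AS exchange for a TGT, TGS exchange for a service ticket, AP exchange to the service), including the authenticator timestamp, clock-skew limit and replay cache, as an added example in Python. This is illustrative code written for this page, not z/OS Network Authentication Service code: the realm `ZOS.EXAMPLE.COM`, the principals `alice` and `ftp/zos1.example.com`, the password and the timestamps are constructed, `seal()`/`open_()` is a toy authenticated cipher standing in for the RFC 3961 encryption types, and for simplicity the value passed as `now` serves as both the client's and the KDC's clock, so the "skew" case models a client and KDC running 14 minutes ahead of the FTP server.

```python
"""Toy Kerberos V5 flow: AS exchange (kinit), TGS exchange, and AP exchange with a
replay cache and clock-skew check. Added illustration, not z/OS NAS code: realm,
principals and password are constructed; seal()/open_() stands in for RFC 3961 encryption."""
import hashlib, hmac, json, secrets

REALM = "ZOS.EXAMPLE.COM"   # assumed realm
TGS = f"krbtgt/{REALM}"     # the ticket-granting service's own principal
CLOCK_SKEW = 300            # seconds; the conventional Kerberos default

class KerberosError(Exception): pass
class ReplayError(KerberosError): pass
class ClockSkewError(KerberosError): pass

def string_to_key(password, principal):   # stand-in for the RFC 3961 string-to-key function
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)
def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]
def seal(key, obj):   # toy authenticated encryption of a dict: nonce || HMAC tag || ciphertext
    pt, nonce = json.dumps(obj, sort_keys=True).encode(), secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + hmac.new(key, nonce + ct, hashlib.sha256).digest() + ct
def open_(key, blob):
    nonce, tag, ct = blob[:16], blob[16:48], blob[48:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise KerberosError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def verify_ap_req(service_key, ticket, authenticator, now, rcache):
    """Server side of an AP-REQ (the TGS runs the same checks on a TGT); returns (client, session key)."""
    t = open_(service_key, ticket)                 # only the service (or the TGS) holds this key
    if now > t["end"]: raise KerberosError("ticket expired")
    session_key = bytes.fromhex(t["key"])
    a = open_(session_key, authenticator)          # proves the sender holds the ticket's session key
    if a["client"] != t["client"]: raise KerberosError("authenticator principal does not match ticket")
    if abs(now - a["ts"]) > CLOCK_SKEW: raise ClockSkewError(f"{a['ts'] - now:+d}s off the server clock")
    seen = (a["client"], a["ts"], a["usec"])       # replay cache keyed like MIT's (client, ctime, cusec)
    if seen in rcache: raise ReplayError("authenticator already accepted once")
    rcache.add(seen)
    return t["client"], session_key

class KDC:   # Authentication Server and Ticket-Granting Server over one principal registry (RACF on z/OS)
    def __init__(self):
        self.db, self.rcache = {TGS: secrets.token_bytes(32)}, set()
    def _issue(self, service, client, now, life=8 * 3600):
        key = secrets.token_bytes(32)              # fresh session key per ticket
        return seal(self.db[service], {"client": client, "key": key.hex(), "end": now + life}), key
    def as_exchange(self, client, preauth, nonce, now):
        # AS-REQ -> AS-REP. PA-ENC-TIMESTAMP pre-auth: the user proves knowledge of the key first.
        if abs(now - open_(self.db[client], preauth)["ts"]) > CLOCK_SKEW: raise ClockSkewError("pre-auth")
        tgt, key = self._issue(TGS, client, now)
        return tgt, seal(self.db[client], {"nonce": nonce, "key": key.hex()})
    def tgs_exchange(self, tgt, authenticator, service, nonce, now):
        # TGS-REQ -> TGS-REP: the TGT is presented exactly like any other ticket.
        client, tgt_key = verify_ap_req(self.db[TGS], tgt, authenticator, now, self.rcache)
        ticket, key = self._issue(service, client, now)
        return ticket, seal(tgt_key, {"nonce": nonce, "key": key.hex()})

class Client:
    def __init__(self, name, password, kdc):
        self.name, self.key, self.kdc = name, string_to_key(password, name), kdc
    def _auth(self, key, now):                     # authenticator: fresh timestamp under a session key
        return seal(key, {"client": self.name, "ts": now, "usec": secrets.randbelow(10**6)})
    def _reply_key(self, key, rep, nonce):         # the nonce ties a KDC reply to the request it answers
        rep = open_(key, rep)
        if rep["nonce"] != nonce: raise ReplayError("KDC reply nonce mismatch")
        return bytes.fromhex(rep["key"])
    def kinit(self, now):                          # AS exchange, once per login; no password on the wire
        nonce = secrets.randbelow(2**32)
        self.tgt, rep = self.kdc.as_exchange(self.name, seal(self.key, {"ts": now}), nonce, now)
        self.tgt_key = self._reply_key(self.key, rep, nonce)
    def ap_req(self, service, now):                # TGS exchange, then the (ticket, authenticator) pair
        nonce = secrets.randbelow(2**32)
        ticket, rep = self.kdc.tgs_exchange(self.tgt, self._auth(self.tgt_key, now), service, nonce, now)
        return ticket, self._auth(self._reply_key(self.tgt_key, rep, nonce), now)

def demo(now=1_700_000_000):   # happy path plus the failure modes the protocol is built to catch
    kdc = KDC()
    kdc.db["alice"] = string_to_key("correct horse battery", "alice")          # constructed user principal
    ftp, ftp_key, ftp_rcache = "ftp/zos1.example.com", secrets.token_bytes(32), set()  # constructed service
    kdc.db[ftp] = ftp_key                          # the same key sits in the FTP server's keytab
    accept = lambda tkt, auth, at: verify_ap_req(ftp_key, tkt, auth, at, ftp_rcache)[0]
    alice = Client("alice", "correct horse battery", kdc)
    alice.kinit(now)
    ticket, auth = alice.ap_req(ftp, now + 60)
    out = {"login": accept(ticket, auth, now + 60)}   # on z/OS the next step maps "alice" to a RACF user ID
    attempts = {
        "replay": lambda: accept(ticket, auth, now + 61),                      # same AP-REQ sent again
        "skew": lambda: accept(*alice.ap_req(ftp, now + 900), now + 60),       # client clock 14 min ahead
        "expired": lambda: alice.ap_req(ftp, now + 9 * 3600),                  # the 8 h TGT has lapsed
        "bad_password": lambda: Client("alice", "wrong", kdc).kinit(now),
    }
    for label, attempt in attempts.items():
        try:
            attempt()
            out[label] = "accepted"
        except KerberosError as e:
            out[label] = type(e).__name__
    return out
```

`demo()` returns `{"login": "alice", "replay": "ReplayError", "skew": "ClockSkewError", "expired": "KerberosError", "bad_password": "KerberosError"}`. Two points worth noticing: the wrong password fails at pre-authentication inside the KDC, so the client never receives anything encrypted under the user's key to attack offline; and the replay and clock-skew rejections happen entirely at the service, which is why every service host, not only the KDC, needs synchronized time and a replay cache.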

Use Cases

    • Secure FTP and Telnet/TN3270 Access: Authenticating users accessing z/OS FTP servers (which negotiate Kerberos through GSS-API, the AUTH GSSAPI mechanism of RFC 2228) or TN3270 sessions, so that no password crosses the network.
    • Distributed Application Integration: Providing secure authentication for distributed applications (e.g., Java applications, middleware) that need to access z/OS resources like DB2 or CICS.
    • NFS (Network File System) on z/OS: Authenticating users accessing NFS shares hosted on z/OS, ensuring only authorized users can mount and access files.
    • SSH (Secure Shell) on z/OS: Enabling Kerberos authentication for SSH clients connecting to z/OS, offering an alternative to password or public-key authentication.
    • WebSphere Application Server for z/OS: Integrating with Kerberos to provide secure authentication for users accessing applications deployed on WebSphere, often leveraging SPNEGO (Simple and Protected GSSAPI Negotiation Mechanism).

Related Concepts

Kerberos handles authentication only; on z/OS it works alongside the native security manager, RACF (Resource Access Control Facility), which handles authorization. Kerberos verifies *who you are*, and RACF determines *what you can do*. An authenticated Kerberos principal is mapped to a RACF user ID: a local-realm principal is named in the KERB segment (KERBNAME) of the RACF user profile, and a principal from a foreign realm is mapped through a profile in the RACF KERBLINK class. RACF then enforces its resource access rules against the mapped user ID, so a principal with no mapping gains no z/OS access even though the KDC authenticated it. Kerberos operates over TCP/IP networks, and a KDC can draw principal information from an LDAP (Lightweight Directory Access Protocol) directory.

Best Practices

    • High Availability for KDC: Implement redundant and highly available Key Distribution Centers (KDCs) to ensure continuous authentication services for z/OS and other clients; a KDC outage blocks every new login and every new service ticket, although tickets already held remain usable until they expire.
    • Time Synchronization: Maintain strict time synchronization across all Kerberos clients, servers, and the KDC. Authenticators and pre-authentication timestamps outside the permitted clock skew (conventionally five minutes) are rejected, so drift shows up as authentication failures on otherwise healthy systems.
    • Secure Key Management: Protect the KDC master key, the ticket-granting service key (krbtgt) and service principal keys, including the keytab files that hold service keys on each host, with the highest level of security, and rotate them periodically as per security policies. A leaked krbtgt key lets an attacker forge TGTs for any principal, so it must be changed immediately on suspected compromise.
    • Least Privilege for Service Principals: Configure Kerberos service principals, and the RACF user IDs they map to, with the minimum necessary privileges required to perform their functions.
    • Auditing and Logging: Enable comprehensive auditing and logging of Kerberos authentication events on both the KDC and z/OS systems, including failed pre-authentication, clock-skew rejections and replay-cache hits, to detect and respond to potential security incidents.
