I'm dealing with making kerberized connections to databases. I believe I understand the fundamentals of kerberization. The client asks the "Authentication Server" part of the KDC to obtain a TGT (Ticket Granting Ticket), and then, once the user needs to access something which requires the client to authenticate, the client sends the TGT to a different part of the KDC, which supplies the "service ticket" after validating that the user is permitted to access the service. The client then forwards this "Service ticket" to the server and gets the service.

I've also heard of the idioms "kerberos login" and "kerberos password". I do not quite understand what exactly they mean and refer to?

Any pointers please?


You'll need another term first: the "Kerberos Principal". You can say it's the "full login name". If you work with passwords for authentication (and not something safer like smart cards), your "Kerberos Password" is the password used to authenticate your Kerberos Principal.

Both are used to authenticate the client to the AS = Authentication Server (the password isn't sent over the wire, obviously!). When the authentication is granted, the client receives a Session Key.

The Session Key is then used to request TGTs - you overlooked the authentication part in your summary. The Authentication Server won't ever handle anything about TGTs, that is what the Ticket Granting Services are for. (Even when both are implemented on the same machine, they're still independent services.)

It's all not too complicated, really; it's mainly terminology.

To begin with, read the Wikipedia article on Kerberos or take a look at some diagrams like this one or this. For reference, read The Kerberos Tutorial. (Also of great interest might be Designing an Authentication System: a Dialogue in Four Scenes, which describes the rationale behind Kerberos, and John Tung's "The Moron's Guide to Kerberos".)

Hopefully this answers it all - otherwise, please rephrase / improve your question.
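The AS exchange the answer describes (principal, password, pre-authentication, session key), as an added simulation that is not part of the original post or of any real Kerberos implementation: the client turns its password into a long-term key locally, proves possession of it by sealing a timestamp, and gets back a session key it can read plus a TGT sealed under the TGS key that it cannot. The `wrap`/`unwrap` primitives, the `AuthenticationServer` class, the principal names and the `krbtgt/EXAMPLE` service name are all constructed for this example.

```python
import hashlib, hmac, json, os, time

# Toy primitives built for this illustration only. Real Kerberos derives the
# long-term key with string2key (salted with realm and principal name) and uses
# its own AES-based encryption types; only the message shape is mirrored here.
def long_term_key(principal: str, password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def wrap(key: bytes, payload: dict) -> bytes:
    # keystream XOR plus an HMAC tag: enough to show "sealed under key X"
    data, nonce = json.dumps(payload).encode(), os.urandom(16)
    stream = hashlib.sha256(key + nonce).digest() * (len(data) // 32 + 1)
    ct = bytes(a ^ b for a, b in zip(data, stream))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unwrap(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    stream = hashlib.sha256(key + nonce).digest() * (len(ct) // 32 + 1)
    return json.loads(bytes(a ^ b for a, b in zip(ct, stream)))

class AuthenticationServer:
    """The AS half of the KDC: it stores long-term keys, never passwords, and
    issues only the initial ticket; service tickets are the TGS's job."""
    def __init__(self, principal_keys: dict, tgs_key: bytes):
        self.keys, self.tgs_key = principal_keys, tgs_key

    def as_exchange(self, as_req: dict) -> dict:
        key = self.keys[as_req["cname"]]            # lookup by principal name
        preauth = unwrap(key, as_req["padata"])      # fails on a wrong password
        if abs(time.time() - preauth["timestamp"]) > 300:
            raise ValueError("pre-authentication timestamp outside clock skew")
        session_key = os.urandom(32)
        # TGT is sealed under the TGS key: the client carries it but cannot read it
        tgt = wrap(self.tgs_key, {"cname": as_req["cname"], "key": session_key.hex()})
        enc_part = wrap(key, {"key": session_key.hex(), "sname": "krbtgt/EXAMPLE"})
        return {"ticket": tgt, "enc_part": enc_part}

def build_as_req(principal: str, password: str) -> dict:
    # the password is used only locally to derive the key; it never leaves the host
    key = long_term_key(principal, password)
    return {"cname": principal, "padata": wrap(key, {"timestamp": time.time()})}

def client_login(asrv: AuthenticationServer, principal: str, password: str):
    """Returns (session_key, tgt); the session key is what the TGS exchange uses."""
    as_rep = asrv.as_exchange(build_as_req(principal, password))
    key = long_term_key(principal, password)
    session_key = bytes.fromhex(unwrap(key, as_rep["enc_part"])["key"])
    return session_key, as_rep["ticket"]
```

A wrong password fails at the AS's `unwrap` of the pre-authentication data, and the client's own key cannot open the TGT, which is why a stolen password and a stolen ticket are different problems to detect.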