Kerberos (GSSAPI) Authentication
Kerberos is a security protocol that provides an alternate mechanism for both client and server authentication. Kerberos authentication relies on a trusted third party called the KDC (Key Distribution Center). The Secure Shell protocol supports Kerberos authentication via GSSAPI (Generic Security Services Application Programming Interface).
Reflection for Secure IT supports Kerberos authentication when the KDC is a Windows domain controller. Both the client user and server host must be part of the same Windows domain.
Note: Windows operating systems starting with Windows 2000 manage authentication using Kerberos version 5. The KDC is maintained on the Windows domain controller and Active Directory is used to manage the security account database.
Advantages of using Kerberos authentication include:
Server Authentication using GSSAPI
By default, Secure Shell connections are established using this sequence of events:
When GSSAPI is used for server authentication, the Kerberos KDC authenticates the server during the initial key exchange. No subsequent server authentication is needed, and the server never sends a host key to the client.
Client Authentication using GSSAPI
After a user has authenticated to a Windows domain, that user holds Kerberos credentials that can be used by other Kerberized applications. When you configure Reflection for Secure IT to support GSSAPI, the server uses Kerberos credentials to authenticate client users. This means that users who have authenticated to the Windows domain need no additional authentication to connect to the server.