Kerberos (GSSAPI) Authentication

Kerberos is a security protocol that provides an alternate mechanism for both client and server authentication. Kerberos authentication relies on a trusted third party called the KDC (Key Distribution Center). The Secure Shell protocol supports Kerberos authentication via GSSAPI (Generic Security Services Application Programming Interface).

Advantages of using Kerberos authentication include:

  • Using a trusted third party eliminates the key management tasks you encounter when you use public key authentication.
  • When Kerberos is used for server authentication, no host key is required. This means that client users won't need to respond to an unknown host prompt.

Server Authentication using GSSAPI

By default, Secure Shell connections are established using this sequence of events:

  1. Key exchange — the client and server negotiate a shared secret key, cipher, and hash for the session.
  2. Server authentication — by default, the server presents a host key for this purpose.
  3. Client authentication.

When GSSAPI is used for server authentication, the Kerberos KDC authenticates the server during the initial key exchange. No subsequent server authentication is needed, and the server never sends a host key to the client.

Client Authentication using GSSAPI

After a user has authenticated to the KDC, that user holds Kerberos credentials that can be used by other kerberized applications. When you configure Reflection for Secure IT to support GSSAPI, the server uses Kerberos credentials to authenticate client users. This means that users who have authenticated to the KDC need no additional authentication to connect to the server.

Related Topics

Kerberos System Requirements

Configure Kerberos Server and Client Authentication