Kerberos (GSSAPI) Authentication

Kerberos is a network authentication protocol that provides an alternative mechanism for both client and server authentication. Kerberos authentication relies on a trusted third party called the KDC (Key Distribution Center), which issues tickets to principals (users and hosts) that have already authenticated to it. The Secure Shell protocol supports Kerberos authentication via GSSAPI (Generic Security Services Application Programming Interface), as specified in RFC 4462.

Reflection for Secure IT supports Kerberos authentication when the KDC is a Windows domain controller. Both the client user and server host must be part of the same Windows domain.

Note: Windows operating systems starting with Windows 2000 manage authentication using Kerberos version 5. The KDC is maintained on the Windows domain controller and Active Directory is used to manage the security account database.

Advantages of using Kerberos authentication include:

  • Using a trusted third party eliminates the key distribution and management tasks that public key authentication requires. Trust is placed in the domain's KDC instead, so the security of every Kerberos-authenticated connection depends on the integrity of the domain controllers.
  • Client users who log into the Windows domain need no additional authentication to connect to the Reflection for Secure IT server.
  • When Kerberos is used for server authentication, no host key is required. This means that client users won't need to respond to an unknown host prompt, and there is no host key fingerprint to verify out of band.

Server Authentication using GSSAPI

By default, Secure Shell connections are established using this sequence of events:

  1. Key exchange — the client and server negotiate a shared secret key, cipher, and hash for the session.
  2. Server authentication — by default, the server presents a host key for this purpose.
  3. Client authentication.

When GSSAPI is used for server authentication, the server is authenticated as part of the initial key exchange rather than by a host key: the client obtains a Kerberos service ticket for the server's host principal from the KDC, and the server proves that it holds that principal's key by producing a GSSAPI message integrity code over the key exchange hash. No subsequent server authentication is needed, and the server never sends a host key to the client.

Client Authentication using GSSAPI

After a user has authenticated to a Windows domain, that user holds Kerberos credentials (a ticket-granting ticket) that can be used by other Kerberized applications. When you configure Reflection for Secure IT to support GSSAPI, the server accepts the user's Kerberos service ticket, presented through the gssapi-with-mic user authentication method, in place of a password or public key. This means that users who have authenticated to the Windows domain need no additional authentication to connect to the server. For this to work, the client must be able to obtain a service ticket for the server's host principal, so users should connect using a host name that the KDC can map to the server's service principal name (normally its fully qualified domain name) rather than an IP address.
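The two protocol steps described above (Kerberos during key exchange, and gssapi-with-mic during user authentication) are visible on the wire before any ticket is exchanged, so a practitioner can check what a server or client is actually offering. The following is an added example, not code from Reflection for Secure IT or from this documentation: it builds and parses the relevant SSH messages as RFC 4253 and RFC 4462 define them, using constructed sample messages rather than captured traffic. It shows how a GSSAPI key exchange method name is derived from the Kerberos mechanism OID, how a server advertises that method together with the RFC 4462 "null" host key algorithm, and how a client's USERAUTH_REQUEST offers the Kerberos mechanism for gssapi-with-mic. The user name "alice" and the algorithm lists are assumptions chosen for the example.

```python
import base64
import hashlib
import struct

# Kerberos V5 mechanism OID 1.2.840.113554.1.2.2 (RFC 1964), ASN.1 DER encoded
# including tag and length: 06 09 2a 86 48 86 f7 12 01 02 02.
KRB5_MECH_OID_DER = bytes.fromhex("06092a864886f712010202")

SSH_MSG_KEXINIT = 20
SSH_MSG_USERAUTH_REQUEST = 50


def _string(data: bytes) -> bytes:
    """SSH 'string' wire type (RFC 4251): uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _name_list(names) -> bytes:
    """SSH 'name-list': a string holding comma-separated ASCII names."""
    return _string(",".join(names).encode("ascii"))


def _read_string(buf: bytes, off: int):
    """Read one SSH string at offset; returns (bytes, new_offset). Rejects truncation."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def gss_kex_method_name(base: str, mech_oid_der: bytes = KRB5_MECH_OID_DER) -> str:
    """RFC 4462 section 2.1: a GSS-API key exchange method is named
    '<base>-' + base64(MD5(DER encoding of the mechanism OID)).
    MD5 is used here only as the RFC's naming scheme, not for security."""
    digest = hashlib.md5(mech_oid_der).digest()
    return base + "-" + base64.b64encode(digest).decode("ascii")


def build_kexinit(kex_algs, host_key_algs, cookie: bytes = bytes(16)) -> bytes:
    """Serialize an SSH_MSG_KEXINIT payload (RFC 4253 section 7.1).
    Cipher, MAC, compression and language lists are fixed to representative values."""
    lists = [kex_algs, host_key_algs,
             ["aes256-ctr"], ["aes256-ctr"],
             ["hmac-sha2-256"], ["hmac-sha2-256"],
             ["none"], ["none"], [], []]
    body = b"".join(_name_list(n) for n in lists)
    # boolean first_kex_packet_follows = 0, then the reserved uint32 0
    return bytes([SSH_MSG_KEXINIT]) + cookie + body + b"\x00" + struct.pack(">I", 0)


def parse_kexinit(payload: bytes):
    """Return (kex_algorithms, server_host_key_algorithms) from a KEXINIT payload."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    off = 1 + 16  # message type byte plus the 16-byte cookie
    lists = []
    for _ in range(10):
        raw, off = _read_string(payload, off)
        lists.append([n for n in raw.decode("ascii").split(",") if n])
    return lists[0], lists[1]


def gss_kex_offered(payload: bytes, mech_oid_der: bytes = KRB5_MECH_OID_DER):
    """GSS-API key exchange methods in a KEXINIT that are bound to the given mechanism.
    A non-empty result means the peer can authenticate the server through Kerberos
    during key exchange, so no host key is needed (RFC 4462 'null' host key algorithm)."""
    kex_algs, _ = parse_kexinit(payload)
    suffix = gss_kex_method_name("", mech_oid_der)  # yields "-<base64 digest>"
    return [m for m in kex_algs if m.startswith("gss-") and m.endswith(suffix)]


def build_gssapi_userauth_request(user: str, mech_oids=(KRB5_MECH_OID_DER,)) -> bytes:
    """SSH_MSG_USERAUTH_REQUEST for 'gssapi-with-mic' (RFC 4462 section 3.2):
    user, service, method, then a uint32 count and the DER OID of each mechanism."""
    msg = bytes([SSH_MSG_USERAUTH_REQUEST])
    msg += _string(user.encode("utf-8")) + _string(b"ssh-connection")
    msg += _string(b"gssapi-with-mic")
    msg += struct.pack(">I", len(mech_oids)) + b"".join(_string(o) for o in mech_oids)
    return msg


def kerberos_offered_for_userauth(payload: bytes) -> bool:
    """True if a USERAUTH_REQUEST uses gssapi-with-mic and lists the Kerberos V5 mechanism."""
    if not payload or payload[0] != SSH_MSG_USERAUTH_REQUEST:
        raise ValueError("not an SSH_MSG_USERAUTH_REQUEST payload")
    _user, off = _read_string(payload, 1)
    _service, off = _read_string(payload, off)
    method, off = _read_string(payload, off)
    if method != b"gssapi-with-mic":
        return False
    if off + 4 > len(payload):
        raise ValueError("truncated mechanism count")
    (count,) = struct.unpack_from(">I", payload, off)
    off += 4
    oids = []
    for _ in range(count):
        oid, off = _read_string(payload, off)
        oids.append(oid)
    return KRB5_MECH_OID_DER in oids


# Constructed sample messages for the example (not captures from a real server or client).
SAMPLE_SERVER_KEXINIT = build_kexinit(
    [gss_kex_method_name("gss-group14-sha256"), "diffie-hellman-group14-sha256"],
    ["null", "rsa-sha2-256"])
SAMPLE_CLIENT_USERAUTH = build_gssapi_userauth_request("alice")

if __name__ == "__main__":
    print("GSS key exchange offered:", gss_kex_offered(SAMPLE_SERVER_KEXINIT))
    print("Kerberos offered for userauth:", kerberos_offered_for_userauth(SAMPLE_CLIENT_USERAUTH))
```

The base64 suffix that gss_kex_method_name produces for the Kerberos V5 OID is the same one that appears in the kex method names of GSSAPI-capable Secure Shell implementations, so a server's KEXINIT can be checked against it directly. If a server advertises only conventional key exchange methods, the client will fall back to host key authentication regardless of how GSSAPI is configured on the client side.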

Related Topics

Configure GSSAPI Server and Client Authentication