Ora

What is Kerberos cache?

Published in Kerberos Authentication 7 mins read

A Kerberos cache, often referred to as a Kerberos credential cache, is a crucial component in the Kerberos authentication system that holds Kerberos protocol credentials in semipermanent storage. It serves as a temporary repository for tickets, session keys, and other identifying information, allowing clients to securely access network services without re-entering their credentials for every request.

What is the Kerberos Credential Cache?

The Kerberos credential cache is a local storage mechanism, typically a file or an area in memory, that stores a user's authenticated Kerberos credentials. When a user successfully authenticates to the Kerberos Key Distribution Center (KDC), the resulting credentials—such as the Ticket Granting Ticket (TGT) and associated session keys—are stored in this cache. The Kerberos protocol reads credentials from the cache as they are required and stores new credentials in the cache as they are obtained, enabling efficient and seamless access to multiple services.

Purpose and Functionality

The primary purpose of the Kerberos cache is to facilitate Single Sign-On (SSO) and optimize network authentication. Without a cache, a client would need to request new credentials from the KDC for every service it wished to access, leading to repetitive authentication prompts, increased network traffic, and slower service access.

Here's how it functions:

  1. Initial Authentication: A user logs in and authenticates to the KDC, typically via the kinit command on Unix-like systems or automatic logon on Windows.
  2. TGT Acquisition: The KDC issues a Ticket Granting Ticket (TGT) and a session key. These are stored in the user's credential cache.
  3. Service Ticket Requests: When the user attempts to access a Kerberized service (e.g., an NFS share, SSH, a web application), the client retrieves the TGT from the cache.
  4. Service Ticket Acquisition: The client then uses the TGT to request a service ticket for the specific service from the KDC.
  5. Service Ticket Storage: The newly acquired service ticket is also stored in the credential cache.
  6. Service Access: The client presents the service ticket to the target service for authentication. This process avoids direct password transmission and repeated KDC contact for already-authenticated services.

This cycle continues until the TGT or service tickets expire, at which point new ones must be obtained.

Contents of the Cache

The Kerberos credential cache contains essential pieces of information required for subsequent authentications. These typically include:

  • Ticket Granting Ticket (TGT): The initial ticket obtained from the KDC, which serves as proof of identity and is used to request service tickets.
  • Service Tickets: Tickets specifically issued for accessing individual network services (e.g., for host/server.example.com@REALM).
  • Session Keys: Symmetric encryption keys shared between the client and the KDC (for TGTs) or the client and the service (for service tickets). These keys are used to encrypt communication and verify identity.
  • Other Identifying Information: Details such as the principal name, expiration times, and flags associated with the tickets.
Component Description Role in Kerberos Authentication
TGT A special Kerberos ticket that proves the user's identity to the KDC's Ticket-Granting Service (TGS). Used to request service tickets for specific network services without re-entering the user's password.
Service Ticket A ticket issued by the KDC (via the TGS) for a particular network service. Presented directly to the target service to authenticate the user and authorize access.
Session Key A shared secret key established between the client and the KDC or between the client and a service. Used for encrypting secure communications and verifying the authenticity and integrity of messages during a session.
Expiration Time The timestamp indicating when a ticket or TGT will no longer be valid. Ensures that credentials are not used indefinitely and promotes security by requiring periodic re-authentication.
Flags Attributes of the ticket, such as whether it's renewable, proxiable, or postdatable. Define the behavior and capabilities of the ticket, impacting how it can be used or extended.

Types and Locations of Credential Caches

Kerberos caches can reside in different locations and forms depending on the operating system and Kerberos implementation.

Cache Types

  • File-based Cache: The most common type on Unix-like systems (Linux, macOS). The credentials are stored in a file in the user's home directory or a system-wide temporary directory. This file is typically owned by the user and has restrictive permissions.
  • Memory-based Cache: Often used on Windows systems (e.g., within the Local Security Authority Subsystem Service - LSASS) and increasingly available as an option on Unix-like systems. Credentials are held in volatile memory, which can offer enhanced security by making them harder to extract from disk, but they are lost upon system reboot.
  • Keyring Cache: Linux kernels offer a "keyring" service that can store credentials securely in kernel memory, accessible only by processes with appropriate permissions.

Common Locations and Configuration

The location of the credential cache is often determined by the KRB5CCNAME environment variable.

  • Unix-like Systems:
    • Default: If KRB5CCNAME is not set, it often defaults to /tmp/krb5cc_<uid> (where <uid> is the user ID) or FILE:/tmp/krb5cc_<uid>.
    • User-specific: Users can set KRB5CCNAME to point to a file in their home directory, e.g., export KRB5CCNAME=/home/user/.krb5cc.
    • Memory Cache: export KRB5CCNAME=MEMORY:persistent:0 (or similar, depending on the Kerberos library configuration).
    • Keyring Cache: export KRB5CCNAME=KEYRING:persistent:0 (Linux-specific).
  • Windows: Kerberos credentials are managed by the operating system and typically stored in protected memory within the LSA. Users rarely interact with a file-based cache directly.

Practical Aspects and Management

Managing the Kerberos cache is straightforward using command-line tools.

Viewing the Cache

The klist command is used to display the contents of the current Kerberos credential cache.

Example:

$ klist
Ticket cache: FILE:/tmp/krb5cc_1000
Default principal: [email protected]

Valid starting       Expires              Service principal
04/18/24 09:30:00    04/18/24 19:30:00    krbtgt/[email protected]
04/18/24 09:35:15    04/18/24 19:30:00    nfs/[email protected]

This output shows the default principal, the TGT (krbtgt/[email protected]), and a service ticket for NFS.

Obtaining a TGT (Initializing the Cache)

The kinit command is used to obtain a new TGT and populate the cache.

Example:

$ kinit [email protected]
Password for [email protected]:

After successful authentication, klist will show the new TGT.

Destroying the Cache

The kdestroy command is used to remove all credentials from the cache, effectively logging the user out of Kerberos. This is a crucial security measure, especially on shared systems.

Example:

$ kdestroy
$ klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_1000)

Security Considerations

Because the Kerberos cache holds sensitive authentication material, its security is paramount:

  • File Permissions: File-based caches must have strict permissions, typically readable and writable only by the owning user (0600).
  • Location: Avoid storing caches in publicly accessible directories.
  • Encryption: While the contents are encrypted using various keys, the cache itself is a target. Some implementations offer additional encryption for the cache file.
  • Expiration: Tickets have expiration times, limiting the window of opportunity for an attacker if a cache is compromised.
  • Secure Deletion: Always use kdestroy to securely remove credentials when they are no longer needed, particularly before logging off a public or shared workstation.

Benefits of Kerberos Caching

The Kerberos cache provides significant advantages in network environments:

  • Reduced Network Traffic: Eliminates the need for repeated KDC requests for every service access.
  • Improved Performance: Faster access to services due to fewer authentication round-trips.
  • Enhanced User Experience: Provides a seamless single sign-on experience, removing the need for users to re-enter passwords.
  • Stronger Security: By minimizing direct password usage and relying on time-limited tickets, it reduces the risk of password compromise.

The Kerberos cache is an indispensable element that balances security, efficiency, and user convenience in Kerberos-authenticated environments.

← Previous Article
What is a BOS Token?
Next Article →
What is the frequency range of a subwoofer?