Đang chuẩn bị liên kết để tải về tài liệu:
hack proofing linux a Guide to Open Source Security phần 6

Chính này công nhận dịch vụ FTP cho các dịch vụ www.yourcompany.com. Bất kỳ người sử dụng đúng cách xác thực với KDC và những người được phép truy cập vào dịch vụ này sau đó sẽ có thể sử dụng dịch vụ FTP trên máy chủ www.yourcompany.com. Nhiều lần, tuy nhiên, một hiệu trưởng không có một cá thể. Ví dụ, nó có thể tạo ra một chính người sử dụng, sẽ xuất hiện như sau: | Network Authentication and Encryption Chapter 6 323 Figure 6.10 A Kerberos Principal Principal Primary Host Instance www.yourcompany.com Realm @YOURCOMPANY.COM The following is an example of a host daemon principal ftp www.yourcompany.com@YOURCOMPANY.COM This principal recognizes the FTP service for the www.yourcompany.com service. Any user who properly authenticates with the KDC and who is allowed access to this service will then be able to use the FTP service on the www.yourcompany.com host. Many times however a principal does not have an instance. For example it is possible to create a user principal which would appear as follows james@YOURCOMPANY.COM.This principal would allow a user to log on to any host in a Kerberos realm.You can of course specify an instance for a user. For example the following principal would allow login to only the system named www.yourcompany.com james www.yourcompany.com @YOURCOMPANY.COM The Kerberos Authentication Process The information in the next couple of paragraphs is greatly simplified but it is more than enough from a system administrator s point of view.When a Kerberos client first obtains a TGT from the KDC this token does not actually provide access to any particular daemon or network service. It is simply a token that informs other hosts that the KDC has authenticated this host and that this host and user can request services from other hosts. Because the TGT is signed by the user s password and turned into a hash the user can use the kinit command and his own password to generate the same hash and make a comparison between the two. If the TGT and password match then a session key is established and a credential cache is created usually in a file in the tmp directory. www.syngress.com 324 Chapter 6 Network Authentication and Encryption After the credential cache file is populated with the TGT the host and user can then use this TGT to actually log on to hosts and request services.When it comes time for a user a principal to