Apple Developer Connection

Kerberos: Highly Secure Single Sign-On Authentication in Mac OS X

A strong, secure network authentication protocol is crucial to all modern computing infrastructures. Whether you are sending login information over the Internet, a corporate intranet, or wireless LAN, opportunities for malicious users to gain access to protected data must be carefully considered. To address this risk, Mac OS X implements Kerberos, an open-source, single sign-on authentication protocol developed and maintained at the Massachusetts Institute of Technology (MIT).

This article discusses Kerberos in Mac OS X and how the protocol is used for secure Single Sign On authentication. The importance of this secure, standards-based methodology will be discussed from both a system administrator and developer perspective.

What Is Kerberos?

Picture walking into the local county fair, and you are given two choices. You can either use your credit card at the entry of every ride or you can use it once at a booth, which grants you a ticket that you can use for the remainder of the day. It's a pretty simple choice if you're concerned about the security of your credit card information and want to have a hassle-free day at the park.

This is exactly what Kerberos accomplishes in its implementation of Single Sign On in network environments. At the beginning of the workday, a user enters his/her password into the system once; this action decrypts a ticket from a server running as a Kerberos Key Distribution Center (KDC). The ticket holds a set of encrypted keys, which are used throughout the day to authenticate user access without exchanging sensitive password information. It expires after a given amount of time (typically one day), so even if a would-be intruder sniffs it out and decrypts the information, the user-access information remains safe in the long term.

Brief History of Kerberos

Researchers at MIT took early notice of the problems inherent in sending sensitive data across computer networks. The basic tenet is that all data transmitted across a network—whether behind a firewall, on an intranet, or across the Internet—should be secured through a third-party authentication process and strong cryptography. After working through internal versions at MIT, the first public version of Kerberos (version 4) was released in 1987.

A robust development cycle has continued since then, working under the version 5 specification since 1993. The latest Kerberos is version 5, release 1.5 (in Mac OS X, it's often referred to as Kerberos 5.5).

How Kerberos Works

Here's a brief description of how Kerberos works.

Kerberos uses three major components to implement secure authentication:

  1. Kerberos KDC: Kerberos is integrated into Open Directory in Mac OS X, thus the Open Directory Master runs the KDC for Kerberos. Active Directory can also be used as a KDC for Mac OS X clients.
  2. Kerberized Service: A Kerberized service is an application that can use Kerberos to grant access to users (e.g., Apple Mail, SSH).
  3. Kerberos Client: A Kerberos client is the user who is requesting access to a Kerberized service.

The KDC holds everything together, but the purpose of Kerberos is to authenticate access between clients and services. The client and the service are therefore referred to as Kerberos principals, and the KDC is referred to as the trusted third party.

Each principal has a unique encryption key known only to the principal and the KDC. The KDC also has its own unique encryption key. The basic concept relies on the KDC issuing session keys inside Ticket Granting Tickets (TGTs) to clients and services, so that services are authenticated without passwords being transmitted and without any principal gaining access to a private key other than its own. The TGT holds client information and the session key, and it expires after a period of time (typically 10 hours).

Understanding the session key is critical to understanding how Kerberos works. Handing out a session key is roughly comparable to passing an encrypted password over the network (which is what Kerberos avoids), with the critical advantage that the session key carries an expiration time. In other words, if someone does sniff out and decrypt the information in a TGT, the breach is limited to the current session.

From a network security standpoint, the advantages of this strategy are similar to users changing their passwords every 10 hours (the default session time), which every system administrator knows is an unrealistic expectation.
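The three exchanges sketched above (client to KDC for a TGT, TGT to KDC for a service ticket, service ticket to the Kerberized service) are easier to reason about with a concrete model. The following is an added example written for this article, not code from Apple or from the MIT Kerberos distribution. It is a deliberately small Python model of the ticket flow: the realm, principals and passwords are constructed, an HMAC-based encrypt-then-MAC routine stands in for the real Kerberos encryption types, and pre-authentication, ASN.1 message encoding, renewable tickets and replay caches are omitted. What it does show is the security property the text describes: the password is used once, locally, to unlock the session key; the KDC and the service never see it; and a TGT presented after its lifetime is refused.

```python
import hashlib
import hmac
import json
import os

NONCE_LEN, TAG_LEN = 16, 32

def derive_key(password, salt):
    # Stand-in for the Kerberos string-to-key function: password -> long-term key.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _keystream(key, nonce, length):
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(key, msg):
    # Toy encrypt-then-MAC of a JSON message; real Kerberos uses an AES enctype.
    nonce, pt = os.urandom(NONCE_LEN), json.dumps(msg).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    # A wrong key or a tampered blob fails the tag check before anything is decrypted.
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_ticket(t, authenticator, now, skew=300):
    # Lifetime first; then the authenticator must open under the ticket's session key,
    # name the same client, and carry a timestamp within the allowed clock skew.
    if now >= t["expires"]:
        raise PermissionError("ticket expired")
    auth = unseal(bytes.fromhex(t["session"]), authenticator)
    if auth["client"] != t["client"] or abs(now - auth["ts"]) > skew:
        raise PermissionError("authenticator does not match the ticket or is stale")

class KDC:
    # The trusted third party: the only one that knows every principal's long-term key.
    def __init__(self, realm, ticket_lifetime=10 * 3600):
        self.realm, self.lifetime, self.keys = realm, ticket_lifetime, {}
        self.tgs_key = os.urandom(32)  # key of the ticket-granting service itself

    def add_principal(self, name, password):
        self.keys[name] = derive_key(password, self.realm + name)
        return self.keys[name]  # a service keeps its own copy (its keytab)

    def as_exchange(self, client, now):
        # AS exchange: the request names the client; the password never crosses the wire.
        session, expires = os.urandom(32).hex(), now + self.lifetime
        tgt = seal(self.tgs_key, {"client": client, "session": session, "expires": expires})
        # Only the holder of the client's password-derived key can open this part.
        return tgt, seal(self.keys[client], {"session": session, "expires": expires})

    def tgs_exchange(self, tgt, authenticator, service, now):
        # TGS exchange: an unexpired TGT plus a fresh authenticator buys a service ticket.
        t = unseal(self.tgs_key, tgt)
        check_ticket(t, authenticator, now)
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service],
                      {"client": t["client"], "session": svc_session, "expires": t["expires"]})
        return ticket, seal(bytes.fromhex(t["session"]), {"service": service, "session": svc_session})

def client_login(kdc, name, password, now):
    # Single sign-on: the password is used once, locally, to unlock the session key and TGT.
    tgt, enc_part = kdc.as_exchange(name, now)
    creds = unseal(derive_key(password, kdc.realm + name), enc_part)  # wrong password -> ValueError
    return {"tgt": tgt, "session": bytes.fromhex(creds["session"]), "expires": creds["expires"]}

def client_service_ticket(kdc, name, creds, service, now):
    authenticator = seal(creds["session"], {"client": name, "ts": now})
    ticket, enc_part = kdc.tgs_exchange(creds["tgt"], authenticator, service, now)
    return ticket, bytes.fromhex(unseal(creds["session"], enc_part)["session"])

def service_accept(service_key, ticket, authenticator, now):
    # The Kerberized service validates the ticket with its own key; no KDC round trip needed.
    t = unseal(service_key, ticket)
    check_ticket(t, authenticator, now)
    return t["client"]

def demo():
    kdc, afp, t0, results = KDC("EXAMPLE.COM"), "afpserver/fs01.example.com", 1_000_000, {}
    kdc.add_principal("alice", "correct horse battery staple")  # constructed principals
    afp_key = kdc.add_principal(afp, "service-key-material")
    try:
        client_login(kdc, "alice", "wrong password", t0)
    except ValueError:
        results["wrong_password_rejected"] = True
    creds = client_login(kdc, "alice", "correct horse battery staple", t0)
    ticket, svc_session = client_service_ticket(kdc, "alice", creds, afp, t0 + 60)
    auth = seal(svc_session, {"client": "alice", "ts": t0 + 61})
    results["user"] = service_accept(afp_key, ticket, auth, t0 + 61)
    try:  # the same TGT presented after its 10-hour lifetime is refused
        client_service_ticket(kdc, "alice", creds, afp, t0 + 11 * 3600)
    except PermissionError:
        results["expired_tgt_rejected"] = True
    return results
```

Running `demo()` walks one user through the whole day: a wrong password fails at the client, because the KDC's reply can only be opened with the key derived from the correct password; the service ticket is checked by the AFP service using only its own key; and the ten-hour lifetime in `KDC.__init__` is what bounds the damage if a TGT is captured, which is the point the text makes about session expiry.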

Kerberos in Mac OS X

Kerberos is Apple's choice for a system-wide Single Sign On technology, and Mac OS X continues to enable applications for Kerberos. It was first introduced in Mac OS X v10.2 Jaguar. In its first Mac OS X release, enabling Kerberos required a manual configuration process. Since the release of Mac OS X v10.3 Panther, Kerberos authentication has been integrated into Open Directory, which makes the setup process much easier. Setting up an Open Directory master will automatically enable that server as a Kerberos KDC.

You can check to see if Kerberos is running by connecting to the Open Directory master with Server Admin and selecting Open Directory from the Services list. If it isn't running, check the Mac OS X Server guides: Open Directory Administration Guide (.PDF, 3MB) and the Network Services Administration Guide (.PDF, 980KB) for Open Directory and Kerberos setup information.

In Mac OS X v10.4 Tiger, WebDAV and VPN access became Kerberized, which means they each can use Kerberos for single sign-on authentication. Kerberized utilities in Mac OS X now include Safari, SSH, SMB, Mail, Telnet, the VPN client, and the Apple Filing Protocol (AFP) client. Mac OS X also includes Kerberos.app, a GUI-based Kerberos ticket-granting application designed specifically for the Mac. You can find Kerberos.app in /System/Library/CoreServices/. Kerberos.app is a system utility that can be used to explicitly request and retrieve a ticket from a Kerberos KDC if a user's Mac OS X login isn't set to do this automatically with Open Directory. Kerberos.app is typically used by administrators; general-purpose use of Kerberos is transparent to the user. To add support for additional applications, such as Eudora and Fetch, users can download Mac OS X Kerberos Extras from the MIT project page.

Kerberos for Mac OS X System Administrators

A system administrator who is new to Kerberos might wonder what problem Kerberos really solves. Many system administrators and developers are comfortable implementing secure applications with standard passwords, SSL, and certificates. The key unique features of Kerberos are Single Sign On and third-party authentication, each of which adds significantly to both security and an efficient user-level login process.

Single Sign On contributes to a secure network environment by giving users a single username and password with a standardized security profile across all Kerberized applications. Remembering this password and changing it according to your organization's security guidelines is simplified because it is done in just one place.

The third-party authentication system in Kerberos is a significant advantage over many other security protocols: not only do passwords never cross the network in clear text, Kerberos keeps passwords off the network altogether.

A downside of third-party authentication is the reliance on the KDC to be up and running for users to get access to services. In enterprise and mission-critical environments, it's important for system administrators to create at least one fail-over KDC. In Mac OS X, this can be implemented with an Open Directory Replica that runs alongside an Open Directory Master. This fail-over KDC can be configured in Server Admin.

Kerberos for Mac OS X Developers

Kerberos is compelling from a developer standpoint, as it allows applications to authenticate users with a standards-based, open-source process that's deployed across a variety of operating systems. Most versions of UNIX, Linux and Windows have built-in Kerberized features. Kerberos is a wise choice for authentication in general, but applications designed for multiplatform use are especially well suited to be Kerberized.

The Kerberos Framework in Mac OS X includes:

  • Kerberos v5

    This is the latest version of Kerberos, version 5, release 1.5 (in Mac OS X, it's often referred to as Kerberos 5.5).

  • Generic Security Service Application Program Interface (GSS-API)

    GSS-API, which the Mac OS X implementation of Kerberos uses, is defined in terms that are basically equivalent to Kerberos v5, but the name denotes the application interface that developers program against. *

  • Login Library

    This part of the API gives developers the tools to automate login for Kerberized applications (i.e., SSO).

  • Kerberos v4

    Some older Kerberized applications still use the Kerberos v4 spec, so it's important that this is included in any Kerberos framework.

  • KClient

    KClient provides an application programming interface (API) for Kerberos v4 services.

* Some implementations, such as the Windows implementation of Kerberos, use proprietary forks of the API with different names. The Windows variant is called Security Support Provider Interface (SSPI). It has proprietary elements but is generally considered similar enough to create comparable ports and interoperability between the two platforms.

Mac developers who stick to the Kerberos v5/GSS-API can be confident they won't have to significantly rewrite code as they move applications across platforms and upgrade to new versions. The GSS-API is an Internet Engineering Task Force (IETF) standard that can be used for a wide variety of security purposes but is most often found in Kerberos-related code. GSS-API assumes a client-server architecture and standardizes the authentication process between two systems. The idea is to allow developers to work with a single API, regardless of which security system is implemented. This allows varied security systems to build in interoperability with Kerberos by using the API; for instance, packages such as OpenLDAP, SSH, and CVS have all been Kerberized by utilizing GSS-API calls in their code.

The development community is highly active, both on the open-source side and in the development of proprietary solutions associated with Kerberos. Developers of applications that operate in network environments can and should take advantage of the open platform Kerberos is based on. Both the user base and the application developers benefit from Kerberized applications. Users get Single Sign On and the confidence of secure authentication. Developers get to leverage a proven infrastructure for secure authentication without having to reinvent the wheel, while retaining the flexibility of developing custom code by working directly with the open-source API.

Continued Improvements

As the MIT Kerberos Development Team continues to work closely with Apple, each version of Mac OS X adds new features and security based on Kerberos. In Mac OS X v10.4 Tiger, Kerberos for Macintosh 5.5 added an Apple-designed Kerberos authentication dialog and a new version of the Kerberos application (Kerberos.app) that includes a graphical realms editor and is Cocoa based.

For More Information

  • See the MIT Kerberos project page to learn more about Kerberos in general and to get complete documentation, source code, and advisories.
  • Mac OS X system administrators can visit the Apple Servers Resources site to obtain information about setting up and using Kerberos with Open Directory.
  • Mac OS X developers can obtain detailed papers and documentation of the Kerberos Framework in Mac OS X, including Kerberos v4, Kerberos v5, GSS-API, C-Bindings, and KClient, by visiting MIT's Mac OS X Kerberos resource page.

Updated: 2008-09-18