
Kerberos Overview

Kerberos is a secret-key network authentication protocol, developed at the Massachusetts Institute of Technology (MIT), that uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication. Kerberos was designed to authenticate requests for network resources. Kerberos, like other secret-key systems, is based on the concept of a trusted third party that performs secure verification of users and services.

In the Kerberos protocol, this trusted third party is called the Key Distribution Center (KDC). It performs the same function as a certification authority (CA), which is discussed in Chapter 9, "Building Advanced IPSec VPNs Using Cisco Routers and Certificate Authorities." The following lists some of the distinguishing characteristics of Kerberos:

  • Secret-key authentication protocol

  • Authenticates users and network services that they use

  • Uses 40- or 56-bit DES for encryption and authentication (weak by today's standards)

  • Relies on a trusted third party (KDC) for key distribution

  • Embodies "single login" concept

  • Expensive to administer—labor intensive
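The trusted-third-party model described above, as an added example that is not from the book or from Cisco IOS: a simplified Python simulation in which a KDC that shares a secret key with every principal hands out a session key, sealed once for the client and once for the service. It omits the ticket-granting step, timestamps and replay protection of real Kerberos 5 and uses a toy HMAC-SHA256 cipher in place of DES. The names KDC, login, service_accept, alice and router1 are hypothetical.

```python
import hashlib, hmac, json, os

def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor(key, nonce, data):
    # Toy stream cipher (HMAC-SHA256 in counter mode), standing in for DES.
    ks = b"".join(_prf(key, b"enc", nonce + bytes([i])) for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def seal(key, obj):
    """Encrypt and authenticate a JSON object under a shared secret key."""
    nonce = os.urandom(16)
    ct = _xor(key, nonce, json.dumps(obj).encode())
    return nonce + ct + _prf(key, b"mac", nonce + ct)

def unseal(key, blob):
    """Return the object, or raise ValueError on a wrong key or tampering."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(key, b"mac", nonce + ct)):
        raise ValueError("wrong key or modified message")
    return json.loads(_xor(key, nonce, ct))

class KDC:
    """Trusted third party: the only system holding every principal's secret key."""
    def __init__(self):
        self.keys = {}

    def register(self, principal):
        self.keys[principal] = os.urandom(32)
        return self.keys[principal]  # provisioned out of band in a real deployment

    def issue(self, client, service):
        session_key = os.urandom(32).hex()
        reply = seal(self.keys[client], {"service": service, "key": session_key})
        ticket = seal(self.keys[service], {"client": client, "key": session_key})
        return reply, ticket  # the client can read reply but not ticket

def login(kdc, client, client_key, service):
    """Client side: recover the session key, then prove knowledge of it."""
    reply, ticket = kdc.issue(client, service)
    session_key = bytes.fromhex(unseal(client_key, reply)["key"])
    return ticket, seal(session_key, {"client": client})

def service_accept(service_key, ticket, authenticator):
    """Service side: trusts the client only because the KDC sealed the ticket."""
    granted = unseal(service_key, ticket)
    proof = unseal(bytes.fromhex(granted["key"]), authenticator)
    if proof["client"] != granted["client"]:
        raise ValueError("authenticator does not match ticket")
    return granted["client"]
```

The client and the service never exchange a long-term key with each other; each trusts only what the KDC sealed under its own key, which is why the KDC database is the asset to protect.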

Cisco IOS Release 12.0 includes Kerberos 5 support, which allows organizations that are already deploying Kerberos 5 to use an existing KDC (similar to a CA in IP Security [IPSec]) with their routers and NAS. The following network services are Kerberized in Cisco IOS software:

  • Telnet—Logs a client (from router to another host) into a server (from another host to router) to permit interactive Telnet sessions

  • rlogin—Logs a user in to a remote UNIX host for an interactive session similar to Telnet

  • rsh—Logs a user in to a remote UNIX host and allows execution of one UNIX command

  • rcp—Logs a user in to a remote UNIX host and allows copying of files from the host


You can use the connect EXEC command with the /telnet or /rlogin keyword to log in to a host that supports Telnet or rlogin, respectively. You can use the /encrypt kerberos keyword to establish an encrypted Telnet session from a router to a remote Kerberos host. Alternatively, you can use the telnet EXEC command with the /encrypt kerberos keyword to establish an encrypted Telnet session.

You can use the rlogin and rsh EXEC commands to initiate rlogin and rsh sessions.

You can use the copy rcp EXEC command or configuration command to obtain configuration or image files from an RCP server.
