What is 'Kerberos'?
Kerberos is an authentication service developed at MIT.
In the traditional approach to authentication, which is known as authentication by assertion the program that runs on behalf of the user (the client) asserts to the secondary service that it is a bona fide representative of the user. The service usually authenticates the client by asking it for some secret information, such as a password.
There are two main problems with this:
Kerberos works in a slightly different way, in that a user must provide a valid ticket when contacting a service. Tickets are issued by the Kerberos authentication server and demonstrate knowledge that only the bearer can know, such as a password.
Kerberos requires that both the user and the service be registered with the authentication service. When the client wants to contact the service, it first talks to the authentication service, and is issued with a ticket. The ticket is then passed to the service along with the service request. The ticket has an expiry time of about 5 minutes after the initial request, and is also encrypted, so is very difficult to forge.
For more details on how Kerberos works, read the introduction at www.isi.edu