Chapter 10.


Kerberos


Kerberos is a network authentication protocol created by MIT which uses secret key cryptography  


obviating the need to send passwords over the network. By authenticating using Kerberos, unautho 


rized users trying to intercept passwords on the network are effectively thwarted.


10.1. Advantages of Kerberos


Most conventional network systems use password based authentication schemes. When a user au 


thenticates to a network server, he must supply a user name and password for each service requiring


authentication. This information is sent over the network, and the server verifies their identity using


this information.


However, the transmission of authentication information for many services is in plain text. An attacker


with access to the network and a packet analyzer, also known as a packet sniffer, can intercept any


passwords sent in this manner.


The primary design goal of Kerberos is to eliminate the transmission across the network of authenti 


cation information. The proper use of Kerberos effectively eliminates the threat packet sniffers would


otherwise pose on a network.


10.2. Kerberos Disadvantages


Although Kerberos removes a common and severe security threat, it may be difficult to implement for


various reasons:


Migrating user passwords from a standard UNIX password database, such as


/etc/passwd


or


/etc/shadow


, to a Kerberos password database can be tedious as there is no automated mechanism


to perform this task. For more information, refer to question number 2.23 in the Kerberos FAQ at


the following URL: http://www.nrl.navy.mil/CCS/people/kenh/kerberos faq.html.


Kerberos has only partial compatibility with the Pluggable Authentication Modules (PAM) system


used by most servers running Red Hat Linux. For more information on this issue, see Section 10.5.


For an application to use Kerberos, its source must be modified to make the appropriate calls into


the Kerberos libraries. For some applications, this can be quite problematic due to size or frequency


that krb libraries must be called. For other applications, changes must be made to the way in which


the server and client side communicate. Again, this may require extensive programming. Closed 


source applications that do not have Kerberos support by default are often the most problematic.


Kerberos assumes that you are using trusted hosts on an untrusted network. Its primary goal is to


prevent plain text passwords from being sent across that network. However, if anyone other than


the proper user has physical access to any of the hosts, especially the one that issues tickets used


for authentication, the entire Kerberos authentication system is at risk of being compromised.


Kerberos is an all or nothing solution. If you decide to use Kerberos on your network, you must


remember any passwords transferred to a service which does not use Kerberos for authentication


run the risk of being captured by packet sniffers. Thus, your network gains no benefit from the


use of Kerberos. To secure your network with Kerberos, you must either kerberize all applications


which send plain text passwords or do not use those applications on your network at all.








footer






  


 


 


        

 


 

  

    

      
      
 Home 
      | About Us | Network 
      | Services | Support 
      | FAQ | Control Panel 
      | Order Online |
      Sitemap | Contact

      

      tomcat hosting

      
 

    

  

  




Our partners: 
PHP: Hypertext Preprocessor Best Web Hosting
Java Web Hosting
Inexpensive Web Hosting 
Jsp Web Hosting 




Cheapest Web Hosting
Jsp Hosting
Cheap Hosting



Visionwebhosting.net Business web hosting division of Web 
Design Plus. All rights reserved