Kerberos; What Is Kerberos - Red Hat ENTERPRISE LINUX 3 Reference Manual

System security and integrity within a network can be unwieldy. It can occupy the time of several
administrators just to keep track of what services are being run on a network and the manner in which
these services are used. Moreover, authenticating users to network services can prove dangerous when
the method used by the protocol is inherently insecure, as evidenced by the transfer of unencrypted
passwords over a network under the FTP and Telnet protocols. Kerberos is a way to eliminate the need
for protocols that allow unsafe methods of authentication, thereby enhancing overall network security.

18.1. What is Kerberos?

Kerberos is a network authentication protocol created by MIT which uses symmetric-key cryptography [1]
to authenticate users to network services — eliminating the need to send passwords over the
network. When users authenticate to network services using Kerberos, unauthorized users attempting
to gather passwords by monitoring network traffic are effectively thwarted.

18.1.1. Advantages of Kerberos

Most conventional network services use password-based authentication schemes. Such schemes require
a user to authenticate to a given network server by supplying their user name and password.
Unfortunately, the transmission of authentication information for many services is unencrypted. For
such a scheme to be secure, the network has to be inaccessible to outsiders, and all computers and
users on the network must be trusted and trustworthy.

Even if this is the case, once a network is connected to the Internet, it can no longer be assumed
that the network is secure. Any attacker who gains access to the network can use a simple packet
analyzer, also known as a packet sniffer, to intercept usernames and passwords sent in this manner,
compromising user accounts and the integrity of the entire security infrastructure.

The primary design goal of Kerberos is to eliminate the transmission of unencrypted passwords across
the network. If used properly, Kerberos effectively eliminates the threat packet sniffers would
otherwise pose on a network.

18.1.2. Disadvantages of Kerberos

Although Kerberos removes a common and severe security threat, it may be difficult to implement for
a variety of reasons:
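The contrast the section draws, as an added example that is not part of the Red Hat manual: a constructed FTP control-channel capture in which a passive observer can read the password, beside a Kerberos-style exchange in which client and service each derive the shared symmetric key from the password locally and the client only proves possession of that key. The key derivation (salted SHA-256 in place of the Kerberos string-to-key function) and the keyed timestamp (an HMAC in place of Kerberos' encrypted timestamp) are simplifications assumed for illustration; the timestamp-based proof goes slightly beyond what this page describes.

```python
import hashlib
import hmac

# Constructed sample of what a packet sniffer sees on an FTP control channel:
# the USER and PASS commands travel in the clear, which is the weakness the
# chapter describes for FTP and Telnet.
FTP_CAPTURE = [
    "220 ftp.example.test FTP server ready",
    "USER alice",
    "331 Password required for alice",
    "PASS hunter2",
    "230 User alice logged in",
]

def cleartext_credentials(capture):
    """Detection: return (user, password) pairs readable from captured lines."""
    found, user = [], None
    for line in capture:
        cmd, _, arg = line.partition(" ")
        if cmd.upper() == "USER":
            user = arg
        elif cmd.upper() == "PASS":
            found.append((user, arg))
    return found

def password_to_key(password, salt):
    """Client and service both derive the shared symmetric key from the password
    locally; the key itself is never transmitted. Salted SHA-256 is an assumed
    stand-in for the Kerberos string-to-key function."""
    return hashlib.sha256((salt + password).encode()).digest()

def client_authenticator(key, now):
    """The client proves it holds the key by keying a fresh timestamp (HMAC is
    an assumed stand-in for the encrypted timestamp Kerberos uses). Neither the
    password nor the key appears in the message."""
    stamp = str(int(now))
    return stamp, hmac.new(key, stamp.encode(), hashlib.sha256).hexdigest()

def server_verify(key, stamp, tag, now, max_skew=300):
    """The service recomputes the tag with its own copy of the key and rejects
    timestamps outside the allowed clock skew, which limits replay."""
    expected = hmac.new(key, stamp.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag) and abs(int(now) - int(stamp)) <= max_skew

def kerberos_style_capture(password, salt="EXAMPLE.TEST", now=1700000000):
    """What the same sniffer sees when the key-based exchange is used instead
    (message layout is constructed for the example)."""
    stamp, tag = client_authenticator(password_to_key(password, salt), now)
    return [f"AUTH alice {stamp} {tag}"]
```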
- Migrating user passwords from a standard UNIX password database, such as /etc/passwd or
  /etc/shadow, to a Kerberos password database can be tedious, as there is no automated mechanism
  to perform this task. For more information, refer to question number 2.23 in the online Kerberos
  FAQ:

  http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html

- Kerberos has only partial compatibility with the Pluggable Authentication Modules (PAM) system
  used by most Red Hat Enterprise Linux servers. For more information about this issue, refer to
  Section 18.4 Kerberos and PAM.

1. A system where both the client and the server share a common key that is used to encrypt and decrypt
network communication