Kerberos; What Is Kerberos; Advantages Of Kerberos; Disadvantages Of Kerberos - Red Hat ENTERPRISE LINUX 4.5.0 Reference Manual

Chapter 19.

Kerberos

System security and integrity within a network can be unwieldy. It can occupy the time of
several administrators just to keep track of what services are being run on a network and the
manner in which these services are used. Moreover, authenticating users to network services
can prove dangerous when the method used by the protocol is inherently insecure, as
evidenced by the transfer of unencrypted passwords over a network under the FTP and Telnet
protocols. Kerberos is a way to eliminate the need for protocols that allow unsafe methods of
authentication, thereby enhancing overall network security.

1. What is Kerberos?

Kerberos, a network authentication protocol created by MIT, uses symmetric-key cryptography
to authenticate users to network services — eliminating the need to send passwords over the
network. When users authenticate to network services using Kerberos, unauthorized users
attempting to gather passwords by monitoring network traffic are effectively thwarted.

1.1. Advantages of Kerberos

Most conventional network services use password-based authentication schemes. Such
schemes require a user to authenticate to a given network server by supplying their username
and password. Unfortunately, the transmission of authentication information for many services is
unencrypted. For such a scheme to be secure, the network has to be inaccessible to outsiders,
and all computers and users on the network must be trusted and trustworthy.
Even if this is the case, once a network is connected to the Internet, it can no longer be
assumed that the network is secure. Any attacker who gains access to the network can use a
simple packet analyzer, also known as a packet sniffer, to intercept usernames and passwords
sent in this manner, compromising user accounts and the integrity of the entire security
infrastructure.
The primary design goal of Kerberos is to eliminate the transmission of unencrypted passwords
across the network. If used properly, Kerberos effectively eliminates the threat packet sniffers
would otherwise pose on a network.

1.2. Disadvantages of Kerberos

Although Kerberos removes a common and severe security threat, it may be difficult to
implement for a variety of reasons:
• Migrating user passwords from a standard UNIX password database, such as
or , to a Kerberos password database can be tedious, as there is no automated
/etc/shadow
mechanism to perform this task. For more information, refer to question number 2.23 in the
1
A system where both the client and the server share a common key that is used to encrypt and decrypt network
communication.
1
/etc/passwd
343