Maintaining security and integrity across a network can be unwieldy. It can
occupy the time of several administrators just to keep track of which
services are running on the network and how those services are used.
Moreover, authenticating users to network services can be dangerous when
the protocol's own method is inherently insecure, as evidenced by the
transfer of unencrypted passwords over the network under the FTP and
Telnet protocols. Kerberos is a way to eliminate the need for protocols
that allow unsafe methods of authentication, thereby enhancing overall
network security.
Kerberos, a network authentication protocol created by MIT, uses
symmetric-key cryptography[1] to authenticate users to network services,
eliminating the need to send passwords over the network. A user proves
knowledge of a key derived from the password by decrypting material the
Kerberos server has encrypted under that key, and then presents encrypted
tickets and authenticators to services; the password itself never leaves
the client. When users authenticate to network services using Kerberos,
unauthorized users attempting to gather passwords by monitoring network
traffic are effectively thwarted.
Most conventional network services use password-based authentication
schemes. Such schemes require a user to authenticate to a given network
server by supplying their username and password. Unfortunately, the
transmission of authentication information for many services is
unencrypted. For such a scheme to be secure, the network has to be
inaccessible to outsiders, and all computers and users on the network
must be trusted and trustworthy.
Even if this is the case, once a network is connected to the Internet,
it can no longer be assumed that the network is secure. Any attacker who
gains access to the network can use a simple packet analyzer, also known
as a packet sniffer, to intercept usernames and passwords sent in this
manner, compromising user accounts and the integrity of the entire
security infrastructure.
The primary design goal of Kerberos is to eliminate the transmission of
unencrypted passwords across the network. If used properly, Kerberos
eliminates the threat that packet sniffers pose to user passwords. It
does not by itself encrypt the rest of a session: what a kerberized
application sends after authentication is protected only if that
application uses the Kerberos session key for integrity or privacy, and
traffic to services that are not kerberized is as exposed as before.
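The contrast drawn in the preceding paragraphs, as an added illustration that is not part of this guide or of MIT Kerberos: a legacy USER/PASS login beside a minimal Kerberos-style AS exchange followed by an AP-REQ to the service, with a recorder standing in for the packet sniffer. The cipher (HMAC-SHA256 in counter mode with an HMAC tag), the length-prefixed framing, the Wire and KDC classes and the names alice, EXAMPLE.COM and host/ftp.example.com are all stand-ins chosen for this example; real Kerberos uses AES-CTS enctypes, PBKDF2 string-to-key and ASN.1 DER messages.

```python
"""Toy model of the contrast drawn above: a legacy USER/PASS login puts the password
on the wire, a Kerberos-style exchange never does. Cipher, framing and KDC are stand-ins."""
import hashlib, hmac, os, struct, time
CLOCK_SKEW = 300  # seconds; Kerberos rejects authenticators outside this window

def _keystream(key, nonce, n):  # HMAC-SHA256 in counter mode, a toy stand-in for AES-CTS
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def string_to_key(password, salt):
    # Long-term key derived from the password; Kerberos AES enctypes really use PBKDF2 (RFC 3962)
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 4096, 32)

def pack(*fields):  # length-prefixed fields, standing in for Kerberos' ASN.1 DER messages
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)
def unpack(blob):
    fields, i = [], 0
    while i < len(blob):
        (n,) = struct.unpack(">I", blob[i:i + 4])
        fields.append(blob[i + 4:i + 4 + n])
        i += 4 + n
    return fields

def now():
    return struct.pack(">Q", int(time.time()))
def age(ts):  # seconds between a packed timestamp and the local clock
    return abs(time.time() - struct.unpack(">Q", ts)[0])

class Wire:
    """Records every payload sent: exactly what a packet sniffer on the segment sees."""
    def __init__(self):
        self.frames = []
    def send(self, payload):
        self.frames.append(payload)
        return payload
    def leaks(self, secret):
        return any(secret.encode() in f for f in self.frames)

def legacy_login(wire, user, password):  # FTP/Telnet style: the password itself is the proof
    wire.send(b"USER " + user.encode() + b"\r\n")
    wire.send(b"PASS " + password.encode() + b"\r\n")
    return user

class KDC:
    def __init__(self, realm):
        self.realm, self.users, self.services = realm, {}, {}
    def add_user(self, name, password):
        self.users[name] = string_to_key(password, self.realm + name)
    def add_service(self, name):
        self.services[name] = os.urandom(32)  # the same key goes into the service's keytab
        return self.services[name]
    def as_exchange(self, as_req):
        cname, sname, pa_enc_timestamp = unpack(as_req)
        user_key = self.users[cname.decode()]
        # Pre-auth: otherwise anyone could request the encrypted reply and crack it offline
        if age(decrypt(user_key, pa_enc_timestamp)) > CLOCK_SKEW:
            raise ValueError("pre-authentication failed")
        session_key = os.urandom(32)
        expiry = struct.pack(">Q", int(time.time()) + 8 * 3600)
        ticket = encrypt(self.services[sname.decode()], pack(cname, session_key, expiry))
        return pack(ticket, encrypt(user_key, pack(session_key, sname, expiry)))  # AS-REP

def kerberos_login(wire, kdc, user, password, service):  # client: AS-REQ/AS-REP, then AP-REQ
    user_key = string_to_key(password, kdc.realm + user)
    as_req = wire.send(pack(user.encode(), service.encode(), encrypt(user_key, now())))
    ticket, enc_part = unpack(wire.send(kdc.as_exchange(as_req)))
    session_key, _sname, _expiry = unpack(decrypt(user_key, enc_part))
    return wire.send(pack(ticket, encrypt(session_key, pack(user.encode(), now()))))

def service_accept(service_key, ap_req):
    """Kerberized server: verifies ticket and authenticator without ever seeing a password."""
    ticket, authenticator = unpack(ap_req)
    cname, session_key, expiry = unpack(decrypt(service_key, ticket))
    auth_name, ts = unpack(decrypt(session_key, authenticator))
    if auth_name != cname or age(ts) > CLOCK_SKEW or time.time() > struct.unpack(">Q", expiry)[0]:
        raise ValueError("authenticator mismatch, stale timestamp or expired ticket")
    return cname.decode()

def demo(user="alice", password="correct horse", service="host/ftp.example.com"):
    """Constructed sample run; returns (legacy leaked?, kerberos leaked?, authenticated name)."""
    legacy, krb, kdc = Wire(), Wire(), KDC("EXAMPLE.COM")
    legacy_login(legacy, user, password)
    kdc.add_user(user, password)
    service_key = kdc.add_service(service)
    who = service_accept(service_key, kerberos_login(krb, kdc, user, password, service))
    return legacy.leaks(password), krb.leaks(password), who
```

demo() returns (True, False, "alice"): the legacy recording contains the password verbatim, the Kerberos recording contains only principal names, nonces and ciphertext. Note what is still visible in the second case: the client and service principal names travel in the clear, which is also true of real Kerberos, and a wrong password fails at the KDC because the pre-authentication timestamp does not decrypt. Without that pre-authentication step the KDC would hand the encrypted reply to anyone who names a principal, giving an attacker material to crack the password offline, which is why production KDCs are configured to require it.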
Although Kerberos removes a common and severe security threat, it may be
difficult to implement for a variety of reasons:
Migrating user passwords from a standard UNIX password
database, such as /etc/passwd or
/etc/shadow, to a Kerberos password database
can be tedious, as there is no automated mechanism to perform this
task: the Kerberos database stores a key derived from each user's
plaintext password, and the one-way hashes in /etc/shadow cannot be
converted back into that plaintext, so every user must enter or reset a
password before the Kerberos principal is usable. For more information,
refer to question number 2.23 in the online Kerberos FAQ:
Kerberos has only partial compatibility with the Pluggable
Authentication Modules (PAM) system used by most Red Hat Enterprise Linux servers. For
more information about this issue, refer to Section 19.4 Kerberos and PAM.
Kerberos assumes that each user is trusted but is using an
untrusted host on an untrusted network. Its primary goal is to
prevent unencrypted passwords from being sent across that
network. However, if anyone other than its administrators gains access
to the one host that issues the tickets used for authentication, called
the key distribution center (KDC), the entire Kerberos authentication
system is at risk: the KDC database holds the long-term key of every
user and service principal in the realm, so whoever controls it can
impersonate any of them.
For an application to use Kerberos, its source must be modified
to make the appropriate calls into the Kerberos
libraries. Applications modified in this way are considered to be
kerberized. For some applications, this can
be quite problematic due to the size of the application or its
design. For other applications, changes must be made to the way in
which the server and client sides communicate, which again may require
extensive programming. Closed-source applications that do not have
Kerberos support by default are often the most problematic.
Kerberos is an all-or-nothing solution. Once Kerberos is in use on a
network, any unencrypted password sent to a non-kerberized service is
still at risk, and because users rarely keep separate passwords for
kerberized and non-kerberized services, a password sniffed from a
legacy service usually unlocks the user's Kerberos principal as well.
The network then gains no real benefit from Kerberos. To secure a
network with Kerberos, one must either use kerberized versions of all
client/server applications that send unencrypted passwords or not use
any such client/server applications at all.