Linux Exposed: Kerberos Security
Sep 23, 2003, 10:00 (0 Talkback[s])
[ Thanks to Denon
for this link. ]
"Kerberos is a network authentication system that can help solve
those two issues. It reduces the number of passwords each user has
to memorize to use an entire network to one the Kerberos password.
In addition, Kerberos incorporates encryption and message integrity
to solve the second issue, ensuring that sensitive authentication
data is never sent over the network in the clear. By providing a
secure authentication mechanism, Kerberos is an essential part of a
total network security plan, providing clear benefits for both end
users and administrators. It is important to recognize that
implementing Kerberos on your network does not guarantee perfect
security. While Kerberos is extremely secure in a theoretical
sense, there are many practical security issues to be considered.
In addition, it is important to remember that Kerberos provides
only an authentication service; it does not prevent compromises
caused by buggy server software, administrators granting
permissions to unauthorized users, or poorly chosen passwords.
"While most documentation on the subject of Kerberos security
simply says to 'secure the KDC,' there is much more to the story of
Kerberos security than turning off unnecessary services on your KDC
machines (although that is certainly good advice!). In this
article, we will begin with a discussion of potential attacks
against your Kerberos authentication system, follow up with steps
that should be taken to prevent these attacks, and finally examine
Kerberos KDC logs. After reading this article, you should
understand the security implications that Kerberos presents and how
to protect your network from the attack scenarios presented..."