On Wed, May 01, 2002 at 03:54:02PM -0500, Mike Hicks (hick0088 at tc.umn.edu) wrote: > On Tue, 2002-04-30 at 22:56, Bob Tanner wrote: > > Having an internal discussion at Real Time about kerberos. > [snip] > > Anyways, with openssh, ssl, generic TLS stuff. Is kerberos necessary still? > > > > Some people here are arguing the kerberos is "old" technology and not necessary. > > Others argue about security issue in kerberos. Still others argue that kerberos > > is the only was to support things like secure/token cards. > > The main disadvantage that I saw when I took a look at Kerberos (never > implemented it anywhere, so maybe my view of the situation is poor) is > that it required the hosts that used it to be trusted. Kerberos clients > and servers use encryption to keep their communications away from prying > eyes, but they use a shared secret key, rather than a public/private > keypair like what you see in SSL applications[1]. > > Using a shared secret key limits the places you can implement Kerberos. > You can't have all of your users going around with their laptops. Or, > maybe you can, but everyone has to have the same secret key. This is > similar to the problem with WEP encryption and public networks. It's > essentially useless since everyone knows what the key is. No this is not true. Each user has his own kerberos password. This is used to login to the kerberos server. Additionally, each host has its own keytab file that's used for incoming services. For instance, if I want to ktelnet to a box, that box must have a keytab file and the appropriate services enabled on the box. The keytab file is created by a kerberos admin. If it gets changed on the host, but is not updated on the kerberos server, it will not work. I use kerberos every day at work, in conjuction with AFS and RSA SecurID cards. I use kerberos to admin about 50 linux boxes, by ktelnet'ing into them (with encryption). We use AFS for shared file storage, which requires a kerberos password and a SecurID pin. The SecurID pin is an optional, additional layer of security. I can use kerberos at home as well, to get into my box at work. All I have to do is install the kerberos client and the correct krb5.conf file (and know my kerberos password of course). In fact, all the administrators here do this. And we have a lot of people who travel frequently who do this as well. The weak link is your password - if your password gets stolen, someone could masquerade as you. But, that's true of most authentication protocols. > Additionally, I seem to remember that Kerberos only worries about > authentication. Things like telnet sessions aren't actually encrypted, > IIRC. Even without authentication information, there's a lot of stuff > an attacker could get to if they could only sniff the network. I can't > remember if that's true, though.. Nope, it's not true. Kerberos does authentication AND encryption, although encryption is optional. You can turn on encryption with the -x parameter. Look here: http://web.mit.edu/kerberos/www/krb5-1.2/krb5-1.2.5/doc/user-guide.html#SEC17 You can also set encrypt=true in the [appdefaults] section of your krb5.conf file. > Kerberos, from all I've heard, is still a good system. Unfortunately, > the areas where it can be deployed are limited, and there have to be > ways for untrusted systems to talk to each other without having others > eavesdrop on them. Please give me an example. Why would you want an untrusted system to have access to your secure network? > SSH can be set up to act very similarly to a kerberos installation, from > what I understand, using ssh-agent and public/private identity files. > You can ssh-add an identity, enter your password, and then connect to a > server cluster. If the public part of your identity is properly > installed on the server cluster and agent forwarding is enabled, you can > ssh around without having to enter your password again. Of course, this > only works with SSH (as far as I know), so kerberos still probably wins > out since so many services have been kerberized. > > I guess I'd say that it's the beginning of the end for kerberos, but I'm > sure it'll be around for a long time. Well, if it's any indication, the military uses and requires kerberos, so I expect it to stay around for a long time just because of that. Also, AFS requires it. -- Amy Tanner amy at real-time.com -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 524 bytes Desc: not available Url : http://shadowknight.real-time.com/pipermail/tclug-list/attachments/20020501/4d1083fc/attachment.pgp