Why Kerberos? Presented by Beth Lynn Eicher CPLUG Security Conference March 5, 2005 Released Under The Creative Commons Attribution-NonCommercial-ShareAlike License. Some Rights Reserved
The mythical character
A Network Authentication Protocol ● MIT took an idea from Xerox: “The Needham-Schroeder Protocol” ● Centralized, single sign-on, encrypted logins
Kerberos is everywhere ● Required for OpenAFS ● With Heimdal (from Sweden) you can use Kerberos anywhere ● Becoming a built-in option: Microsoft Active Directory, LDAP, Fedora Core (PAM)
Yes, you can use telnet again If you “kerberize” your service, you can use services that otherwise pass your passwords in the clear.
Allows many methods of authentication...
Something that you know Your password
Something that you have... Your SecurID
Something that you are... Bio-authentication
Since there are multiple ways of authenticating... Let's just call it a secret
Provides the 3 A's ● Authentication – verifying secrets ● Authorization – control access ● Auditing – logging
NOT to be confused with...
Fluffy from Harry Potter
A directory service ● Kerberos doesn't know your full name, your favorite shell, or your home address ● Use LDAP or NIS(+) WITH Kerberos
Kerberos does encrypt your password.... ● But what you assume to be Kerberos may not be Kerberos if your system has been exploited! ● Be aware of trojans and keystroke logging
My principal's service instances
My principal's administrative instances
Single Sign-On 1) I login to my desktop 2) After that initial login I'm given a ticket 3) I can ssh/telnet to other machines on the network without typing a password again! My password is not cached or resent. My ticket allows me to request more tickets.
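The ticket flow on this slide, as an added Python model that is not from the talk: the password is turned into a key locally and used exactly once, the AS reply yields a session key plus a TGT that is opaque to the client, and later service tickets are obtained with the session key alone. The XOR-plus-HMAC "cipher", the realm, principal names and secrets are constructed stand-ins; real Kerberos uses AES profiles and ASN.1 messages.

```python
import hashlib, hmac, json, os

def kdf(secret: str) -> bytes:  # string-to-key: a password or keytab secret -> long-term key
    return hashlib.sha256(secret.encode()).digest()

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:  # toy keystream, NOT a real cipher
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key: bytes, obj: dict) -> bytes:  # encrypt-then-MAC; only a holder of `key` can open it
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Constructed KDC state: user keys and service keys live only on the KDC (and each host's keytab).
KDC_KEY = kdf("krbtgt-secret")                        # seals TGTs; clients never learn it
USER_KEYS = {"bethlynn": kdf("correct horse battery")}
SERVICE_KEYS = {"host/shell.example.org": kdf("keytab-secret")}

def as_exchange(user: str):
    """AS-REQ/AS-REP: KDC issues a TGT plus a session key sealed under the user's key."""
    sk = os.urandom(16).hex()
    return seal(KDC_KEY, {"cname": user, "key": sk}), seal(USER_KEYS[user], {"key": sk})

def tgs_exchange(tgt: bytes, authenticator: bytes, service: str):
    """TGS-REQ/TGS-REP: client proves it holds the TGT session key; no password is involved."""
    t = unseal(KDC_KEY, tgt)
    if unseal(bytes.fromhex(t["key"]), authenticator)["cname"] != t["cname"]:
        raise ValueError("authenticator does not match TGT")
    ssk = os.urandom(16).hex()
    return (seal(SERVICE_KEYS[service], {"cname": t["cname"], "key": ssk}),
            seal(bytes.fromhex(t["key"]), {"key": ssk, "sname": service}))

def service_accepts(service: str, ticket: bytes, authenticator: bytes) -> bool:
    """AP-REQ: the service checks the ticket with its own keytab key, never contacting the KDC."""
    t = unseal(SERVICE_KEYS[service], ticket)
    return unseal(bytes.fromhex(t["key"]), authenticator)["cname"] == t["cname"]

def single_sign_on(user: str, password: str, service: str) -> bool:
    """Client side of the slide's flow: the password is used once, locally, then only tickets."""
    tgt, as_rep = as_exchange(user)
    sk = bytes.fromhex(unseal(kdf(password), as_rep)["key"])  # wrong password -> ValueError here
    ticket, tgs_rep = tgs_exchange(tgt, seal(sk, {"cname": user}), service)
    ssk = bytes.fromhex(unseal(sk, tgs_rep)["key"])
    return service_accepts(service, ticket, seal(ssk, {"cname": user}))
```

Note that neither the password nor the user's long-term key ever appears in a message; a bad password simply fails to open the AS reply.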
When I want to be root ● I authenticate with my password ● Now I have full root privileges on the local host ● I can also use this ticket to ssh/telnet to other machines to also be root on them too
What I didn't tell you ● How Kerberos works. ● MIT vs Heimdal ● Who is Cerberus? ● How to configure Kerberos ● How OpenAFS uses Kerberos
O'Reilly to the Rescue ● “Kerberos The Definitive Guide” by Jason Garman ● The Owl book ● $34.95