What is Kerberos?

The following section was excerpted from the MIT Kerberos release page.

Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.

The Internet is an insecure place. Many of the protocols used in the Internet do not provide any security. Tools to "sniff" passwords off of the network are in common use by malicious hackers. Thus, applications which send an unencrypted password over the network are extremely vulnerable. Worse yet, other client/server applications rely on the client program to be "honest" about the identity of the user who is using it. Other applications rely on the client to restrict its activities to those which it is allowed to do, with no other enforcement by the server.

Some sites attempt to use firewalls to solve their network security problems. Unfortunately, firewalls assume that "the bad guys" are on the outside, which is often a very bad assumption. Most of the really damaging incidents of computer crime are carried out by insiders. Firewalls also have a significant disadvantage in that they restrict how your users can use the Internet. (After all, firewalls are simply a less extreme example of the dictum that there is nothing more secure than a computer which is not connected to the network --- and powered off!) In many places, these restrictions are simply unrealistic and unacceptable.

Kerberos was created by MIT as a solution to these network security problems. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identity, they can also encrypt all of their communications to ensure privacy and data integrity as they go about their business.

How does Kerberos work?

The very short version of the answer to this question is as follows: you provide a username and password to whatever your Kerberos authentication front-end happens to be - Network Identity Manager for Microsoft Windows, the Kerberos application for Mac OS X, the kinit command in Linux - and as a result, you are granted a Kerberos "ticket" that gets you into other services that use Kerberos for authentication.

A good introduction that is slightly more detailed can be found at The Moron's Guide to Kerberos. Despite the name, this is definitely worth a read.

An example of authenticating using Kerberos

For the following example, I'll use Mac OS X as the operating system, but please don't tune out this section if you don't use a Mac: the information here is applicable to all platforms.

Mac OS X comes equipped with Kerberos by default, although it isn't hooked into the local login process you see when you start your Mac. At CSAIL we will probably configure your Mac to automatically do all the Kerberos magic behind the scenes so you don't have to manually authenticate; but it's still good for you to have a vague idea of what's going on under the hood.

Once I've logged into my local user account on my Mac - assuming I don't have automatic login enabled so I don't have to deal with all those pesky passwords - I open up the Kerberos application, which is located in /System/Library/CoreServices/Kerberos and usually has an alias at /Applications/Utilities/Kerberos:

Kerberos control panel

In the image shown above, you can see that there is a setting for a REALM. Realm is a term used in Kerberos to describe an organizational group, sort of like a domain. MIT has its own realm, which is called ATHENA.MIT.EDU. CSAIL's realm is called CSAIL.MIT.EDU. Strictly speaking, a realm name does not have to be the same as the DNS domain name, but a lot of realms make it that way for simplicity's sake.

Also notice that several checkboxes are checked, and in particular there is one that says "Get tickets that can be renewed for:". This setting is important because of one important Kerberos Fact:

KERBEROS CREDENTIALS EXPIRE AFTER A WHILE.

This fact is due to a security measure that Kerberos uses to limit the damage a malicious person can do with a user's stolen credentials. Since credentials expire, the window of opportunity that an attacker has to misuse ill-gotten credentials is bounded. The shorter the lifetime of the credentials, the smaller that window of opportunity is. Of course, it also decreases the convenience to the user.

Some people are used to turning on their computer and never having to log in or type passwords, especially Macintosh users. However, in a large computing environment that is constantly being probed for just such a weak link, this is not an available luxury. We've struck a middle ground with our Kerberos realm that we think maintains a reasonable balance between security and convenience: we allow users to "renew" their credentials for up to one week. By default, CSAIL Kerberos tickets expire after ten hours, but at any point during that ten hours, a user can renew them for another ten hours; and so on, until seven days have passed.

The nice thing about the Kerberos application on Mac OS X, Network Identity Manager in Microsoft Windows, and other facilities for the CSAIL GNU/Linux distro, is that they can renew your tickets automatically for you. Just keep in mind that the longer you let your credentials hang around, the greater the risk you take that someone can steal your credentials and destroy - or, even worse - steal or subtly alter your files. It's your choice where you want to be in the continuum of security and convenience.
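To make the expiry-and-renewal policy above concrete, here is an added Python example (not part of the original page or of CSAIL's own tooling) that parses a constructed `klist` listing and decides whether a ticket-refreshing agent should do nothing, renew with `kinit -R`, or ask the user for a fresh login. The principal name, the timestamps and the 30-minute safety margin are assumptions chosen for the illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample of MIT Kerberos `klist` output for a CSAIL user
# (not captured from a real machine; the principal name is made up).
SAMPLE_KLIST = """\
Ticket cache: FILE:/tmp/krb5cc_501
Default principal: alice@CSAIL.MIT.EDU

Valid starting       Expires              Service principal
11/16/2006 09:00:00  11/16/2006 19:00:00  krbtgt/CSAIL.MIT.EDU@CSAIL.MIT.EDU
\trenew until 11/23/2006 09:00:00
"""

TS = r"\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}"   # timestamp as klist prints it
FMT = "%m/%d/%Y %H:%M:%S"

def at(text):
    """Parse a klist-style timestamp into a datetime."""
    return datetime.strptime(text, FMT)

def parse_tgt(klist_text):
    """Return start/expiry/renew-until for the ticket-granting ticket (krbtgt).
    renew_until is None when the ticket was obtained without the renewable option."""
    lines = klist_text.splitlines()
    for i, line in enumerate(lines):
        m = re.match(rf"({TS})\s+({TS})\s+krbtgt/", line)
        if not m:
            continue
        renew_until = None
        if i + 1 < len(lines):
            r = re.search(rf"renew until ({TS})", lines[i + 1])
            if r:
                renew_until = at(r.group(1))
        return {"start": at(m.group(1)), "expires": at(m.group(2)),
                "renew_until": renew_until}
    raise ValueError("no krbtgt entry in klist output")

def next_action(expires, renew_until, now, margin=timedelta(minutes=30)):
    """What a ticket-refreshing agent should do at time `now`:
    'ok' (nothing), 'renew' (kinit -R, no password) or 'kinit' (fresh login)."""
    if now >= expires:
        return "kinit"          # expired: a new initial authentication is required
    if now + margin < expires:
        return "ok"             # plenty of lifetime left
    # Near expiry: renewal only helps while the renew-until deadline lies beyond the
    # current expiry; a ticket already renewed up to the 7-day limit cannot be extended.
    if renew_until is not None and renew_until > expires:
        return "renew"
    return "kinit"
```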

-- JasonDorfman - 16 Nov 2006
Topic revision: 23 Jun 2008, ArthurProkosch
MIT Computer Science and Artificial Intelligence Laboratory