
Why Kerberos?

Presented by Beth Lynn Eicher, CPLUG Security Conference, March 5, 2005. Released Under The Creative Commons Attribution-NonCommercial-ShareAlike License. Some Rights Reserved.


Presentation Transcript


  1. Why Kerberos? • Presented by Beth Lynn Eicher • CPLUG Security Conference, March 5, 2005 • Released Under The Creative Commons Attribution-NonCommercial-ShareAlike License. Some Rights Reserved

  2. Kerberos IS...

  3. The mythical character

  4. A Network Authentication Protocol • MIT took an idea from Xerox: “The Needham-Schroeder Protocol” • Centralized, single sign-on, encrypted logins

  5. Kerberos is everywhere • Required for OpenAFS • With Heimdal (from Sweden) you can use Kerberos anywhere • Becoming a built-in option: Microsoft Active Directory, LDAP, Fedora Core (PAM)

  6. If you “kerberize” your service, you can use services that otherwise pass your passwords in the clear. Yes, you can use telnet again

  7. Allows many methods of authentication...

  8. Something that you know • Your password

  9. Something that you have... • Your SecurID

  10. Something that you are... • Bio-authentication

  11. Since there are multiple ways of authenticating... Let's just call it secret

  12. Provides the 3 A's • Authentication – verifying secrets • Authorization – control access • Auditing – logging

  13. NOT to be confused with...

  14. Fluffy from Harry Potter

  15. A directory service • Kerberos doesn't know your full name, your favorite shell, or your home address • Use LDAP or NIS(+) WITH Kerberos

  16. Kerberos does encrypt your password... • But what you assume to be Kerberos may not be if your system has been exploited! • Be aware of trojans and keystroke logging

  17. My principal bethlynn@CS.CMU.EDU

  18. My principal's service instances • bethlynn.mail@CS.CMU.EDU • bethlynn.ftp@CS.CMU.EDU • bethlynn.remote@CS.CMU.EDU

  19. My principal's administrative instances • bethlynn.admin@CS.CMU.EDU • bethlynn.admin-afs@CS.CMU.EDU • bethlynn.root@CS.CMU.EDU

  20. Single Sign-On • I log in to my desktop • After that initial login I'm given a ticket • I can ssh/telnet to other machines on the network without typing a password again! • My password is not cached or resent • My ticket allows me to request more tickets

  21. When I want to be root • I authenticate with my bethlynn.root@CS.CMU.EDU password • Now I have full root privileges on the local host • I can also use this ticket to ssh/telnet to other machines and be root on them too

  22. What I didn't tell you • How Kerberos works • MIT vs Heimdal • Who is Cerberus? • How to configure Kerberos • How OpenAFS uses Kerberos

  23. O'Reilly to the Rescue • “Kerberos The Definitive Guide” by Jason Garman • The Owl book • $34.95

  24. Thanks!
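
Slides 17 to 19 and 21 separate the everyday identity from its service and administrative instances. The following is an added example, not part of the original presentation: it parses principals in the dotted form shown on the slides (and the slash form used by Kerberos 5) and reports which users hold privileged instances. The function names and the choice of which instances count as privileged (taken from slide 19) are assumptions of this example.

```python
from collections import defaultdict
from typing import NamedTuple

# Assumption: the administrative instances listed on slide 19 are the privileged ones.
PRIVILEGED = {"admin", "admin-afs", "root"}

class Principal(NamedTuple):
    primary: str
    instance: str  # "" is the null instance, i.e. the everyday identity
    realm: str

def parse_principal(text: str) -> Principal:
    """Parse 'name.instance@REALM' (slide form) or 'name/instance@REALM'."""
    # Split on the last '@' so dots in the realm (CS.CMU.EDU) are left alone.
    name, at, realm = text.rpartition("@")
    if not at or not name or not realm:
        raise ValueError(f"missing primary or realm: {text!r}")
    if "/" in name:
        # Slash form: dots after the slash belong to the instance (host names).
        primary, _, instance = name.partition("/")
    else:
        # Dotted form: the first dot separates primary from instance.
        primary, _, instance = name.partition(".")
    if not primary:
        raise ValueError(f"empty primary: {text!r}")
    return Principal(primary, instance, realm)

def privileged_instances(principals):
    """Map 'primary@REALM' to the sorted privileged instances that user holds."""
    found = defaultdict(set)
    for text in principals:
        p = parse_principal(text)
        if p.instance in PRIVILEGED:
            found[f"{p.primary}@{p.realm}"].add(p.instance)
    return {user: sorted(inst) for user, inst in found.items()}

# Principals from the slides, plus one constructed slash-form entry.
SAMPLE = [
    "bethlynn@CS.CMU.EDU",
    "bethlynn.mail@CS.CMU.EDU", "bethlynn.ftp@CS.CMU.EDU",
    "bethlynn.remote@CS.CMU.EDU", "bethlynn.admin@CS.CMU.EDU",
    "bethlynn.admin-afs@CS.CMU.EDU", "bethlynn.root@CS.CMU.EDU",
    "host/web.example.org@EXAMPLE.ORG",  # constructed
]

if __name__ == "__main__":
    for user, inst in privileged_instances(SAMPLE).items():
        print(user, "->", ", ".join(inst))
```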
