Specifications
Kerberos was designed to solve network security problems. It never transmits the
user’s password across the network, nor does it save the password in the user’s
computer memory or on disk. Therefore, even if the Kerberos credentials are cracked
or compromised, the attacker does not learn the original password, so he or she can
potentially compromise only a small portion of the network.
In addition to superior password management, Kerberos is also mutually
authenticated. The client authenticates to the service, and the service authenticates to
the client. A man-in-the-middle or spoofing attack is impossible when you are using
Kerberized services, and that means users can trust the services they are accessing.
Moving Beyond Passwords
Network authentication is difficult: To deploy a network authentication method, the
client and server must agree on the authentication method. Although it is possible for
client/server processes to agree on a custom authentication method, getting pervasive
adoption across a suite of network protocols, platforms, and clients is virtually
impossible.
For example, suppose you wanted to deploy smart cards as a network authentication
method. Without Kerberos, you’d have to change every client/server protocol to
support the new method. The list of protocols includes SMTP, POP, IMAP, AFP, SMB,
HTTP, FTP, IPP, SSH, QuickTime Streaming, DNS, LDAP, local directory domain, RPC, NFS,
AFS, WebDAV, and LPR, and goes on and on.
Considering all the software that does network authentication, deploying a new
authentication method across the entire suite of network protocols would be a
daunting task. Although this might be feasible for software from one vendor, you’d be
unlikely to get all vendors to change their client software to use your new method.
Further, you’d probably also want your authentication to work on multiple platforms
(such as Mac OS X, Windows, and UNIX).
Due to the design of Kerberos, a client/server binary/protocol that supports Kerberos
doesn’t even know how the user proves identity. Therefore you only need to change
the Kerberos client and the Kerberos server to accept a new proof of identity such as a
smart card. As a result, your entire Kerberos network has now adopted the new
proof-of-identity method, without deploying new versions of client and server software.
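A toy model of the three design points made above (the password never leaves the client, the service authenticates back to the client, and the service never learns how the user proved identity to the KDC), added here as an illustration rather than code from this guide or from any Kerberos implementation. It uses an HMAC-based stand-in for Kerberos encryption, hypothetical helper names, and constructed principals and keys; it is not the real Kerberos message format.

```python
import hashlib, hmac, json, os

def _keystream(key, nonce, n):
    blocks = [hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def seal(key, data):
    """Toy authenticated encryption (HMAC keystream + HMAC tag), standing in for a Kerberos enctype."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("not sealed under this key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

# Pluggable proofs of identity (hypothetical helpers): only the client and the KDC ever see these.
def key_from_password(password, realm="EXAMPLE.COM"):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), realm.encode(), 10_000)
def key_from_smart_card(card_secret):
    return hashlib.sha256(b"smartcard:" + card_secret).digest()

class KDC:
    def __init__(self, client_keys, service_keys):
        self.client_keys, self.service_keys = client_keys, service_keys
    def as_exchange(self, principal, service):
        """Issue a ticket for the service plus a reply only the client's long-term key can open."""
        session_key = os.urandom(32)
        body = json.dumps({"client": principal, "key": session_key.hex()}).encode()
        return seal(self.service_keys[service], body), seal(self.client_keys[principal], session_key)

def service_handle(service_key, ticket, authenticator):
    """Service side: reads the client name from the ticket and proves it holds the session key."""
    body = json.loads(unseal(service_key, ticket))      # an impostor service cannot open the ticket
    session_key = bytes.fromhex(body["key"])
    challenge = unseal(session_key, authenticator)
    return body["client"], seal(session_key, challenge[::-1])   # AP_REP-style proof back to the client

def access_service(principal, client_key, kdc, service, service_key):
    """Client side: the password or card is only used to derive client_key, never transmitted."""
    ticket, reply = kdc.as_exchange(principal, service)
    session_key = unseal(client_key, reply)             # a wrong password cannot open the reply
    challenge = os.urandom(16)
    seen_as, resp = service_handle(service_key, ticket, seal(session_key, challenge))
    if unseal(session_key, resp) != challenge[::-1]:    # mutual authentication check
        raise ValueError("service failed mutual authentication")
    return seen_as
```

The service code path is identical for the password user and the smart-card user; swapping the proof of identity touches only the key-derivation helpers shared by client and KDC.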
46 Chapter 3 Open Directory Authentication