The Internet is an insecure place. Many of the protocols used on the Internet provide no security at all. Tools to sniff passwords off the network are in common use by malicious hackers, so applications which send an unencrypted password over the network are extremely vulnerable. Worse yet, other client/server applications rely on the client program to be honest about the identity of the user who is running it. Others rely on the client to restrict its activities to those it is allowed to perform, with no enforcement by the server at all.
Some sites attempt to use firewalls to solve their network security problems. Unfortunately, firewalls assume that the bad guys are on the outside, which is often a very bad assumption: many of the most damaging incidents of computer crime are carried out by insiders. Firewalls also have a significant disadvantage in that they restrict how your users can use the Internet. (After all, a firewall is simply a less extreme example of the dictum that there is nothing more secure than a computer which is not connected to the network and powered off!) In many places, these restrictions are simply unrealistic and unacceptable.
Kerberos was created by MIT (Massachusetts Institute of Technology) as a solution to these network security problems. Kerberos is the name of a computer network authentication protocol which allows individuals communicating over a non-secure network to prove their identity to one another in a secure manner. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection.
Briefly and approximately, here's how Kerberos works:
1> Suppose you want to access a server on another computer (which you may get to by sending a Telnet, SSH or similar login request). You know that this server requires a Kerberos ticket before it will honor your request.
2> To get your ticket, you first request authentication from the Authentication Server (AS) by sending your user name. The AS looks up your long-term key, which it derives from your password, and generates a fresh random session key. It sends back two things: that session key encrypted under your password-derived key, so that only someone who knows the password can read it, and a ticket-granting ticket (TGT) which contains the same session key and your identity, encrypted under the ticket-granting server's own key so that you can neither read nor alter it. Your password itself never travels over the network. (Modern KDCs also require pre-authentication, usually a timestamp encrypted with your key, before they will answer, so an attacker cannot simply request a reply for any user and crack it offline.)
3> You next send your ticket-granting ticket to the ticket-granting server (TGS), together with an authenticator (your name and the current time, encrypted under the session key) and the name of the service you want. The TGS may be physically the same server as the Authentication Server, but it's now performing a different service. Together the AS and TGS make up the Key Distribution Center (KDC).
4> The TGS decrypts the TGT, checks the authenticator, and returns a service ticket encrypted under the service's key, plus a new session key for you and that service. You present the ticket and a fresh authenticator to the service, which either rejects them or accepts them and performs the service. Because every ticket carries an expiry time, you can reuse the service ticket, and use the TGT to obtain tickets for other services, within that period (typically eight to ten hours) without being re-authenticated. Making the ticket valid for a limited time makes it less likely that someone who captures it will be able to use it later, and the timestamp in the authenticator (servers reject one older than a few minutes, five by default) limits replay within that window.
5> After a client and server have used Kerberos to prove their identity to each other, they share a session key that nobody else knows, so they can also encrypt and integrity-protect all of their communications as they go about their business.
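A worked version of steps 1 to 5, added here as an illustration; it is not code from MIT or from the Kerberos distribution. It models the three exchanges (AS, TGS and the final request to the application server) in plain Python, with a toy encrypt-then-MAC cipher built from HMAC-SHA256 standing in for Kerberos's real AES enctypes so that it runs offline. The realm EXAMPLE.COM, the principals alice, krbtgt and host/web, the passwords and the eight-hour lifetime are all made up or taken from the text above. The failure cases at the end show why each field exists: a wrong password cannot decrypt the AS reply, an expired ticket is refused, a replayed authenticator falls outside the clock-skew window, and a ticket that was not sealed under the service's key fails its integrity check.

```python
import hashlib, hmac, json, secrets, time

LIFETIME = 8 * 3600   # ticket lifetime, the "eight hours" from the text
CLOCK_SKEW = 300      # authenticators older than 5 minutes are rejected (Kerberos default)

def string_to_key(password: str, salt: str) -> bytes:
    """Long-term key from a password, as the KDC stores it (PBKDF2 here; real enctypes differ)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def _stream(key: bytes, nonce: bytes, n: int) -> bytes:
    return b"".join(hmac.digest(key, nonce + i.to_bytes(4, "big"), "sha256") for i in range(n // 32 + 1))

def seal(key: bytes, msg: dict) -> bytes:
    """Toy encrypt-then-MAC (HMAC keystream + HMAC tag). A stand-in for Kerberos's AES enctypes only."""
    nonce, data = secrets.token_bytes(16), json.dumps(msg).encode()
    body = nonce + bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return body + hmac.digest(key, body, "sha256")

def unseal(key: bytes, blob: bytes) -> dict:
    """Inverse of seal(); raises ValueError for a wrong key or a modified message."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.digest(key, body, "sha256")):
        raise ValueError("integrity check failed: wrong key or tampered message")
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def verify_authenticator(ticket: dict, authenticator: bytes, now: float) -> str:
    """Check done by the TGS and by application servers: ticket unexpired, authenticator fresh and matching."""
    if now > ticket["expires"]:
        raise ValueError("ticket expired")
    auth = unseal(bytes.fromhex(ticket["key"]), authenticator)   # only the ticket holder knows this key
    if auth["client"] != ticket["client"] or abs(now - auth["time"]) > CLOCK_SKEW:
        raise ValueError("authenticator does not match ticket or is outside clock skew")
    return ticket["client"]

class KDC:
    """Authentication Server and Ticket-Granting Server in one process, as in MIT krb5."""
    def __init__(self, realm: str):
        self.realm, self.keys = realm, {}
    def add_principal(self, name: str, password: str) -> None:
        self.keys[name] = string_to_key(password, self.realm + name)   # salted with realm + principal
    def _issue(self, for_principal: str, client: str, now: float):
        session = secrets.token_hex(32)                                 # fresh random session key
        ticket = seal(self.keys[for_principal], {"client": client, "key": session, "expires": now + LIFETIME})
        return session, ticket
    def as_exchange(self, client: str, now: float) -> bytes:
        """AS-REP: a TGT sealed for krbtgt plus the session key, all sealed under the client's long-term key."""
        session, tgt = self._issue("krbtgt", client, now)
        return seal(self.keys[client], {"key": session, "tgt": tgt.hex()})
    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: float) -> bytes:
        """TGS-REP: verify the TGT and authenticator, then issue a ticket for the named service."""
        t = unseal(self.keys["krbtgt"], tgt)
        session, ticket = self._issue(service, verify_authenticator(t, authenticator, now), now)
        return seal(bytes.fromhex(t["key"]), {"key": session, "ticket": ticket.hex()})

class Client:
    def __init__(self, name: str, password: str, kdc: KDC):
        self.name, self.kdc = name, kdc
        self.long_term = string_to_key(password, kdc.realm + name)      # the password never leaves the client
    def login(self, now: float) -> None:
        rep = unseal(self.long_term, self.kdc.as_exchange(self.name, now))  # wrong password -> ValueError
        self.tgt, self.tgt_key = bytes.fromhex(rep["tgt"]), bytes.fromhex(rep["key"])
    def _authenticator(self, key: bytes, now: float) -> bytes:
        return seal(key, {"client": self.name, "time": now})
    def get_service_ticket(self, service: str, now: float) -> tuple:
        rep = unseal(self.tgt_key, self.kdc.tgs_exchange(
            self.tgt, self._authenticator(self.tgt_key, now), service, now))
        return bytes.fromhex(rep["ticket"]), bytes.fromhex(rep["key"])
    def ap_request(self, ticket: bytes, key: bytes, now: float) -> tuple:
        return ticket, self._authenticator(key, now)                     # AP-REQ: ticket + fresh authenticator

class Service:
    def __init__(self, name: str, key: bytes):
        self.name, self.key = name, key                                  # the service's keytab entry
    def accept(self, ticket: bytes, authenticator: bytes, now: float) -> str:
        return verify_authenticator(unseal(self.key, ticket), authenticator, now)

def demo() -> dict:
    """End-to-end run plus the failure cases a server must reject. All names and passwords are made up."""
    kdc, now = KDC("EXAMPLE.COM"), time.time()
    for name, pw in (("krbtgt", secrets.token_hex(16)), ("alice", "correct horse"), ("host/web", secrets.token_hex(16))):
        kdc.add_principal(name, pw)
    web, alice = Service("host/web", kdc.keys["host/web"]), Client("alice", "correct horse", kdc)
    alice.login(now)
    ticket, skey = alice.get_service_ticket("host/web", now)
    out = {"accepted_as": web.accept(*alice.ap_request(ticket, skey, now + 60), now + 60)}
    out["reused_later"] = web.accept(*alice.ap_request(ticket, skey, now + 3600), now + 3600)  # no KDC round trip

    def rejected(fn) -> bool:
        try:
            fn()
            return False
        except ValueError:
            return True
    late, stale = now + LIFETIME + 1, alice.ap_request(ticket, skey, now)
    out["wrong_password_rejected"] = rejected(lambda: Client("alice", "wrong password", kdc).login(now))
    out["expired_ticket_rejected"] = rejected(lambda: web.accept(*alice.ap_request(ticket, skey, late), late))
    out["stale_authenticator_rejected"] = rejected(lambda: web.accept(*stale, now + CLOCK_SKEW + 1))
    forged = seal(b"\0" * 32, {"client": "admin", "key": "00" * 32, "expires": late})
    out["forged_ticket_rejected"] = rejected(lambda: web.accept(forged, stale[1], now))
    return out
```

Running demo() returns "alice" for both the first request and the reuse an hour later, and True for each of the four rejections. Note what the service never sees: the user's password, the user's long-term key, or the KDC itself. It needs only its own key and a roughly synchronized clock, which is why Kerberos deployments depend on NTP.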
Kerberos is freely available from MIT, under copyright permissions very similar to those used for the BSD operating system and the X Window System. MIT provides Kerberos in source form so that anyone who wishes to use it may look over the code for themselves and be assured that it is trustworthy. In addition, for those who prefer to rely on a professionally supported product, Kerberos is available as a product from many different vendors.
In summary, Kerberos is a solution to your network security problems. It provides authentication and strong cryptography over the network to help you secure your information systems across your entire enterprise. Keep in mind that it answers the question of who the client is; what that client is allowed to do remains the server's decision, and the server must still enforce it.
Article Authored by Aji
Author, Aji, is a Systems Engineer with SupportPRO. Aji specializes in cPanel and Linux servers. SupportPRO offers 24x7 technical support services to web hosting companies and service providers.


