Uses of kerberos?

Mark H. Wood mwood at mhw.ULib.IUPUI.Edu
Mon May 6 12:37:50 EDT 2002 

Dustin <dustin_dortch at hotmail.com> wrote:
> I think Töns hit it pretty dead on.  The main differences with
> MS-Kerberos have to do with the PAC, which is essentially a "ticket"
> to access resources.  In a Windows NT 4.0 domain, for example, you
> authenticate to the PDC/BDC, and then try to access a resource.  Once
> you request a resource, the server providing the resource will ask the
> PDC/BDC for verification of your authentication credentials.  This
> creates redundant traffic, and exposes many security holes.  In this
> scenario, you are giving your username and password to the server. 
> This is inherently unsafe.  This server could be "masquerading" on the
> network just to record your credentials.

Um?  When a host joins an NT domain, an account is created for the
host itself in the SAM on the PDC, and they exchange passwords by
which future contacts may be authenticated.  The initial exchange is
guarded by requiring a trusted introducer, in the form of an account
known to the PDC and holding the privilege of creating new machine
accounts -- that is, the sysadmin who is joining the new member to the
domain, who provides his password to bless the union.  All of this
takes place within a so-called Secure Channel, which isn't really
explained very well, but altogether it sounds quite a lot like
Kerberos.

Indeed, the more I study the two, the more I become convinced that
using Kerberos was a natural evolution for Microsoft's domain setup
because they were already doing mostly the same sort of stuff and just
needed to change a few details to become at least minimally
interoperable with a popular standard.  They may be highly significant
details, but the conceptual framework is not so different.  There are
only so many reasonable ways to achieve the goals involved in secure
provision of distributed services.

I'm also not too sure that presenting credentials to services is all
that different.  Under Kerberos, you go back to the KDC to get a
service ticket which you then present to the server.  Under NTLM you
apparently go to the server, which then checks with the PDC.  The path
taken by the information is different but the traffic level seems
comparable.  What did I miss?

-- 
Mark H. Wood, Lead System Programmer   mwood at IUPUI.Edu
MS Windows *is* user-friendly, but only for certain values of "user".

More information about the Kerberos mailing list