Kerberos and integrated login

Luke Howard lukeh at PADL.COM
Thu Jan 16 02:19:44 EST 2003


>	Thanks for the reply. The point you mention above though is
>not a very good one - by choosing Kerberos itself, one is exposing oneself
>to a single point of security failure - the KDC. So if one has already
>accepted that risk, then the directory is not an increased exposure -
>particularly if one goes the DCE integrated login server route where there
>is no centralized single point of failure (unlike LDAP).

There are two issues here and I think you may be confusing them.

The first is the issue of availability: it makes sense to make both
the authorization and authentication services highly available. 
Both the KDC and LDAP service may be replicated, and some algorithm
used by the client in order to select a replica.

Indeed, one advantage of an integrated KDC and LDAP server is that
directory servers often have optimised replication protocols, and
thus one gets replication of Kerberos principal data "for free".

The second is the concern oft expressed on this mailing list that
a directory server is more likely to be compromised than a KDC, 
because it is storing general purpose directory information.
As such, the argument goes, the exposure risk is greater if
Kerberos keys are stored in the directory.

I would posit that it's actually more secure to have a single
repository for such information and to take whatever steps
necessary to secure it, as administration becomes more or less
atomic. Indeed, given the current tendency towards storing
cleartext passwords in directories in order to support digest SASL
mechanisms, I'd prefer a good string2key algorithm any day :-)

-- Luke

--
Luke Howard | PADL Software Pty Ltd | www.padl.com
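The message above contrasts a directory that holds cleartext passwords (to serve digest SASL) with one that holds Kerberos keys produced by a string2key algorithm. The following Go program, added here as an illustration and not code from the original post or from PADL, shows what the stored value actually is under the RFC 3962 AES string-to-key: PBKDF2-HMAC-SHA1 over the password and salt, followed by the RFC 3961 DK step with the n-folded constant "kerberos". The function names (StringToKey, DefaultSalt, pbkdf2SHA1, deriveKey) are this example's own; the test vectors in the comments come from RFC 3962 appendix B, and the 128-fold("kerberos") constant from RFC 3961 appendix A.1. Only the standard library is used.

```go
package main

import (
	"crypto/aes"
	"crypto/hmac"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
)

// pbkdf2SHA1 implements PBKDF2 with HMAC-SHA1 (RFC 2898 section 5.2) using
// only the standard library, so the example needs no external module.
func pbkdf2SHA1(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha1.New, password)
	hLen := prf.Size()
	numBlocks := (keyLen + hLen - 1) / hLen
	out := make([]byte, 0, numBlocks*hLen)
	var blockIdx [4]byte
	for i := 1; i <= numBlocks; i++ {
		prf.Reset()
		prf.Write(salt)
		binary.BigEndian.PutUint32(blockIdx[:], uint32(i))
		prf.Write(blockIdx[:])
		u := prf.Sum(nil)
		t := make([]byte, hLen)
		copy(t, u)
		for n := 1; n < iterations; n++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// nfoldKerberos128 is 128-fold("kerberos") as listed in RFC 3961 appendix A.1.
// The DR constant is folded to the cipher block size, so it is the same for
// both AES key sizes.
var nfoldKerberos128 = []byte{
	0x6b, 0x65, 0x72, 0x62, 0x65, 0x72, 0x6f, 0x73,
	0x7b, 0x9b, 0x5b, 0x2b, 0x93, 0x13, 0x2b, 0x93,
}

// deriveKey implements DK(tkey, "kerberos") for the RFC 3962 AES enctypes:
// K1 = E(tkey, n-fold("kerberos")), K2 = E(tkey, K1), ... until keyLen bytes.
// Each E encrypts a single block with a zero IV, so CBC-CTS reduces to one
// plain block encryption here. random-to-key is the identity for AES.
func deriveKey(tkey []byte, keyLen int) ([]byte, error) {
	block, err := aes.NewCipher(tkey)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 0, keyLen)
	prev := nfoldKerberos128
	for len(out) < keyLen {
		next := make([]byte, aes.BlockSize)
		block.Encrypt(next, prev)
		out = append(out, next...)
		prev = next
	}
	return out[:keyLen], nil
}

// StringToKey is the RFC 3962 string-to-key. What ends up in the KDC database
// (or the directory) is this derived key, not the password. keyLen is 16 for
// aes128-cts-hmac-sha1-96 and 32 for aes256-cts-hmac-sha1-96; the RFC default
// iteration count is 4096.
func StringToKey(password, salt string, iterations, keyLen int) ([]byte, error) {
	tkey := pbkdf2SHA1([]byte(password), []byte(salt), iterations, keyLen)
	return deriveKey(tkey, keyLen)
}

// DefaultSalt builds the RFC 3962 default salt: the realm followed by the
// principal name components concatenated, e.g. "ATHENA.MIT.EDU" + "raeburn".
func DefaultSalt(realm string, components ...string) string {
	s := realm
	for _, c := range components {
		s += c
	}
	return s
}

func main() {
	// Constructed sample input; the principal and password match RFC 3962's
	// appendix B vectors, with the RFC default of 4096 iterations.
	salt := DefaultSalt("ATHENA.MIT.EDU", "raeburn")
	key, err := StringToKey("password", salt, 4096, 32)
	if err != nil {
		panic(err)
	}
	fmt.Printf("salt: %q\naes256 key: %s\n", salt, hex.EncodeToString(key))
}
```

The point for the directory-versus-KDC debate is visible in the output: an attacker who reads the stored attribute obtains a key that is usable only against that realm's Kerberos exchanges and must still be brute-forced (through 4096 PBKDF2 iterations per guess) to recover the password, whereas a cleartext password kept for digest SASL is immediately reusable anywhere the user chose the same password.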