High level thoughts on justifying the use of Kerberos

Raymond M Schneider ray at securityfoo.net
Sun Mar 16 21:32:06 EST 2003


On Sun, Mar 16, 2003 at 05:52:12PM -0800, Mike wrote:
> I'm getting ready to propose the use of Kerberos in our division. 
> I've done some reading up on the subject and in general I like what I
> see.  However, I have this nagging thought in my head that my
> management and some of the network weenies will have reservations.
>
Good! Kerberos is a pretty fair way to go if you are going to use a trusted
third party model for your authentication. Keep in mind Kerberos is an
authentication method, and not an "authorization" method. That is,
depending on your needs you may have to lay out a plan for handling
authorization for your systems. (I.e., just because someone has a krb5 ticket,
meaning they have successfully authenticated, doesn't mean that person should
be allowed on machine X.)

> My question is to formalize a list of the benefits and risks of
> implementing Kerberos.  Specifically, are there things that I should
> be worried about?  I know this is very open ended and somewhat vague
> but that's my starting point on the issue.  I want to try to head off
> any FUD attacks and also want to understand the implications of what
> I'm proposing.
> 
Hmm. Here are some of my thoughts on a list for you:

Benefits:
Centralized authentication mechanism
Support for Windows, Mac, UNIXes of various flavors...
Encryption

Risks:
It's centralized.. if the KDC is exploited all bets are off.


That's a short list, I'm sure I could come up with more as could others.. but
I'm a little short on time this evening. ;) Good luck, I would expect your
management to welcome Kerberos, even the network folks shouldn't really be
bothered. I can't imagine why they would care one way or another.. it's just
a couple of ports. ;)

