Kerberos vs. LDAP for authentication -- any opinions?

Dan Geer geer at TheWorld.com
Sat Jan 31 00:24:08 EST 2004


    > And what prevents a Kerberos server from being compromised? Any
    > system can have a root-kit installed on it.

I am hoping that this is not flame bait...

Clearly, unless you want to reinvent the classic idea
of provably correct systems, you will/must make some
tradeoffs in the real world because provable security
is never affordable just as affordable security is
never provable.

As such, single purpose machines running open-source
security code on stripped platforms, watched like a
hawk by competent paranoids, and speaking only well
beaten crypto over well beaten protocols will win.
Kerberos fits that bill to a Tee; you can bust into
the inner sanctum, grab the KDC, and dive out the
window into your waiting getaway vehicle only to
discover that what you have is a brick.  You can try to
remotely attack it and install whatever you want, but
there is very little attack surface plus you'll have to
be smarter/luckier than the several hundred genuine
worthies who've already come up dry.  If you want to
find something to fear in a large scale Kerberos plant,
fear keystroke capture on serially reusable client
machines or the ever-available "key purchase" attack.

--dan
