newbie question: machine authentication

Ross Macintyre raz at macs.hw.ac.uk
Thu May 5 11:00:14 EDT 2005


I am a total newbie to Kerberos and I am just trying to get things
straight in my head before going ahead and using it.
I work in a University and look after a number of lab machines,
which just plug into the network, but can easily be unplugged.
We do have port-based security on our switches but I am aware how
easy it is to change the MAC address.

Reading about Kerberos I understand that it is a very secure way of
authenticating a user on a network. There is however something that I am
unsure of. Basically, are the *machines* on the network authenticated too?
That is, does each machine have an encrypted key somewhere that identifies
itself?

My reason for asking is that I am worried that if someone disconnects
one of my lab machines and connects their own machine, which has been
frigged to look like the disconnected machine, then in some way, the
person who has done this will be able to access *something* on the
network.
Of course maybe I needn't worry at all anyway. If someone did connect
another machine and masquerade as my machine perhaps there is little they
could do, because they would then need to authenticate as a user,
and without the user password, they could access nothing on the network?
Still I would like to know if there is some form of the machine
'registering' when it boots, and if so, is there some daemon that
updates a ticket or something?
I guess that Windows networks work in this way and that when a Windows
machine boots it somehow authenticates with the Domain Controller?

I am asking this question because I am aware that in our current
setup, masquerading as another machine lets the user of the bogus
machine become any user on that machine and thus lets them access
any files exported to that machine, and this is what I am trying
to avoid.

I hope these questions don't sound too dumb, but the O'Reilly Guide
on Kerberos is a bit heavy going in places and I couldn't quite get
the idea of the authenticity of a machine clear in my head.
Is there such a thing?
Any pointers at URLs, FAQs, or plain help much appreciated.
Thanks in advance,

Ross


-- 
Ross Macintyre (raz at macs.hw.ac.uk)
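The question above asks whether a machine has its own key in Kerberos. It does: each enrolled host holds a long-term key for a principal of the form host/fqdn@REALM, kept on the host in a keytab (/etc/krb5.keytab on Unix) with the other copy at the KDC, and a service on that host proves it is the genuine host by being able to decrypt tickets the KDC issued for that principal. The model below, which is an added illustration and not code from the post or from any Kerberos implementation, walks through that check: a KDC with a user and a host principal, a service ticket issued for host/lab1, and the ticket presented both to the enrolled host and to a replacement box wired in under the same name without the keytab. The realm, host names, password and the encrypt-then-MAC "seal" are all constructed stand-ins; real Kerberos uses its own encryption types and also wraps the session key under the user's key, which this toy skips.

```python
"""Toy model of Kerberos host principals and keytabs.

Added example, not code from the original post. The seal/unseal pair is a
stand-in for Kerberos encryption (hash keystream + HMAC), chosen only so the
script runs with the standard library; it is not the real protocol.
"""
import hashlib
import hmac
import json
import os

REALM = "EXAMPLE.ORG"  # constructed realm name


def _keystream(key: bytes, length: int) -> bytes:
    # Toy keystream: SHA-256(key || counter). Illustrative only.
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, payload: dict) -> bytes:
    """Encrypt-then-MAC a JSON payload under key (toy, not Kerberos crypto)."""
    plain = json.dumps(payload, sort_keys=True).encode()
    body = bytes(a ^ b for a, b in zip(plain, _keystream(key, len(plain))))
    tag = hmac.new(key, body, hashlib.sha256).digest()
    return tag + body


def unseal(key: bytes, blob: bytes):
    """Return the payload if the MAC verifies under key, otherwise None."""
    tag, body = blob[:32], blob[32:]
    expected = hmac.new(key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plain = bytes(a ^ b for a, b in zip(body, _keystream(key, len(body))))
    return json.loads(plain)


class KDC:
    """Holds the long-term key of every principal in the realm."""

    def __init__(self):
        self.keys = {}

    def add_user(self, name, password):
        # User keys are derived from a password (string-to-key).
        self.keys[f"{name}@{REALM}"] = hashlib.sha256(password.encode()).digest()

    def add_host(self, fqdn):
        # Host keys are random. The KDC keeps one copy; the host keeps the
        # other in its keytab. The returned dict plays the role of that keytab.
        principal = f"host/{fqdn}@{REALM}"
        key = os.urandom(32)
        self.keys[principal] = key
        return {principal: key}

    def issue_service_ticket(self, client, service):
        """Return (ticket sealed under the service's key, session key).

        Real Kerberos would seal the session key under the client's key too;
        here the client is simply handed it.
        """
        session_key = os.urandom(32)
        ticket = seal(self.keys[service],
                      {"client": client, "session_key": session_key.hex()})
        return ticket, session_key


def service_accept(keytab, service, ticket, authenticator):
    """What a Kerberised service on a host does with a presented ticket.

    Returns the authenticated client name, or None when the ticket cannot be
    opened with the host's keytab or the authenticator does not match it.
    A box that merely claims the host's name and address has no such key.
    """
    key = keytab.get(service)
    if key is None:
        return None
    payload = unseal(key, ticket)
    if payload is None:
        return None
    session_key = bytes.fromhex(payload["session_key"])
    auth = unseal(session_key, authenticator)
    if auth is None or auth["client"] != payload["client"]:
        return None
    return payload["client"]


def demo():
    """Enrolled host vs. unenrolled replacement; returns both outcomes."""
    kdc = KDC()
    kdc.add_user("ross", "constructed-password")
    lab1_keytab = kdc.add_host("lab1.example.org")
    service = f"host/lab1.example.org@{REALM}"
    # Replacement box plugged in as "lab1" but never enrolled: it has only a
    # key it generated itself, not the KDC's copy of host/lab1's key.
    unenrolled_keytab = {service: os.urandom(32)}

    ticket, session_key = kdc.issue_service_ticket(f"ross@{REALM}", service)
    authenticator = seal(session_key, {"client": f"ross@{REALM}"})
    genuine = service_accept(lab1_keytab, service, ticket, authenticator)
    unenrolled = service_accept(unenrolled_keytab, service, ticket, authenticator)
    return genuine, unenrolled


if __name__ == "__main__":
    print(demo())  # ('ross@EXAMPLE.ORG', None)
```

The second result is what answers the question about a swapped-in box: identity rests on possession of the host key, not on the hostname, IP or MAC address, so the replacement cannot act as host/lab1 for any Kerberised service. The caveat the post already touches on still holds, though: a service that is exported to a hostname or address without Kerberos (plain NFS with host-based trust, for instance) never asks for the host key at all, which is why moving such exports to Kerberos-secured access is what removes the exposure described.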


