Grant Taylor <gtay...@tnetconsulting.net> writes:

> I've been around, but largely ignored, Kerberos for years. As I'm now
> investigating doing things with it, and really liking what I'm seeing,
> I'm starting to wonder if there are any security guidelines about
> where it's safe to use Kerberos.

Always. But like any security system, you have to set it up right.

> It's my (mis?)understanding that communications between Kerberos
> clients and the KDC are in the clear (but do not include the
> password), and that there is functionally no communications between a
> remote server and the KDC.

No, communication isn't in the clear. It may provide some intuition of what Kerberos communicates (though it is no longer entirely technically accurate) to look at https://web.mit.edu/Kerberos/www/dialogue.html

The biggest concern in a new Kerberos deployment is secrets being based on passwords. To varying degrees, this reduces the strength of the system as a whole to the strength of the passwords. In the system proposed in the dialogue above, for instance, it's possible to observe an exchange and mount an offline dictionary attack against it. More information on mitigating that (which isn't too hard) can be found here: https://web.mit.edu/kerberos/krb5-devel/doc/admin/dictionary.html#dictionary

> As such, I'm wondering if it would be relatively safe enough to use
> Kerberos to authenticate to a VPS in the cloud when both the client
> and KDC are on the LAN. I think Kerberized SSH would be the only
> Kerberos related traffic across the Big Bad Internet to the VPS. Is
> this correct?

See above.

> Can anyone point me to some general reading that any/all Kerberos
> n00b should read? (I've been following How-Tos and gotten a lot to
> work.)

It's worth mentioning that there are turnkey solutions for configuring entire identity management systems (i.e., including Kerberos) now. For instance, we develop FreeIPA ( https://www.freeipa.org/ ), which will mitigate these threats by default.

Thanks,
--Robbie
________________________________________________
Kerberos mailing list
Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
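The mitigation the reply points to (the MIT dictionary-attack page) is to require preauthentication on principals whose keys are derived from passwords, so that an observer can no longer obtain an AS-REP encrypted under a password-derived key just by asking the KDC. The following audit script is an added example written for this thread; it is not code from the thread's participants, from MIT Kerberos, or from FreeIPA. It assumes the text layout that MIT `kadmin getprinc` prints (a `Principal:` line followed by an `Attributes:` line listing flags such as `REQUIRES_PRE_AUTH`); the `getprinc` output embedded below is constructed for the example, not captured from a real KDC.

```python
"""Audit MIT Kerberos principals for the REQUIRES_PRE_AUTH attribute.

Added example for the mailing-list thread above; not part of MIT Kerberos
or FreeIPA. It assumes the text format that `kadmin getprinc` prints; the
sample output below is constructed, not taken from a real KDC.
"""

# Constructed sample of what `kadmin -q "getprinc <principal>"` prints for
# three principals; only the lines this audit needs are reproduced.
SAMPLE_GETPRINC_OUTPUT = """\
Principal: alice@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Jan 01 00:00:00 UTC 2024
Attributes: REQUIRES_PRE_AUTH
Policy: default

Principal: bob@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Jan 01 00:00:00 UTC 2024
Attributes:
Policy: [none]

Principal: host/vps.example.com@EXAMPLE.COM
Expiration date: [never]
Last password change: Mon Jan 01 00:00:00 UTC 2024
Attributes: DISALLOW_SVR
Policy: [none]
"""


def parse_getprinc(text):
    """Return {principal: set of attribute flags} from getprinc-style output."""
    records = {}
    current = None
    for line in text.splitlines():
        if line.startswith("Principal:"):
            current = line.split(":", 1)[1].strip()
            records[current] = set()
        elif line.startswith("Attributes:") and current is not None:
            # An empty "Attributes:" line means no flags are set.
            records[current] = set(line.split(":", 1)[1].split())
    return records


def principals_without_preauth(records):
    """Principals the KDC will issue an AS-REP to without preauthentication.

    Without REQUIRES_PRE_AUTH the KDC answers an AS-REQ for the principal with
    material encrypted under its long-term key. If that key is derived from a
    password, the reply can be attacked offline with a dictionary, which is the
    exposure the MIT dictionary page describes.
    """
    return sorted(p for p, attrs in records.items()
                  if "REQUIRES_PRE_AUTH" not in attrs)


def remediation_commands(principals):
    """kadmin commands that would turn preauthentication on for each principal."""
    return [f'kadmin -q "modprinc +requires_preauth {p}"' for p in principals]


if __name__ == "__main__":
    recs = parse_getprinc(SAMPLE_GETPRINC_OUTPUT)
    for cmd in remediation_commands(principals_without_preauth(recs)):
        print(cmd)
```

Against the constructed sample the audit flags `bob@EXAMPLE.COM` and the host principal. The flag matters most for principals whose key comes from a password (user accounts); a service principal whose key was generated randomly into a keytab is not weakened by a dictionary attack in the same way, so the list is a starting point for review rather than a verdict. In a real deployment you would feed the script the output of `kadmin listprincs` followed by `getprinc` for each principal, and set the flag with `modprinc +requires_preauth` as the printed commands show.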