Kerberos does not send passwords in the clear or encrypted — in fact, it uses a three-part key-based scheme to authenticate services (mail, sign-on, file services, etc) along with a KDC Server to NEVER SEND THE PASSWORD OVER THE NETWORK. This is done entirely invisible to the user, who is presented with one log-in (the OS X log-in window).

In reality most services these days store passwords– Mail, and other e-mail apps, AFP connections, etc. (Which means mostly people just need to sign-on once anyway.)

Whether or not the service is authenticated using kerberos depends on if the service running on the client and server have been implemented kerberized, or made compatible with the Kerberos authentication methods described here. With regard to Apples products, the client and the server, most of services with OS 10.4 can be used with a KDC server in this environment.

The general implementation is to enable kerberos on the Server (that is, the service running on the server). In many cases you can (and are advised by apple if appropriate) only enable kerberos authentication for a particular service which is safest. Remember that the configuration also requires setting up a KDC Server in a multiuser environment. With few exceptions, for many services there is nothing to configure on the client machine.

Kerberos is designed to be invisible to the user when setup on both the client and servers.

Kerberos is designed for larger workgroups, but at a minimum the advising technologist should keep in mind these needed components: a KDC server and services (Mail, Web, iChat, Quicktime, DNS, DHCP, etc) running on a server. As well, of course, each client user has a Mac OS X computer running Mac OS X Client.

By securely sending only tickets and requests for tickets across the network, you configure the three components to each share eachothers encryption keys, but not evenly.

The client shares a key with the KDC server; The KDC server shares another key with the service thats authenticating. An excellent training video found in Chapter 6 of the CD companation to the book Mac OS X Server Essentials (Regan, Schoun, et al) visualizes the process from here. What is important for a technologist to know is that the password never gets sent over the network– only highly encrypted tickets, which get sent back and forth between the three entities in a trust-me game. When properly setup the client sees none of it and the authentication works. (Remember, to work all this requires a special KDC server, requires that service support Kerberos and Kerberos authentication is enabled, and Kerberos must be implemented in the version of the client.)

Kerberos was first incorporated into the line in Mac OS X Server 10.2. At that operating system, the kerberized services were: Login, mail, FTP, AFP, and SSH.

Kerberos was developed at MIT. Its name comes from greek mythology (alternatively spelled Cerberus) for the three-headed guard dog at the gates of Hades, the underworld.

By Jason

Leave a Reply

Your email address will not be published. Required fields are marked *