Why Kerberos? - PowerPoint PPT Presentation

About This Presentation
Title:

Why Kerberos?

Description:

Why Kerberos? Presented by Beth Lynn Eicher CPLUG Security Conference March 5, 2005 Released Under The Creative Commons Attribution-NonCommercial-ShareAlike License. – PowerPoint PPT presentation

Learn more at: http://www.cs.cmu.edu

Transcript and Presenter's Notes

Title: Why Kerberos?


1
Why Kerberos?
  • Presented by Beth Lynn Eicher
  • CPLUG Security Conference
  • March 5, 2005
  • Released Under The Creative Commons
    Attribution-NonCommercial-ShareAlike License.
  • Some Rights Reserved

2
Kerberos IS...
3
The mythical character
4
A Network Authentication Protocol
  • MIT took an idea from Xerox: The
    Needham-Schroeder Protocol
  • Centralized, single sign-on, encrypted logins

5
Kerberos is everywhere
  • Required for OpenAFS
  • With Heimdal (from Sweden) you can use Kerberos
    anywhere
  • Becoming a built-in option
  • Microsoft Active Directory
  • LDAP
  • Fedora Core (PAM)

6
Yes, you can use telnet again
  • If you kerberize your service, you can use
    services that otherwise pass your passwords in
    the clear.

7
Allows many methods of authentication...
8
Something that you know
  • Your password

9
Something that you have...
  • Your Securid

10
Something that you are...
  • Bio-authentication

11
Since there are multiple ways of authenticating...
  • Let's just call it secret

12
Provides the 3 A's
  • Authentication: verifying secrets
  • Authorization: control access
  • Auditing: logging

13
NOT to be confused with...
14
Fluffy from Harry Potter
15
A directory service
  • Kerberos doesn't know your full name, your
    favorite shell, or your home address
  • Use LDAP or NIS() WITH Kerberos

16
Kerberos does encrypt your password....
  • But what you assume to be Kerberos may not be,
    if your system has been exploited!
  • Be aware of trojans and keystroke logging

17
My principal
  • bethlynn@CS.CMU.EDU

18
My principal's service instances
  • bethlynn.mail@CS.CMU.EDU
  • bethlynn.ftp@CS.CMU.EDU
  • bethlynn.remote@CS.CMU.EDU

19
My principal's administrative instances
  • bethlynn.admin@CS.CMU.EDU
  • bethlynn.admin-afs@CS.CMU.EDU
  • bethlynn.root@CS.CMU.EDU

20
Single Sign-On
  • I log in to my desktop
  • After that initial login I'm given a ticket
  • I can ssh/telnet to other machines on the
    network without typing a password again!
  • My password is not cached or resent.
  • My ticket allows me to request more tickets.

21
When I want to be root
  • I authenticate with my bethlynn.root@CS.CMU.EDU
    password
  • Now I have full root privileges on the local host
  • I can also use this ticket to ssh/telnet to other
    machines and be root on them too
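
Added example (not from the original slides): a Python sketch of an audit over the instance scheme on slides 17-21. It parses principals written as `name.instance@REALM` and reports the hosts where a privileged instance (`admin`, `admin-afs`, `root`) was used. The log format and the host names are constructed for illustration.

```python
import re
from collections import namedtuple

Principal = namedtuple("Principal", "primary instance realm")
# Instances the slides use for elevated rights; all others count as ordinary.
PRIVILEGED_INSTANCES = {"admin", "admin-afs", "root"}
_PRINCIPAL_RE = re.compile(r"^([A-Za-z0-9_-]+)(?:[./]([A-Za-z0-9_-]+))?@([A-Z0-9.-]+)$")

def parse_principal(text):
    """Split 'primary[.instance]@REALM' (slide notation; '/' is also accepted)."""
    m = _PRINCIPAL_RE.match(text.strip())
    if not m:
        raise ValueError("not a principal: %r" % text)
    return Principal(m.group(1), m.group(2) or "", m.group(3))

def is_privileged(principal):
    return principal.instance in PRIVILEGED_INSTANCES

# Constructed sample events, "<time> <host> <principal>"; not a real KDC log format.
SAMPLE_LOG = """\
2005-03-05T09:00:01 desk1 bethlynn@CS.CMU.EDU
2005-03-05T09:02:10 mailhost bethlynn.mail@CS.CMU.EDU
2005-03-05T09:15:42 desk1 bethlynn.root@CS.CMU.EDU
2005-03-05T09:16:03 build7 bethlynn.root@CS.CMU.EDU
2005-03-05T09:20:00 afs1 bethlynn.admin-afs@CS.CMU.EDU
2005-03-05T09:21:00 desk1 not-a-principal
"""

def audit(log_text):
    """Return ({privileged principal: sorted hosts}, [lines that did not parse])."""
    hosts, rejected = {}, []
    for line in log_text.splitlines():
        fields = line.split()
        try:
            if len(fields) != 3:
                raise ValueError(line)
            principal = parse_principal(fields[2])
        except ValueError:
            rejected.append(line)  # keep bad lines visible instead of dropping them
            continue
        if is_privileged(principal):
            hosts.setdefault(fields[2], set()).add(fields[1])
    return {name: sorted(seen) for name, seen in hosts.items()}, rejected

if __name__ == "__main__":
    report, bad = audit(SAMPLE_LOG)
    for name, where in sorted(report.items()):
        print(name, "->", ", ".join(where))
    print("unparsed:", bad)
```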

22
What I didn't tell you
  • How Kerberos works.
  • MIT vs Heimdal
  • Who is Cerberus?
  • How to configure Kerberos
  • How OpenAFS uses Kerberos

23
O'Reilly to the Rescue
  • Kerberos: The Definitive Guide by Jason Garman
  • The Owl book
  • 34.95

24
Thanks!