author: Yuuta Liang <yuuta@yuuta.moe> 2023-11-16 17:49:48 -0800
committer: Yuuta Liang <yuuta@yuuta.moe> 2023-11-16 17:49:48 -0800
commit: ad221e5ef7d428fae94c7144f40d7bddc7c39109 (patch)
tree: e9b67bba61bf58b61875b79efd520bbfb48d27bd
parent: d3d5848a5f6d0a4d55f194972a158795c286d818 (diff)
Add Kerberos
-rw-r--r-- docs/sysadmin/iam/kerberos/index.md | 32
1 file changed, 32 insertions(+), 0 deletions(-)
diff --git a/docs/sysadmin/iam/kerberos/index.md b/docs/sysadmin/iam/kerberos/index.md
index 4ad8504..88f3f37 100644
--- a/docs/sysadmin/iam/kerberos/index.md
+++ b/docs/sysadmin/iam/kerberos/index.md
@@ -1 +1,33 @@
# Kerberos
+
+Kerberos is a protocol to securely authenticate, encrypt, and do single-sign-on
+over an insecure network.
+
+It is widely used to provide authentication in addition to LDAP which provides
+a user information directory in organizations.
+
+It is not widely used on the Internet because Kerberos requires a strict time
+sync between the server (KDC) and client. Other similar SSO protocols are
+preferred on the world-wide-web, for example, OAuth.
+
+Kerberos mutually authenticates the application server (AS, e.g. a HTTP server)
+and the user, within a realm, through a ticket-based system, ensuring that the
+user's raw credentials are never sent across the network.
+
+Kerberos is extremely complicated, and this is probably another reason why it is
+not widely adopted except for enterprise senarios. To mutually authenticate a
+user, Kerberos exchanges lots of messages between the client, the key distribution
+server (KDC), and the application server (AS). For the complete authentication
+process, watch
+[youtube.com/watch?v=5N242XcKAsM](https://www.youtube.com/watch?v=5N242XcKAsM).
+It is a very good video at explaining Kerberos.
+
+The protocol must explicit support Kerberos authentication (a.k.a. "Kerberize").
+Fortunately, many common protocols today do support Kerberos: LDAP, SSH, IMAP,
+HTTP, etc. However, Kerberized IMAP are so rare that there are only few clients
+supporting them. This differs from TLS which is transparent to the L5 protocol.
+
+As an open protocol, multiple implementations exist.
+[Active Directory](../adds/index.md) is the most widely used implementation
+today, arguably the only one. The [MIT Krb5](mit.md) is an open-source reference
+implementation of Kerberos, and it is very lightweight.
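Review bot: The abbreviation "AS" is attached to "application server" twice in this hunk ("the application server (AS, e.g. a HTTP server)" and "the application server (AS)"), but in Kerberos terminology AS is the Authentication Service, the part of the KDC that issues the ticket-granting ticket, so a reader who then opens the MIT documentation will be confused; suggest dropping the abbreviation and writing "application server" or "service" in both places. In the same paragraph, "Kerberos exchanges lots of messages between the client, the key distribution server (KDC), and the application server (AS)" would read better as "key distribution center (KDC)", which is what the acronym expands to. Smaller wording points: "The protocol must explicit support Kerberos authentication" should be "must explicitly support"; "enterprise senarios" should be "scenarios"; "Kerberized IMAP are so rare that there are only few clients supporting them" should be "is so rare that only a few clients support it"; "a HTTP server" should be "an HTTP server". The last paragraph says Active Directory is "arguably the only one" implementation and then names MIT Krb5 as another in the next sentence; suggest "the most widely deployed" and dropping "arguably the only one". Finally, the opening sentence says Kerberos is a protocol to "encrypt"; it authenticates and establishes session keys, but protecting application data with those keys is up to the Kerberized protocol (e.g. via GSSAPI), so "authenticate and establish session keys" would be more precise.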