| field | value | date |
|---|---|---|
| author | Yuuta Liang <yuuta@yuuta.moe> | 2023-11-16 17:49:48 -0800 |
| committer | Yuuta Liang <yuuta@yuuta.moe> | 2023-11-16 17:49:48 -0800 |
| commit | ad221e5ef7d428fae94c7144f40d7bddc7c39109 (patch) | |
| tree | e9b67bba61bf58b61875b79efd520bbfb48d27bd | |
| parent | d3d5848a5f6d0a4d55f194972a158795c286d818 (diff) | |
Add Kerberos
-rw-r--r-- | docs/sysadmin/iam/kerberos/index.md | 32 |
1 files changed, 32 insertions, 0 deletions
diff --git a/docs/sysadmin/iam/kerberos/index.md b/docs/sysadmin/iam/kerberos/index.md index 4ad8504..88f3f37 100644 --- a/docs/sysadmin/iam/kerberos/index.md +++ b/docs/sysadmin/iam/kerberos/index.md @@ -1 +1,33 @@ # Kerberos + +Kerberos is a protocol to securely authenticate, encrypt, and do single-sign-on +over an insecure network. + +It is widely used to provide authentication in addition to LDAP which provides +a user information directory in organizations. + +It is not widely used on the Internet because Kerberos requires a strict time +sync between the server (KDC) and client. Other similar SSO protocols are +preferred on the world-wide-web, for example, OAuth. + +Kerberos mutually authenticates the application server (AS, e.g. a HTTP server) +and the user, within a realm, through a ticket-based system, ensuring that the +user's raw credentials are never sent across the network. + +Kerberos is extremely complicated, and this is probably another reason why it is +not widely adopted except for enterprise senarios. To mutually authenticate a +user, Kerberos exchanges lots of messages between the client, the key distribution +server (KDC), and the application server (AS). For the complete authentication +process, watch +[youtube.com/watch?v=5N242XcKAsM](https://www.youtube.com/watch?v=5N242XcKAsM). +It is a very good video at explaining Kerberos. + +The protocol must explicit support Kerberos authentication (a.k.a. "Kerberize"). +Fortunately, many common protocols today do support Kerberos: LDAP, SSH, IMAP, +HTTP, etc. However, Kerberized IMAP are so rare that there are only few clients +supporting them. This differs from TLS which is transparent to the L5 protocol. + +As an open protocol, multiple implementations exist. +[Active Directory](../adds/index.md) is the most widely used implementation +today, arguably the only one. The [MIT Krb5](mit.md) is an open-source reference +implementation of Kerberos, and it is very lightweight. |
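Review bot: the added text abbreviates "application server" as "AS" ("application server (AS, e.g. a HTTP server)"), but in Kerberos AS is the standard name for the Authentication Service inside the KDC (the AS-REQ/AS-REP exchange), so the later sentence "exchanges lots of messages between the client, the key distribution server (KDC), and the application server (AS)" reads as if the KDC and one of its own components were separate parties; suggest spelling out "application server" (or "service") and leaving AS and TGS for the KDC components. The same paragraph should also be corrected for wording: "senarios" to "scenarios", "must explicit support" to "must explicitly support", "Kerberized IMAP are so rare" to "Kerberized IMAP is so rare", and "a HTTP server" to "an HTTP server". Finally, "the most widely used implementation today, arguably the only one" is contradicted by the very next sentence introducing MIT Krb5; "arguably the dominant one" would be consistent with the rest of the page.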