path: root/docs/sysadmin/iam/kerberos/index.md
blob: 88f3f37449ecd48a678bb33984ca5050207c7f03 (plain)
# Kerberos

Kerberos is a protocol for secure authentication, encryption, and single sign-on
over an insecure network.

In organizations it is widely used to provide authentication alongside LDAP,
which provides the user information directory.

It is not widely used on the Internet because Kerberos requires strict time
synchronization between the server (KDC) and the client. Other SSO protocols,
for example OAuth, are preferred on the World Wide Web.

Kerberos mutually authenticates the application server (AS, e.g. an HTTP server)
and the user within a realm through a ticket-based system, ensuring that the
user's raw credentials are never sent across the network.

Kerberos is extremely complicated, and this is probably another reason why it is
not widely adopted outside enterprise scenarios. To mutually authenticate a
user, Kerberos exchanges many messages between the client, the Key Distribution
Center (KDC), and the application server (AS). For the complete authentication
process, watch
[youtube.com/watch?v=5N242XcKAsM](https://www.youtube.com/watch?v=5N242XcKAsM).
It explains Kerberos very well.
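To make the exchange described above concrete, here is an added toy model of the three Kerberos exchanges (AS-REQ/AS-REP, TGS-REQ/TGS-REP, AP-REQ/AP-REP). It is not code from this page nor from any Kerberos implementation: the realm `EXAMPLE.ORG`, the principals `alice` and `HTTP/www.example.org`, the `MAX_SKEW` and `LIFETIME` values and the hash-based toy cipher are all constructed, and pre-authentication is omitted. It shows why the password never crosses the network (the client proves it by decrypting AS-REP under a locally derived key), why the application server needs no KDC round trip (only its own keytab key), and where the strict time-sync requirement from the earlier paragraph comes from (the authenticator timestamp check).

```python
"""Toy model of the Kerberos AS, TGS and AP exchanges (constructed; not RFC 4120's format or ciphers)."""
import hashlib
import hmac
import json
import os
import secrets

MAX_SKEW = 300    # seconds; an authenticator outside this window is rejected (constructed value)
LIFETIME = 36000  # ticket lifetime in seconds (constructed value)

def derive_key(password: str, salt: str) -> bytes:
    """Long-term key from a password (real Kerberos uses PBKDF2 per RFC 3962; toy parameters here)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 10_000)

def seal(key: bytes, obj: dict) -> str:
    """Toy authenticated encryption: SHAKE keystream XOR plus an HMAC tag, hex-encoded."""
    data = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, hashlib.shake_256(key + nonce).digest(len(data))))
    return (nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()).hex()

def unseal(key: bytes, blob_hex: str) -> dict:
    """Inverse of seal(); fails closed when the key is wrong or the message was altered."""
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("decryption failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, hashlib.shake_256(key + nonce).digest(len(ct)))))

def check_authenticator(auth: dict, user: str, now: int) -> None:
    """Authenticators carry the sender's clock; this is where strict time sync is enforced."""
    if auth["user"] != user:
        raise ValueError("authenticator principal does not match ticket")
    if abs(now - auth["ts"]) > MAX_SKEW:
        raise ValueError("clock skew too great")

class KDC:
    def __init__(self, realm: str, now: int):
        self.realm, self.now = realm, now       # the KDC keeps its own clock
        self.keys = {}                          # principal -> long-term key
        self.tgs_key = secrets.token_bytes(32)  # key of the ticket-granting service
    def add_principal(self, name: str, password: str) -> bytes:
        self.keys[name] = derive_key(password, self.realm + name)
        return self.keys[name]                  # a service keeps this in its keytab
    def as_exchange(self, user: str) -> str:
        """AS-REQ/AS-REP: session key and TGT, sealed under the user's long-term key."""
        sk = secrets.token_bytes(32).hex()
        tgt = seal(self.tgs_key, {"user": user, "key": sk, "exp": self.now + LIFETIME})
        return seal(self.keys[user], {"key": sk, "tgt": tgt})
    def tgs_exchange(self, tgt_hex: str, auth_hex: str, service: str) -> str:
        """TGS-REQ/TGS-REP: TGT plus authenticator in, service ticket out."""
        tgt = unseal(self.tgs_key, tgt_hex)
        sk = bytes.fromhex(tgt["key"])
        check_authenticator(unseal(sk, auth_hex), tgt["user"], self.now)
        svc_key = secrets.token_bytes(32).hex()
        ticket = {"user": tgt["user"], "key": svc_key, "exp": self.now + LIFETIME}
        return seal(sk, {"key": svc_key, "ticket": seal(self.keys[service], ticket)})

def client_login(kdc: KDC, user: str, password: str) -> dict:
    """The client derives the key locally and opens AS-REP; the password never leaves the host."""
    rep = unseal(derive_key(password, kdc.realm + user), kdc.as_exchange(user))
    return {"user": user, "sk": bytes.fromhex(rep["key"]), "tgt": rep["tgt"]}

def client_get_ticket(kdc: KDC, creds: dict, service: str, client_now: int) -> dict:
    """Present the TGT plus a fresh authenticator stamped with the client's own clock."""
    auth = seal(creds["sk"], {"user": creds["user"], "ts": client_now})
    rep = unseal(creds["sk"], kdc.tgs_exchange(creds["tgt"], auth, service))
    return {"user": creds["user"], "svc_key": bytes.fromhex(rep["key"]), "ticket": rep["ticket"]}

def service_accept(service_key: bytes, ticket_hex: str, auth_hex: str, now: int) -> tuple:
    """AP-REQ at the application server: only its keytab key is needed, no KDC round trip.
    Returns (user, AP-REP); AP-REP echoes the timestamp under the session key for mutual auth."""
    ticket = unseal(service_key, ticket_hex)
    if ticket["exp"] < now:
        raise ValueError("ticket expired")
    sk = bytes.fromhex(ticket["key"])
    auth = unseal(sk, auth_hex)
    check_authenticator(auth, ticket["user"], now)
    return ticket["user"], seal(sk, {"ts": auth["ts"]})

def demo(now: int = 1_700_000_000) -> dict:
    """Full flow for a constructed realm, plus the two failure modes the text describes."""
    kdc = KDC("EXAMPLE.ORG", now)
    kdc.add_principal("alice", "correct horse battery")
    http_key = kdc.add_principal("HTTP/www.example.org", secrets.token_hex(16))
    creds = client_login(kdc, "alice", "correct horse battery")
    st = client_get_ticket(kdc, creds, "HTTP/www.example.org", now)
    auth = seal(st["svc_key"], {"user": "alice", "ts": now})
    user, ap_rep = service_accept(http_key, st["ticket"], auth, now)
    out = {"user": user, "mutual_ok": unseal(st["svc_key"], ap_rep)["ts"] == now}
    try:
        client_login(kdc, "alice", "wrong password"); out["bad_password"] = "accepted"
    except ValueError as e:
        out["bad_password"] = str(e)
    try:  # client clock 10 minutes ahead of the KDC
        client_get_ticket(kdc, creds, "HTTP/www.example.org", now + 600); out["skew"] = "accepted"
    except ValueError as e:
        out["skew"] = str(e)
    return out

if __name__ == "__main__":
    print(demo())
```

Calling `demo()` returns the authenticated principal, whether the client could verify AP-REP (mutual authentication), and the two rejections: a wrong password fails locally because AS-REP cannot be decrypted, and a client whose clock is ten minutes off is rejected at the TGS with a skew error, which is exactly the behaviour that forces tight time synchronization in real deployments.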

A protocol must explicitly support Kerberos authentication (it must be
"Kerberized"). Fortunately, many common protocols today do support Kerberos:
LDAP, SSH, IMAP, HTTP, etc. However, Kerberized IMAP is so rare that only a few
clients support it. This differs from TLS, which is transparent to the L5
protocol it carries.

As an open protocol, Kerberos has multiple implementations.
[Active Directory](../adds/index.md) is the most widely used implementation
today, arguably the only one in widespread use. [MIT Krb5](mit.md) is the
open-source reference implementation of Kerberos, and it is very lightweight.