NOTE: CentOS Enterprise Linux is built from the Red Hat Enterprise Linux source code. Other than logo and name changes CentOS Enterprise Linux is compatible with the equivalent Red Hat version. This document applies equally to both Red Hat and CentOS Enterprise Linux.
Chapter 19. Kerberos
System security and integrity within a network can be unwieldy.
It can occupy the time of several administrators just to keep track
of what services are being run on a network and the manner in which
these services are used. Moreover, authenticating users to network
services can prove dangerous when the method used by the protocol
is inherently insecure, as evidenced by the transfer of unencrypted
passwords over a network under the FTP and Telnet protocols.
Kerberos is a way to eliminate the need for protocols that allow
unsafe methods of authentication, thereby enhancing overall network
Kerberos, a network authentication protocol created by MIT, uses
symmetric-key cryptography to
authenticate users to network services — eliminating the need
to send passwords over the network. When users authenticate to
network services using Kerberos, unauthorized users attempting to
gather passwords by monitoring network traffic are effectively
Most conventional network services use password-based
authentication schemes. Such schemes require a user to authenticate
to a given network server by supplying their username and password.
Unfortunately, the transmission of authentication information for
many services is unencrypted. For such a scheme to be secure, the
network has to be inaccessible to outsiders, and all computers and
users on the network must be trusted and trustworthy.
Even if this is the case, once a network is connected to the
Internet, it can no longer be assumed that the network is secure.
Any attacker who gains access to the network can use a simple
packet analyzer, also known as a packet sniffer, to intercept
usernames and passwords sent in this manner, compromising user
accounts and the integrity of the entire security
The primary design goal of Kerberos is to eliminate the
transmission of unencrypted passwords across the network. If used
properly, Kerberos effectively eliminates the threat packet
sniffers would otherwise pose on a network.
Although Kerberos removes a common and severe security threat,
it may be difficult to implement for a variety of reasons:
Migrating user passwords from a standard UNIX password database,
such as /etc/passwd or /etc/shadow, to a Kerberos password database can be
tedious, as there is no automated mechanism to perform this task.
For more information, refer to question number 2.23 in the online
Kerberos has only partial compatibility with the Pluggable
Authentication Modules (PAM) system used by most Red Hat Enterprise
Linux servers. For more information about this issue, refer to
Section 19.4 Kerberos and
Kerberos assumes that each user is trusted but is using an
untrusted host on an untrusted network. Its primary goal is to
prevent unencrypted passwords from being sent across that network.
However, if anyone other than the proper user has access to the one
host that issues tickets used for authentication — called the
key distribution center (KDC) — the entire Kerberos authentication
system is at risk.
For an application to use Kerberos, its source must be modified
to make the appropriate calls into the Kerberos libraries.
Applications modified in this way are considered to be kerberized. For some applications, this can be
quite problematic due to the size of the application or its design.
For other incompatible applications, changes must be made to the
way in which the server and client side communicate. Again, this
may require extensive programming. Closed-source applications that
do not have Kerberos support by default are often the most
Kerberos is an all or nothing solution. Once Kerberos is used on
the network, any unencrypted passwords transferred to a
non-kerberized service is at risk. Thus, the network gains no
benefit from the use of Kerberos. To secure a network with
Kerberos, one must either use kerberized versions of all client/server applications which send
unencrypted passwords or not use any such
client/server applications at all.