40.0 Network Authentication—Kerberos
An open network provides no means beyond conventional passwords for a
workstation to identify its users reliably. In common installations, the
user must enter a password each time a service inside the network is
accessed. Kerberos provides an authentication method with which a user
authenticates once and is then trusted throughout the network until the
issued credentials expire, normally for the rest of the session. To have a
secure network, the following requirements must be met:
- Have all users prove their identity for each desired service and make
  sure that no one can assume the identity of someone else.
- Make sure that each network server also proves its identity. Otherwise an
  attacker could impersonate the server and obtain sensitive information the
  client transmits to it. This concept is called mutual authentication,
  because the client authenticates to the server and the server
  authenticates to the client.
Kerberos meets these requirements with cryptographic authentication: every
user and service shares a secret key with a trusted third party, the Key
Distribution Center (KDC), which issues encrypted tickets that let clients
and servers prove their identity to each other without sending passwords
over the network. The following sections show how this is achieved. Only
the basic principles of Kerberos are discussed here; for detailed technical
instructions, refer to the documentation provided with your implementation
of Kerberos.
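As an added illustration of the two requirements above (this is example code written for this edit, not part of the original documentation, and not the real Kerberos message formats or encryption types), the following Python sketch simulates the exchange: a trusted third party holding every principal's long-term key issues a ticket and a session key, the client proves its identity with the ticket plus a timestamped authenticator, and the genuine service proves its identity by echoing that timestamp under the session key, which a rogue server without the service key cannot do. The principal names, the HMAC-based cipher standing in for Kerberos encryption, and the collapsing of the AS and TGS exchanges into a single ticket request are all simplifications assumed for this example.

```python
"""Toy Kerberos-style mutual authentication; constructed illustration, not real Kerberos."""
import hashlib, hmac, json, os, secrets, time

def _subkeys(key):
    """Derive separate encryption and MAC keys from one long-term or session key."""
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def _keystream(key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object (stand-in for a Kerberos encryption type)."""
    ek, mk = _subkeys(key)
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(ek, nonce, len(pt))))
    return nonce + ct + hmac.new(mk, nonce + ct, hashlib.sha256).digest()

def open_(key, blob):
    """Verify and decrypt; raises ValueError on a wrong key or tampering."""
    ek, mk = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mk, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(ek, nonce, len(ct)))))

class KDC:
    """Trusted third party that shares a long-term key with every principal."""
    def __init__(self):
        self.keys = {}

    def register(self, principal):
        self.keys[principal] = secrets.token_bytes(32)
        return self.keys[principal]

    def request_ticket(self, client, service, lifetime=300):
        """Simplified: the AS and TGS exchanges are collapsed into one request."""
        session_key, expires = secrets.token_bytes(32).hex(), int(time.time()) + lifetime
        ticket = seal(self.keys[service], {"client": client, "key": session_key, "expires": expires})
        reply = seal(self.keys[client], {"service": service, "key": session_key, "expires": expires})
        return reply, ticket

class Service:
    """Genuine server: holds the service key, so it can open tickets."""
    def __init__(self, key, skew=300):
        self.key, self.skew, self.seen = key, skew, set()

    def handle_ap_req(self, ticket, authenticator):
        t, now = open_(self.key, ticket), int(time.time())
        if t["expires"] < now:
            raise ValueError("ticket expired")
        session_key = bytes.fromhex(t["key"])
        a = open_(session_key, authenticator)
        if a["client"] != t["client"]:
            raise ValueError("authenticator does not match ticket")
        if abs(now - a["timestamp"]) > self.skew:
            raise ValueError("authenticator outside allowed clock skew")
        if (a["client"], a["timestamp"]) in self.seen:
            raise ValueError("replayed authenticator")
        self.seen.add((a["client"], a["timestamp"]))
        # Mutual authentication: only a holder of the service key could have
        # recovered the session key needed to echo the client's timestamp.
        return seal(session_key, {"timestamp": a["timestamp"]})

class Impostor:
    """Rogue server without the service key: cannot open the ticket."""
    def handle_ap_req(self, ticket, authenticator):
        return seal(secrets.token_bytes(32), {"timestamp": 0})

class Client:
    def __init__(self, name, key, kdc):
        self.name, self.key, self.kdc = name, key, kdc

    def authenticate(self, service_name, server):
        """True only if the server proved it holds the service key."""
        reply, ticket = self.kdc.request_ticket(self.name, service_name)
        session_key = bytes.fromhex(open_(self.key, reply)["key"])
        ts = int(time.time())
        authenticator = seal(session_key, {"client": self.name, "timestamp": ts})
        response = server.handle_ap_req(ticket, authenticator)
        return open_(session_key, response)["timestamp"] == ts

def demo():
    """Genuine service passes; the impostor fails the mutual-authentication check."""
    kdc = KDC()
    alice = Client("alice", kdc.register("alice"), kdc)
    http = Service(kdc.register("http/www.example.com"))
    genuine = alice.authenticate("http/www.example.com", http)
    try:
        alice.authenticate("http/www.example.com", Impostor())
        rogue = True
    except ValueError:
        rogue = False
    return genuine, rogue
```

Running `demo()` returns `(True, False)`: the client accepts the genuine service and raises on the impostor, because the rogue server never learned the session key inside the ticket. The service-side checks (ticket lifetime, client name in authenticator matching the ticket, clock skew, and a replay cache of seen authenticators) are the ones a real Kerberos application server performs, which is also why Kerberos deployments require synchronized clocks.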