Questions tagged [kerberos]

Kerberos is a network authentication protocol designed to allow nodes, communicating over a non-secure network, to prove their identity to one another in a secure manner.

152 questions
37
votes
5 answers

Why do I need Kerberos when I could just use a username and password to access services?

I have read that Kerberos is used for authenticating users who wish to access services on various servers in an enterprise network, but I still do not understand the purpose of Kerberos. Why doesn't the system admin just create a user account for…
Minaj
28
votes
2 answers

Kerberos vs. LDAP for authentication -- which one is more secure

Can anyone describe/outline the relative merits of using Kerberos or LDAP for authentication in a large heterogeneous environment? And can we switch between them transparently?
Ijaz Ahmad
16
votes
2 answers

Kerberos authentication over the public internet

What are the threats to having the KDC accessible via the internet for remote clients? It's my understanding that the authentication is a challenge/response protocol and that the password is never transmitted. Are brute force attacks the reason…
Richard Salts
15
votes
2 answers

Does the Kerberos KDC know the users' plaintext passwords?

In http://www.freebsd.org/doc/handbook/kerberos5.html section 15.7.8.3 “The KDC is a Single Point of Failure” you can read: By design, the KDC must be as secure as the master password database that is contained on it. The KDC should have absolutely no…
mgd
13
votes
1 answer

SAML and Kerberos: what to use where

I came across SAML and Kerberos; both are used to establish identity using assertions (tickets), so is there an overlap in their use? Can somebody highlight their differences and point out which technology is a better fit where. Thanks. Update to add…
mzzzzb
12
votes
1 answer

Are there any reasons for Kerberos being based on symmetric cryptography?

Kerberos is an authentication protocol that is famously built using only symmetric ciphers. As a direct result of this, there are several attacks possible, such as AS-REP Roasting, AS-REQ Roasting, Kerberoasting, Silver Tickets and Golden Tickets. While…
user163495
9
votes
2 answers

Preventing LSASS from storing clear-text passwords in Kerberos environment

It is a well-known security risk that LSASS stores clear-text passwords if a user has performed a keyboard-interactive logon on a machine, be it a local login to his/her workstation or using RDP to a remote workstation. There is also a classic fix to…
Konrads
9
votes
2 answers

What's the difference between Radius and Kerberos?

Is RADIUS just a better version of Kerberos? I can't find anything about this. If you set up a RADIUS server in a modern network, do you need Kerberos at all?
User104163
8
votes
1 answer

Kerberos Attacks Questions

It's amazing how many "Attacks on Kerberos" articles exist out there and almost none really explain the small details. My guess is that usually they assume it's basic knowledge and sometimes they just don't know enough. Anyway, here are the…
7
votes
1 answer

Relative merits of Heimdal and MIT Kerberos?

What are the relative advantages of Heimdal and MIT Kerberos now that MIT is freely exportable? Ones I've come across so far that might be relevant to my particular project are that it seems MIT supports constrained delegation in the GSS-API layer and…
armb
7
votes
2 answers

Implications of having a service account in AD use RC4 rather than AES for Kerberos?

Bear with me, I know this is sloppy, but here is the back story: We have a partner that uses Jira and is using SPNEGO with a custom auth back-end that expects certain group membership in the token. Assuming the presented token meets the…
MDMarra
7
votes
1 answer

Connecting via SPNEGO/Kerberos out from domain

Is it possible to authenticate to a SPNEGO/Kerberos server in domain A with an account from the same domain (obviously) when the client is connecting from a computer in one of the following (quite similar) situations: the client is authenticated to domain…
Pavel Horal
7
votes
2 answers

Kerberos - what can an attacker achieve from a replay attack?

On the last step of Kerberos, the client sends the target server a ticket and an authenticator. One of the authenticator's parts is a timestamp. The timestamp is said to prevent replay attacks, as the server can verify a message is fresh, and that…
hmmm...
6
votes
3 answers

Is SESAME really used in Europe?

I am looking at a text that mentions that the Secure European System for Applications in a Multi-vendor Environment (SESAME) was designed to address some of Kerberos's weaknesses, with enhancements such as: use of asymmetric cryptography, distributed…
ixe013
6
votes
2 answers

Can a Kerberos application server offer to proxy connections to the KDC?

As I understand it, when a client wants to authenticate to an application server using Kerberos it must first request a service ticket from the KDC (and possibly a ticket-granting-ticket if it does not already have one). For scenarios where the…
9072997