Kerberos is a network authentication protocol designed to allow nodes, communicating over a non-secure network, to prove their identity to one another in a secure manner.
Questions tagged [kerberos]
152 questions
37 votes, 5 answers
Why do I need Kerberos when I could just use a username and password to access services?
I have read that Kerberos is used for authenticating users who wish to access services on various servers in an enterprise network, but I still do not understand the purpose of Kerberos. Why doesn't the system admin just create a user account for…
Minaj
28 votes, 2 answers
Kerberos vs. LDAP for authentication -- which one is more secure?
Can anyone describe/outline the relative merits of using Kerberos or LDAP for authentication in a large heterogeneous environment?
And can we switch between them transparently?
Ijaz Ahmad
16 votes, 2 answers
Kerberos authentication over the public internet
What are the threats to having the KDC accessible via the internet for remote clients?
It's my understanding that the authentication is a challenge/response protocol and that the password is never transmitted. Are brute force attacks the reason…
Richard Salts
15 votes, 2 answers
Does the Kerberos KDC know the users' plaintext passwords?
In http://www.freebsd.org/doc/handbook/kerberos5.html section 15.7.8.3 “The KDC is a Single Point of Failure” you can read:
By design, the KDC must be as secure as the master password database is contained on it. The KDC should have absolutely no…
mgd
13 votes, 1 answer
SAML and Kerberos: what to use where
I came across SAML and Kerberos; both are used to establish identity using assertions (tickets), so is there an overlap in their use?
Can somebody highlight their differences and point out which technology is a better fit where?
Thanks.
Update to add…
mzzzzb
12 votes, 1 answer
Are there any reasons for Kerberos being based on symmetric cryptography?
Kerberos is an authentication protocol that is famously built using only symmetric ciphers.
As a direct result of this, there are several attacks possible, such as
AS-REP Roasting
AS-REQ Roasting
Kerberoasting
Silver Tickets
Golden Tickets
While…
user163495
9 votes, 2 answers
Preventing LSASS from storing clear-text passwords in Kerberos environment
It is a well known security risk that LSASS stores clear-text passwords if a user has performed a keyboard-interactive logon on a machine - be it local login to his/her workstation or using RDP to a remote workstation.
There is also a classic fix to…
Konrads
9 votes, 2 answers
What's the difference between RADIUS and Kerberos?
Is RADIUS just a better version of Kerberos? I can't find anything about this.
If you set up a RADIUS server in a modern network, do you need Kerberos at all?
User104163
8 votes, 1 answer
Kerberos Attacks Questions
It's amazing how many "Attacks on Kerberos" articles exist out there, and almost none of them really explain the small details.
My guess is that they usually assume it's basic knowledge, and sometimes they just don't know enough.
Anyway, here are the…
Trigosin Darom
7 votes, 1 answer
Relative merits of Heimdal and MIT Kerberos?
What are the relative advantages of Heimdal and MIT Kerberos now that MIT is freely exportable?
Ones I've come across so far that might be relevant to my particular project are that it seems MIT supports constrained delegation in the GSS-API layer and…
armb
7 votes, 2 answers
Implications of having a service account in AD use RC4 rather than AES for Kerberos?
Bear with me, I know this is sloppy, but here is the back story:
We have a partner that uses Jira and is using SPNEGO with a custom auth back-end that expects certain group membership in the token. Assuming the presented token meets the…
MDMarra
7 votes, 1 answer
Connecting via SPNEGO/Kerberos out from domain
Is it possible to authenticate to a SPNEGO/Kerberos server in domain A with an account from the same domain (obviously) when the client is connecting from a computer in one of the following (quite similar) situations:
client is authenticated to domain…
Pavel Horal
7 votes, 2 answers
Kerberos - what can an attacker achieve from a replay attack?
On the last step of Kerberos, the client sends the target server a ticket and an authenticator. One of the authenticator's parts is a timestamp. The timestamp is said to prevent replay attacks, as the server can verify a message is fresh, and that…
hmmm...
6 votes, 3 answers
Is SESAME really used in Europe?
I am looking at a text that mentions that the Secure European System for Applications in a Multi-vendor Environment (SESAME) was designed to address some of Kerberos' weaknesses, with enhancements such as:
Use of asymmetric cryptography
Distributed…
ixe013
6 votes, 2 answers
Can a Kerberos application server offer to proxy connections to the KDC?
As I understand it, when a client wants to authenticate to an application server using Kerberos it must first request a service ticket from the KDC (and possibly a ticket-granting-ticket if it does not already have one). For scenarios where the…
9072997