
Explain like I’m 5: Kerberos (2013) - minisys
http://www.roguelynn.com/words/explain-like-im-5-kerberos/
======
sur5r
Seems like no one remembers
[https://web.mit.edu/kerberos/dialogue.html](https://web.mit.edu/kerberos/dialogue.html)
anymore...?

~~~
pishpash
This is a very nice exposition of the problem statement. However --

"Athena: You could solve the problem clumsily by requiring the mail server to
ask for a password before I could use it. I prove who I am to the server by
giving it my password.

Euripides: That's clumsy all right. In a system like that, every server has to
know your password. If the network has one thousand users, each server has to
know one thousand passwords. If you want to change your password, you have to
contact all servers and notify them of the change. I take it your system isn't
this stupid."

-- if this isn't a problem for you, as it isn't (or can't really be worked
around) on a decentralized network like the internet, then Kerberos seems like
an over-engineered marvel for a bygone era. For a closed intranet though, like
universities or corporate networks, Kerberos is still around.

~~~
fusiongyro
Kerberos 5 is somewhat distributed—"realms" loosely map to domains. Kerberos's
architecture is very similar to Shibboleth, which is web-based and has a
certain level of popularity.

~~~
user5994461
Shibboleth is SAML.

------
emmelaich
This is a great high level guide but not _so_ useful when it comes to setting
up Kerberos.

Some of the typical issues are:

1. ensuring time synchronisation
2. dealing with the woeful error messages from Kerberos and AD
3. configuring Firefox to do Kerberos auth
4. tweaking Windows AD and Gpol/Registry to allow or disallow certain algo strengths
5. ensuring names (host and principal and server) agree precisely (including case) between the ticket and the AD attributes and various config files
6. dealing with bugs and other incompatibilities in Windows (e.g. ktpass) and Linux/Unix implementations (thankfully mostly historical now)
7. firewalls (host and network)

I really should write these up in more detail but in the meantime probably
the best docs can be found on the official Kerberos site and within MS
TechNet.

~~~
gerdesj
Absolutely. I have a maxim - "Time and DNS - come back when both are fixed"

Nowadays good sources of time are "free" - use them. If you can't manage your
DNS then hand in your nerd card. You should have A->PTR->A record sorted. The
Windows DNS and DHCP make this embarrassingly easy to get right. Be careful
about using OpenDNS and co which will happily respond to incorrect queries
with their own IP addresses.

For docs on using krb and Samba and co. see Gentoo and Arch wikis - lots of
info there.
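
An added example, written for this thread rather than taken from any commenter, that checks the two prerequisites gerdesj and emmelaich name: clock skew within the KDC's tolerance and A -> PTR -> A agreement including case. It assumes MIT krb5's default 300-second `clockskew` and replaces the live resolver with a constructed lookup table (made-up names and addresses) so it runs offline.

```python
"""Pre-flight checks for Kerberos's two classic killers: time and DNS."""
from typing import Callable

MAX_CLOCK_SKEW = 300  # seconds; MIT krb5's default 'clockskew' in [libdefaults]

def clock_skew_ok(client_epoch: float, kdc_epoch: float, max_skew: int = MAX_CLOCK_SKEW) -> bool:
    """A KDC rejects requests whose timestamp is further than max_skew from its own clock."""
    return abs(client_epoch - kdc_epoch) <= max_skew

def check_a_ptr_a(host: str, forward: Callable[[str], list], reverse: Callable[[str], list]) -> list:
    """Return the problems in the host -> A -> PTR -> A round trip (empty list means OK).
    DNS compares names case-insensitively, but Kerberos principals use them verbatim,
    so a PTR that differs from the queried name only in case is reported as well."""
    problems = []
    addrs = forward(host)
    if not addrs:
        return [f"{host}: no A record"]
    for addr in addrs:
        ptrs = reverse(addr)
        if not ptrs:
            problems.append(f"{addr}: no PTR record")
            continue
        for ptr in ptrs:
            if ptr.lower() != host.lower():
                problems.append(f"{addr}: PTR {ptr} does not match {host}")
            elif ptr != host:
                problems.append(f"{addr}: PTR {ptr} differs from {host} only in case")
            if set(forward(ptr)) != set(addrs):
                problems.append(f"{ptr}: A records differ from those of {host}")
    return problems

# Constructed fixture standing in for a live resolver (made-up names and addresses).
# Keys are lower-cased because DNS lookups themselves are case-insensitive.
FORWARD = {
    "kdc.example.test": ["192.0.2.10"],
    "files.example.test": ["192.0.2.20"],
    "web.example.test": ["192.0.2.30"],
    "old-web.example.test": ["192.0.2.30"],
}
REVERSE = {
    "192.0.2.10": ["kdc.example.test"],
    "192.0.2.20": ["FILES.example.test"],    # PTR spelled with different case than the A name
    "192.0.2.30": ["old-web.example.test"],  # stale PTR left behind after a rename
}

def forward_lookup(name: str) -> list:
    return FORWARD.get(name.lower(), [])

def reverse_lookup(addr: str) -> list:
    return REVERSE.get(addr, [])
```

Swap `forward_lookup`/`reverse_lookup` for real resolver calls (e.g. `socket.gethostbyname_ex` and `socket.gethostbyaddr`) to run it against an actual zone.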

~~~
TeMPOraL
> _If you can't manage your DNS then hand in your nerd card._

Here you go :(.

    
    
       +---------------------------------------------------+
       |                  NERD CARD                        |
       | ISSUED: 1988                 LOCATION: INTERWEBZ  |
       |                                                   |
       |  This is to certify the card holder,              |
       |                                                   |
       |                   TeMPOraL                        |
       |   _____________________________________________   |
       |                                                   |
       |   is a certified Nerd of                          |
       |                                                   |
       |   [x] space                  [ ] cryptography     |
       |   [x] programming            [ ] literature       |
       |   [ ] networking             [ ] language         |
       |                                                   |
       +---------------------------------------------------+
    

I do intend to take it back though. Any hints on good sources to grok DNS?

~~~
chousuke
At what level do you want to understand things? I feel that getting the basics
is best done by trying it out yourself, though a badly configured public
server can be used to attack other people, so be mindful of who has access to
your server when you're trying things out. If you just want the theory,
Wikipedia is a pretty good resource for technical things.

If you just want to see how DNS works, set up a server yourself. You could
start with a simple caching one like unbound, and then get yourself a domain
and set up a real server (e.g. nsd or bind) for that. You could for example use
Hurricane Electric's free DNS service as your main nameservers and make use of
zone transfers and notifications to keep things up-to-date from your local
server, giving you a small-scale "real-world" DNS setup.

~~~
VexorLoophole
And what if I somehow landed a job at a small office without any expert
knowledge (only from tinkering with my own Unix machines for years) and now
I need to set up a simple DNS in a virtual machine of ours?

We have all clients in one network. So I really need only a simple DNS without
any complex setup. But sadly I can't find any good tutorial on what I have to
expect and be aware of. All I can find are some three-line tutorials (do this
and then this and here you go, now you have a DNS), but not more. Can't you
point me to some good guide?

~~~
icebraining
dnsmasq is simple enough. If you just need to define some local names, you can
literally just install it and configure those addresses in /etc/hosts on the
same machine. The server will pick them up automatically and serve them as A
records.

------
i2shar
I am also a fan of this very practical Hadoop/Kerberos guide
[https://steveloughran.gitbooks.io/kerberos_and_hadoop/conten...](https://steveloughran.gitbooks.io/kerberos_and_hadoop/content/)

~~~
loopbit
I was going to mention the same guide. Not only has it been really helpful, but
the Kerberos/Lovecraft analogies are also spot on. Also, it has the best
introduction I've ever read in a technical manual:

 _When HP Lovecraft wrote his books about forbidden knowledge which would
reduce the reader to insanity, of "Elder Gods" to whom all of humanity were a
passing inconvenience, most people assumed that he was making up a fantasy
world. In fact he was documenting Kerberos._

 _What is remarkable is that he did this fifty years before kerberos was
developed. This makes him less of an author, instead: a prophet._

 _What he wrote was true: there are some things humanity was not meant to
know. Most people are better off living lives of naive innocence, never having
to see an error message about SASL or GSS, never fear building up scripts of
incantations to kadmin.local, incantations which you hope to keep evil and
chaos away. To never stare in dismay at the code whose true name must never be
spoken, but instead its initials whispered, "UGI". For those of us who have
done all this, our lives are forever ruined. From now on we will cherish any
interaction with a secure Hadoop cluster —from a client application to HDFS,
or application launch on a YARN cluster, and simply viewing a web page in a
locked down web UI —all as a miracle against the odds, against the forces of
chaos struggling to destroy order. And forever more, we shall fear those
voices calling out to us in the night, the machines by our bed talking to us,
saying things like "we have an urgent support call related to REST clients on
a remote kerberos cluster —can you help?"_

------
Instructor
ELI5 Kerberos:

When you go to an arcade or carnival, there are many people playing many games
and it can be hard to make sure everyone gets to play how much they paid. So
you get a ticket from the ticket booth, take it to the game you want to play,
put it in, and play! If you don't pay, you won't get a ticket. Without a
ticket, you can't play. So even though the games don't use money directly,
they know that your ticket means you paid. Other kids can't steal your tickets
because when you buy them, the ticket guy prints your fingerprint on each one!

Sometimes, adults like to make work into games too. So they make tickets for
using their computers and they get those tickets at the Kerberos booth.

------
m-j-fox
ELI5? This is at least a 3rd-grade reading level, and I mean at least.

I've looked into Kerberos before. Who hasn't looked into Kerberos is the IT
department at my day job. You can walk up to an open Ethernet jack, declare
yourself root and access anyone's NFS.

Don't worry. All we make is security processors, the things that do the bulk
encryption for the internet. No problem. Leave that source code flapping in
the wind.

~~~
semi-extrinsic
To be fair, the first paragraph goes

"While this topic probably can not be explained to a 5 year-old and be
understood, this is my attempt at defragmenting documentation"

Regarding the unsecured network jack problem, I once saw it "fixed" at
$large_oil_company by using stickers above all the Ethernet jacks saying in
angry letters "It is forbidden to connect non-$company machines!".

------
locacorten
I understand that "signing-in with Facebook/Google/Twitter" is done using
OAuth or OpenID Connect.

Why is Kerberos insufficient to solve the sign-in problem that we had to
invent new protocols?

~~~
youdontknowtho
Kerberos doesn't work through NAT, for one. (I think that there might have
been an extension, but it never took off.)

OpenID Connect will support the more complicated "delegation" scenarios that
Kerberos enabled. Think, authentication across multiple service boundaries.
That kind of thing.

~~~
tjohns
Kerberos absolutely works through NAT.

I used it to connect to campus servers back in college, through my home NAT.

There is an optional field in the Kerberos ticket that can contain your client
address, as an additional point of validation to prevent certain classes of
replay attack. That particular feature can conflict with NATs. But it's
optional.

~~~
youdontknowtho
Touché. As one other commenter pointed out, it's naming that can be difficult
with NAT and that can break Kerberos. Good point.

------
ewams
My favorite when talking Kerberos back in school days - the "Ticket Granting
Ticket". Which the author goes over. Love me some ticket granting tickets!

------
vog
Curious question: Where is Kerberos actively used today?

I remember there was a general disinterest even back when Kerberos was still a
thing ...

~~~
jsiepkes
Microsoft Active Directory (ADS) uses Kerberos for single sign on. As soon as
you log in to a domain you get a Kerberos ticket. So it's actually quite
widespread.

~~~
emmelaich
Yes, I have set up Java and Apache servers to do authentication with Kerberos.
The support is quite mature now. The only hassles tend to be with the Windows
servers and PCs deprecating weaker algorithms, which requires tweaking krb5.conf
and occasionally digging into AD attributes.

~~~
raarts
Could you recommend some good sources for this?

------
Spooky23
Kerberos is awesome and reliable. But when it breaks, it's the worst!

~~~
youdontknowtho
This and double this.

------
technimad
A video explaining Kerberos which could be understood by a 5yo
[https://vimeo.com/150247674](https://vimeo.com/150247674)

------
dewiz
OT: Is there an ELI5aaS (explain-like-I'm-5-as-a-Service)?

~~~
seangrogg
[https://www.reddit.com/r/explainlikeimfive/](https://www.reddit.com/r/explainlikeimfive/)

------
dwighttk
Clickbait... "Explain like I'm 5... this topic probably can not be explained
to a 5 year-old"

------
pathsjs
Definitely not ELI5

