

Explain like I'm 5: Kerberos - roguelynn
http://www.roguelynn.com/words/explain-like-im-5-kerberos/

======
jimktrains2
I still think this is the best intro I've ever gotten on Kerberos

Designing an Authentication System: a Dialogue in Four Scenes
<http://web.mit.edu/Kerberos/dialogue.html>

"This dialogue provides a fictitious account of the design of an open-network
authentication system called "Charon." As the dialogue progresses, the
characters Athena and Euripides discover the problems of security inherent in
an open network environment. Each problem must be addressed in the design of
Charon, and the design evolves accordingly. Athena and Euripides don't
complete their work until the dialogue's close.

When they finish designing the system, Athena changes the system's name to
"Kerberos," the name, coincidentally enough, of the authentication system that
was designed and implemented at MIT's Project Athena. The dialogue's
"Kerberos" system bears a striking resemblance to the system described in
Kerberos: An Authentication Service for Open Network Systems presented at the
Winter USENIX 1988, at Dallas, Texas."

------
IvyMike
How widely is Kerberos used these days?

I've worked in a handful of Unix environments in both academia and enterprise
over the last 20 years but never actually used Kerberos. (Of course 20 years
ago it was brand new, so that is at least part of it.) Is it gaining in
popularity?

(From the two minutes of searching I just did, it sounds like Windows AD is
actually based on Kerberos? If that's the case I guess it's super-widely
used.)

~~~
gchpaco
Windows AD is Kerberos based with a gratuitous compatibility breaking change
that I can't remember right now. We use Kerberos at work, and the FreeIPA
project is Kerberos based. It doesn't really come into its own until you have
many, many machines, probably at least fifty, but it isn't bad in the end. I
have had many, many problems with FreeIPA but very few are due to it using
Kerberos.

~~~
ethomson
I suspect that I'm going to get out of my depth very quickly here, but I'm not
sure what the gratuitous breaking change is that you're speaking of;
relatively recent MIT or Heimdal krb5 implementations can interop with Active
Directory with no problem that I'm aware of.

Some older implementations were lacking ciphers that Active Directory
required. If this is what you're speaking of then I wouldn't classify it as a
"breaking change", since cipher negotiation is meant to be - well -
negotiated. Its gratuitousness may be more in question, but I'm certain it was
for backward compatibility with NT Lan Manager password schemes. (Alas.)
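
The "NT Lan Manager" compatibility ethomson mentions is the rc4-hmac Kerberos encryption type (RFC 4757), whose key is simply the NT hash of the password: MD4 over the UTF-16LE password, with no salt and no iteration count. The AES enctypes (RFC 3962) instead run PBKDF2 over the password with a salt built from the realm and principal name. The following added example (written for this page, not code from the linked article or from any Kerberos implementation) derives both and shows why the difference matters for a defender: with rc4-hmac every principal sharing a password shares a key, and that key is the same value an NTLM-capable client already holds. It carries its own MD4 because OpenSSL 3 builds of Python often lack `hashlib.new("md4")`. For AES only the PBKDF2 stage is shown; the final DK step that turns that intermediate value into the working key needs AES and is omitted here. The realm and principal names are constructed sample values.

```python
import hashlib
import struct

MASK = 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), used because hashlib's md4 is often unavailable."""

    def rotl(x, n):
        return ((x << n) | (x >> (32 - n))) & MASK

    def f(x, y, z):
        return ((x & y) | ((~x) & z)) & MASK

    def g(x, y, z):
        return (x & y) | (x & z) | (y & z)

    def h(x, y, z):
        return x ^ y ^ z

    # Padding: 0x80, zeros to 56 mod 64, then the 64-bit little-endian bit length.
    bit_len = len(data) * 8
    data += b"\x80"
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r2_idx = [(i % 4) * 4 + i // 4 for i in range(16)]          # 0,4,8,12,1,5,...
    r3_idx = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    for off in range(0, len(data), 64):
        x = struct.unpack("<16I", data[off:off + 64])
        v = [a, b, c, d]
        # Each step targets register (-i) % 4, i.e. the A,D,C,B rotation of RFC 1320.
        for i in range(16):
            j = (-i) % 4
            v[j] = rotl((v[j] + f(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4])
                         + x[i]) & MASK, (3, 7, 11, 19)[i % 4])
        for i in range(16):
            j = (-i) % 4
            v[j] = rotl((v[j] + g(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4])
                         + x[r2_idx[i]] + 0x5A827999) & MASK, (3, 5, 9, 13)[i % 4])
        for i in range(16):
            j = (-i) % 4
            v[j] = rotl((v[j] + h(v[(j + 1) % 4], v[(j + 2) % 4], v[(j + 3) % 4])
                         + x[r3_idx[i]] + 0x6ED9EBA1) & MASK, (3, 9, 11, 15)[i % 4])
        a, b, c, d = ((a + v[0]) & MASK, (b + v[1]) & MASK,
                      (c + v[2]) & MASK, (d + v[3]) & MASK)
    return struct.pack("<4I", a, b, c, d)


def rc4_hmac_key(password: str) -> bytes:
    """RFC 4757 string-to-key: MD4 of the UTF-16LE password. No salt, no iterations,
    so it is byte-for-byte the NT hash the NTLM scheme stores."""
    return md4(password.encode("utf-16-le"))


def aes_pbkdf2_stage(password: str, realm: str, principal: str,
                     iterations: int = 4096) -> bytes:
    """RFC 3962 intermediate key ('tkey'): PBKDF2-HMAC-SHA1 over the password with
    the default salt realm + principal. The final DK(tkey, "kerberos") step, which
    needs AES, is omitted in this example."""
    salt = (realm + principal).encode("utf-8")
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, iterations, 32)


def compare_enctypes(password: str, realm: str, principals: list) -> tuple:
    """Returns (rc4 keys all identical, aes stages all distinct) for principals
    that happen to share one password."""
    rc4_keys = {rc4_hmac_key(password) for _ in principals}
    aes_keys = {aes_pbkdf2_stage(password, realm, p) for p in principals}
    return len(rc4_keys) == 1, len(aes_keys) == len(principals)


if __name__ == "__main__":
    # Constructed sample realm and principals; not taken from any real deployment.
    users = ["alice", "bob", "svc-backup"]
    print("rc4-hmac key for 'password':", rc4_hmac_key("password").hex())
    print("shared rc4 key / distinct aes keys:",
          compare_enctypes("password", "EXAMPLE.COM", users))
```

The practical consequence for an administrator is that permitting rc4-hmac in a realm keeps the NTLM-equivalent secret in circulation even where every client could negotiate AES; restricting the permitted and default enctypes on the KDC and in client configuration removes it, with the interoperability caveat the thread describes for older implementations.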

~~~
gchpaco
From [http://www.h5l.org/manual/HEAD/info/heimdal/Authorisation-da...](http://www.h5l.org/manual/HEAD/info/heimdal/Authorisation-data.html#Authorisation-data):

      The Windows 2000 KDC also adds extra authorisation data in tickets. It is at this point unclear what triggers it to do this. The format of this data is only available under a “secret” license from Microsoft, which prohibits you implementing it.

This makes/made? it difficult to have a Windows domain authenticate against an
existing KDC; you needed to set up an AD server and then set up cross-domain
trust relationships, which means you _must_ have a Windows server on your
network in order to support Windows AD clients.

~~~
ethomson
Very interesting. I had a similar setup in a previous life without any issues,
but the "it is at this point unclear what triggers it to do this" is ominous
indeed, so it's possible I just went down the happy path where this sort of
issue doesn't come up.

