Disadvantages of Kerberos


Although Kerberos removes a common and severe security threat, it may be difficult to implement for various reasons:

  • Migrating user passwords from a standard UNIX password database, such as /etc/passwd or /etc/shadow, to a Kerberos password database can be tedious as there is no automated mechanism to perform this task. For more information, refer to the Kerberos FAQ at http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html.

  • Kerberos has only partial compatibility with the Pluggable Authentication Modules (PAM) system used by most servers running Red Hat Linux. For more information on this issue, see the “Kerberos and PAM” section of this chapter.

  • In order for an application to use Kerberos, its source must be modified to make the appropriate calls to the Kerberos libraries. For some applications, this can be quite problematic because of the size of the Kerberos libraries, or the frequency with which they must be called. For other applications, changes must be made to the way in which the server and client side communicate. Again, this may require extensive programming. Closed-source applications that do not have Kerberos support by default are often the most problematic.

  • Kerberos assumes that you are using trusted hosts on an untrusted network. Its primary goal is to prevent plaintext passwords from being sent across that network. However, if anyone other than the proper user has physical access to any of the hosts, especially the one that issues tickets used for authentication, the entire Kerberos authentication system is at risk of being compromised.

  • Kerberos is an all-or-nothing solution. If you decide to use Kerberos on your network, you must remember that any passwords transferred to a service that does not use Kerberos for authentication run the risk of being captured by packet sniffers. In that case, your network gains no benefit from the use of Kerberos. To secure your network with Kerberos, you must either kerberize all applications that send plaintext passwords or not use those applications on your network at all.
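
The migration problem in the first bullet, as an added example that is not part of the original guide: the hashes in /etc/shadow are one-way and cannot be turned into Kerberos keys, so a script can only create one principal per login account with a temporary password that must be changed at first use. The code assumes MIT Kerberos `kadmin` syntax (`addprinc -pw ... +needchange`) and a minimum human UID of 500; the realm `EXAMPLE.COM`, the sample file and the function names are hypothetical.

```python
import re
import secrets

# Constructed sample in /etc/passwd format (not from the original page).
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:2:2:daemon:/sbin:/sbin/nologin
alice:x:500:500:Alice Example:/home/alice:/bin/bash
bob:x:501:501:Bob Example:/home/bob:/bin/tcsh
ftpuser:x:502:502::/var/ftp:/sbin/nologin
malformed line without fields
"""

NOLOGIN_SHELLS = {"/sbin/nologin", "/bin/false"}
SAFE_NAME = re.compile(r"[a-z_][a-z0-9_-]*")  # reject names that could alter a kadmin command

def human_accounts(passwd_text, min_uid=500):
    """Return login names of interactive accounts; skip system and no-login users."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # not a valid passwd entry
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        if not uid.isdigit() or int(uid) < min_uid:
            continue  # system account (assumed UID threshold)
        if shell in NOLOGIN_SHELLS or not SAFE_NAME.fullmatch(name):
            continue
        users.append(name)
    return users

def kadmin_batch(passwd_text, realm, min_uid=500):
    """Return (kadmin commands, {user: temporary password}) for each login account."""
    commands, temp = [], {}
    for name in human_accounts(passwd_text, min_uid):
        # The old password cannot be recovered from its hash, so issue a random
        # one-time password; +needchange forces the user to replace it.
        pw = secrets.token_hex(12)
        temp[name] = pw
        commands.append(f"addprinc -pw {pw} +needchange {name}@{realm}")
    return commands, temp

if __name__ == "__main__":
    cmds, _temp = kadmin_batch(SAMPLE_PASSWD, "EXAMPLE.COM")
    print("\n".join(cmds))
```

The generated batch contains the temporary passwords in cleartext, so keep it readable by root only on the KDC and delete it once the principals exist.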




Official Red Hat Linux Administrator's Guide
ISBN: 0764516957
EAN: 2147483647
Year: 2002
Pages: 278
Authors: Red Hat Inc
