Linux systems normally use localized authentication, that is, when a user types a username and password, the computer uses its own authentication database to decide whether to grant the user access. A further consequence of this system is that servers that require passwords for access, such as POP mail servers and FTP servers, require users to enter their passwords and send them over the network. This approach is sensible for isolated computers and for computers whose users don't have accounts on other systems on a network. When a group of users has accounts on many computers, though, maintaining those accounts can be tedious. Furthermore, with passwords flying across the network wires, often in an unencrypted form, the chance for a malicious individual to do damage by stealing passwords is substantial. These are the problems that Kerberos is intended to solve. This tool allows you to maintain a centralized user database. Individual computers defer to this centralized database when authenticating users, and use sophisticated encryption techniques to ensure that data transfers aren't subject to hijacking.
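The following added example (not from the book, and not MIT Kerberos code) simulates the principle just described: a KDC with a centralized principal database answers a login request with a ticket and a client-encrypted reply, so the user's password never crosses the wire and only unlocks the reply locally. Principal names, the realm, the password and the cipher are constructed for the demo; the cipher is an HMAC-based toy, not a real Kerberos encryption type.

```python
import hashlib, hmac, json, os

REALM = "EXAMPLE.COM"  # constructed sample realm

def string_to_key(password: str, principal: str) -> bytes:
    """Toy string-to-key: derive a principal's long-term key from its password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]

def seal(key: bytes, data: dict) -> bytes:
    """Constructed demo cipher: XOR with an HMAC keystream plus an HMAC tag (not a Kerberos enctype)."""
    pt = json.dumps(data).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, keystream(key, nonce, len(ct)))))

# The KDC's centralized principal database (constructed sample entries).
KDC_DB = {
    "alice": string_to_key("correct horse battery staple", "alice"),
    "pop/mail.example.com": os.urandom(32),  # service key, shared only with the POP server
}

def kdc_as_exchange(client: str, service: str) -> tuple[bytes, bytes]:
    """AS-REQ carries only principal names; AS-REP is a ticket plus a client-encrypted part."""
    session_key = os.urandom(32).hex()
    ticket = seal(KDC_DB[service], {"client": client, "session_key": session_key})
    enc_part = seal(KDC_DB[client], {"service": service, "session_key": session_key})
    return ticket, enc_part

def client_login(client: str, password: str, service: str) -> tuple[str, bytes]:
    """The password never leaves the client; it only unlocks the KDC's reply."""
    ticket, enc_part = kdc_as_exchange(client, service)
    session_key = unseal(string_to_key(password, client), enc_part)["session_key"]
    return session_key, ticket

def service_accepts(service: str, ticket: bytes, claimed_session_key: str) -> bool:
    """The service opens the ticket with its own key and checks the client holds the same session key."""
    return unseal(KDC_DB[service], ticket)["session_key"] == claimed_session_key
```

A wrong password makes the client's own decryption of the reply fail, which is the only place the password is ever checked; nothing resembling it is sent to the KDC or the service.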
To run a Kerberos server, it's important that you understand the basic principles upon which it's built, including the different versions of Kerberos and its requirements. As with other network protocols, Kerberos uses both a client and a server. To do any good, you must be able to configure both, so this chapter covers both options.
Kerberos is an extremely complex protocol, and to use it fully you must configure not only a single Kerberos server, but many of your network's servers and clients. For this reason, this chapter only scratches the surface of Kerberos configuration. To do more than set up a fairly basic Kerberos system, you'll need to consult additional documentation, much of which is available from the main Kerberos Web site, http://web.mit.edu/kerberos/www/. This page includes many links to official and unofficial Kerberos documentation and implementations of the protocol.