When to Run a Kerberos Server | Advanced Linux Networking

Tools like firewalls (discussed in Chapter 25, Configuring iptables) are designed to protect a computer or network from the outside world, or to protect the outside world from miscreants inside a local network. Kerberos, on the other hand, is an internal security tool ”it helps both servers and clients be sure that they're communicating with the proper systems and users, and to protect passwords so that they can't be stolen and abused by other local network users. (Kerberos can also improve external security by providing encryption to external users who need access to internal servers.) Simultaneously , Kerberos provides convenience ”by centralizing the password database, Kerberos allows a user to log in to any workstation on a network and enter a login password only once, obviating the need to enter passwords for POP mail servers, FTP servers, and other local servers that would otherwise require passwords.

These features make Kerberos a very useful tool on mid- sized and large local networks, such as those operated by many colleges, universities, and corporations. Such networks frequently host mail servers, print servers, and the like internally, and allow users to log in to workstations at many locations. Rather than maintain a centralized computer system with terminals, users at these organizations use more powerful workstations. On such a network, maintaining individualized password databases is tedious at best, so Kerberos is a useful tool.

Kerberos is a cross-platform tool; Kerberos clients and servers can exist on Linux, other UNIX-like OSs, Windows, MacOS, or many other OSs. (Microsoft's own Kerberos implementation, though, is subtly incompatible with the standard version. The MIT Kerberos page includes links to another implementation of Kerberos for Windows that is more compatible with the standard version.) Cross-platform compatibility can be an extremely important characteristic in many environments.

Centralized versus Distributed Computing

In the late 1960s through much of the 1980s, UNIX systems were generally intended to be used by several people simultaneously. These computers sat in machine rooms and were used via text-mode terminals or, later, X terminals that provided GUI access. As processing power became cheaper, a trend developed to place workstations on all users' desks. The modern x 86 PC is a manifestation of this trend.

Today, most networks use a largely decentralized computing model, with workstations running Windows, MacOS, or occasionally Linux or some other UNIX variant. These computers may rely on network servers such as mail servers, file servers, print servers, and so on, but they do most of their processing locally. Such a network has a certain advantage in robustness, because if a server goes down, chances are the rest of the network will continue to operate . This distributed approach also means that all users can count on a certain minimum amount of processing power ”whatever's available on the local workstation. In simple networks like this, users are often tied to specific computers, because they only have passwords on their own computers. This is one of the problems that Kerberos is intended to solve.

Today's x 86 computers are far more powerful than the mainframes of just a couple of decades ago, and it's possible to use them in a centralized computing approach. A single powerful Linux system can run many users' programs. These users can sit at much less powerful systems that function only as terminals, using terminal software like that discussed in Chapters 13 (Maintaining Remote Login Servers) and 14 (Handling GUI Access with X and VNC Servers). Such an approach is vulnerable to problems with the central system, though; if it goes down, the rest of the network becomes useless. The centralized approach can be easier to administer, though, and it may obviate the need for user management software like Kerberos.

In most cases, the applications you use must include explicit Kerberos support to take advantage of the tool. For instance, your POP mail client and server must both support Kerberos authentication, or they'll continue using their own authentication methods . This chapter covers Kerberos configuration on Linux. This configuration can be used in conjunction with non-Linux systems, but I don't cover configuring Kerberos clients in Windows, MacOS, or other platforms.