Chapter 9. Kerberos Configuration and Use


The Kerberos protocol, the third network authentication tool described in this book, is named after the three-headed dog from Greek mythology, which guarded the entrance to the underworld. Like its mythological namesake, the modern Kerberos is a gatekeeper. Its principles and the problems it solves are different from those of NT domains and LDAP, though, which means that Kerberos's best areas of application are also different. Broadly speaking, Kerberos works best as a way to manage logins to multiple systems using multiple protocols; Kerberos provides single-sign-on capabilities that aren't well matched by competing protocols. As with NT domain configurations, Kerberos requires software on three classes of systems: the main Kerberos server; Kerberos application servers, which are servers for other protocols that defer to the Kerberos server for authentication; and clients of the application servers. You can use either Linux or Windows in any of these roles, although not all combinations work equally well. Some Microsoft application servers and clients, in particular, don't work as well with Linux Kerberos servers as with their Microsoft counterparts. This chapter presents Kerberos first from a Linux perspective and concludes with Windows-specific information.

This chapter emphasizes setting up the basic Kerberos environment, using a few Kerberized tools that come with Kerberos, and configuring basic login authentication via Kerberos. Kerberos can be used with more protocols, though, such as providing single-sign-on for POP email retrieval. Going beyond the protocols provided with the Kerberos package requires installing additional software.




    Linux in a Windows World
    ISBN: 0596007582
    EAN: 2147483647
    Year: 2005
    Pages: 152
