Lesson 6. Kerberos Fundamentals
There's a famous New Yorker cartoon in which two dogs are sitting at a computer and one of them says, "On the Internet, no one knows you are a dog." That's a big challenge on any network: identifying and authenticating who you are actually working with. Identification is the process of recognizing who the user says she is; authentication is the process of proving that the user is who she says she is. While subtle, the difference is important. Kerberos provides authentication and secure, single sign-on (SSO) service for network services. This lesson shows how Kerberos works and how to integrate Mac OS X computers with Kerberos.

The most commonly used method to identify and authenticate a user is to assign the user a unique name and password. By providing their names (identity) and passwords (authentication), users can "prove" who they are to their network services: a Hypertext Transfer Protocol (HTTP) server, an Apple Filing Protocol (AFP) server, an SMB server, a mail server, and so on. You make many connections to network services when working with computers on a network, so many, in fact, that identification and authentication are sometimes taken for granted. Since each network service typically requires a separate name and password for each user, people often have to keep track of several different names and identities. That can obviously create a problem if you forget your password and are denied access, or it can present a serious security risk if users track passwords in insecure ways. The risks associated with network security are covered in detail in Part 2, "Security," the next section of this book.

There are many technologies designed to address this issue, such as Keychain and Kerberos. Their basic premise is identical: a user should be required to identify and authenticate only once to access all approved network services. The methodology behind the two, however, is vastly different. This lesson covers Kerberos in Mac OS X v10.4.
Keychain is not directly related to Directory Services and is covered in Part 2.