Lesson 6. Kerberos Fundamentals

Time

This lesson takes approximately 2 hours to complete.

Goals

Understand the advantages and disadvantages of using Kerberos with Mac OS X

Use Kerberos to verify passwords

Edit the Kerberos configuration files on a Mac OS X computer

Use klist, kinit, and kdestroy command-line tools to add, delete, and list Kerberos tickets on a Mac OS X computer

List the contents of the edu.mit.Kerberos file on Mac OS X

Learn how a user's kerberized authentication method is stored in an LDAP directory when using Mac OS X


There's a famous New Yorker cartoon in which two dogs are sitting at a computer and one of them says, "On the Internet, no one knows you are a dog."

That's a big challenge on any network: identifying and authenticating who you are actually working with. Identification is the process of establishing who the user claims to be; authentication is the process of proving that the user really is who she claims to be. While subtle, the difference is important.

Kerberos provides authentication and secure, single sign-on (SSO) service for network services. This lesson shows how Kerberos works and how to integrate Mac OS X computers with Kerberos.

The most commonly used method to identify and authenticate a user is to assign the user a unique name and password. By providing their names (identity) and passwords (authentication), users can "prove" who they are to their network services: a Hypertext Transfer Protocol (HTTP) server, an Apple Filing Protocol (AFP) server, an SMB server, a mail server, and so on. You make many connections to network services when working with computers on a network, so many, in fact, that the aspects of identification and authentication are sometimes taken for granted.

Since each network service typically requires a separate name and password for each user, people often have to keep track of several different names and identities. That can obviously create a problem if you forget your password and are denied access, or can present a serious security risk if users track passwords in insecure ways. The risks associated with network security are covered in detail in Part 2, "Security," the next section of this book.

There are many technologies designed to address this issue, such as Keychain and Kerberos. Their basic premises are identical: a user should be required to identify and authenticate only once to access all approved network services. But the methodology behind the two is vastly different. This lesson covers Kerberos in Mac OS X v10.4. Keychain is not directly related to Directory Services and is covered in Part 2.




Apple Training Series: Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
Year: 2005
Pages: 258
Authors: Schoun Regan