Mantas Mikulėnas grawity at gmail.com
Tue Nov 6 17:07:31 AEST 2018

On Tue, Nov 6, 2018 at 8:40 AM Grant Taylor via TUHS <tuhs at minnie.tuhs.org>

> On 11/05/2018 03:34 PM, Dan Cross wrote:
> > You can use a modified `login` that will validate you against a KDC.

These days the modification generally consists of pam_krb5 added to the
system's PAM configuration.

> > Modifications have been made to e.g. SSH so that one can authenticate an
> > SSH session via GSSAPI, which usually wraps Kerberos. If I recall,
> > GSSAPI might be one of the lasting legacies of the DCE, though I may be
> > misremembering history.
> *nod*

And similarly – in other protocols (IMAP, SMTP, IRC, the same LDAP) one can
authenticate a session via SASL, which usually wraps GSSAPI, which usually
wraps Kerberos.

> Kerberos solves the authentication problem, but does not provide a
> > directory service nor does it solve the authorization problem (though
> > some "kerberized" services could use a library to consult a
> > user-provided file of ACLs mapping principals to privileges). On Unix,
> > "authorization data" includes things like your UID and the set of groups
> > you belong to (or more precisely, your process's UIDs and GIDs/groups).
> > Kerberos provided support for privacy via encryption libraries, and it
> > provided support for integrity via hashing/checksumming/signature
> > libraries. "Kerberized" versions of network services such as telnet,
> > FTP, rsh/rlogin/rcp etc all provided support for authentication via the
> > baseline Kerberos protocol as well as privacy and integrity via
> > connection-level encryption and checksumming.
> I was not aware that Kerberos could provide privacy (encryption) for
> kerberized services.  I (naively) thought that Kerberos was
> authentication that other things could use to make access control
> decisions.

You're right, it's primarily an authentication protocol. But due to the way
it works, it *also* negotiates a 'session key' between the user and the
service, which then may be used for transport encryption (sealing). It's
not commonly used as far as I know – most new protocols already have their
own security layers such as TLS or SSH.

Actually LDAP is the only still-widespread protocol that comes to mind
whose implementations frequently make use of Kerberos-based encryption (via
GSSAPI). This is especially common in Active Directory environments, where
the DCs might not have a valid TLS certificate.

(I seem to recall kerberized Telnet didn't survive because it was limited
to DES/3DES for an odd reason. Didn't quite understand why that was the
case, though.)

Mantas Mikulėnas
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://minnie.tuhs.org/pipermail/tuhs/attachments/20181106/bdd11757/attachment.html>

More information about the TUHS mailing list