MIT Launching Kerberos Consortium

alphadogg writes to tell us that next week MIT will be throwing a 20th birthday party for their Kerberos authentication system. In celebration of this milestone they will also be launching a new consortium dedicated to preserving and evolving this standard for years to come. "Kerberos, originally created for MIT's Project Athena, is used mainly by enterprises and MIT's goal is to see the IETF security standard develop into a universal system for single sign-on. [...] 'Kerberos has.... become successful beyond MIT's internal capacity to respond to the world's demands for development, testing and support. So we need a new organizational structure that can accommodate the demand.'"

Kerberos

[gravos]

For the first time, Kerberos will have an official home, supported by MIT and other Consortium members. This is a good thing no matter how you look at it.

Re:Kerberos

[LiquidCoooled]

It might now have a home, but it won't be able to enter it without someone to vouch for its identity.

Re:Kerberos

[Anonymous+Crowbar]

And it better not arrive too early or too late if it want's to come in.

And how wil MS influence this?

[Anonymous+Crowbar]

With MS embedding thier version of Kerberos into their OS's it's fairly certain they will try to influence the direction of this in thier favor. Just something to watch out for.

Re:And how wil MS influence this?

[ackthpt]

With MS embedding thier version of Kerberos into their OS's it's fairly certain they will try to influence the direction of this in thier favor. Just something to watch out for.

Didn't we just cover this aspect of MS embedding crap in the EU ruling? They can do it in the US, perhaps Asia, but the EU will be telling them to OPEN UP. So if I wanted to use my own authentication system in the OS I should be able to, not Microsoft's.

Oranisational Restructuring: "No, you want Bodkin, he shuffles orange and white papers, I now shuffle green and baby blue papers. Yellow and tan papers are down the hall to the left, shuffled by Morris."

Re:And how wil MS influence this?

[EvanED]

You do realize there's plenty of history you can look at for what they might do regarding kerberos, right? It's been there since Windows 2000.

(Actually my OS prof last semester was one of the developers on the W2K kerberos stuff.)

Re:And how wil MS influence this?

[Anonymous+Crowbar]

From the FAQ http://www.kerberos.org/about/FAQ.html Didn't you guys have some kind of big falling out with Microsoft around Kerberos? "We read about that, but MIT and Microsoft have a long history of working together on Kerberos. This history starts well before the release of Windows 2000. Since then, MIT and Microsoft have been working on standardizing some of the features such as realm referral that enhance the ease of configuration of the Active Directory product. To this day, MIT and Microsoft continue to work together on Kerberos standards. The most recent effort involves a joint proposal to protect Kerberos against weak passwords and provide enhanced user privacy. MIT and Microsoft have made a proposal and are working within the standards community to build consensus around this proposal." Not sure how easy it is to replace Kerberos in Microsoft OS, the fact is with all the companies I've worked with globally, all of them were just using Kerberos in AD since it was there. Sure, you can turn it off and replace it with another option but cost wise it doesn't make sense...and I would imagine in most cases there would not be a need to as well.

Party!

[brilinux]

Maybe I will go... I can bring magic cookies!

Re:Party!

[mrogers]

They won't let you in without a ticket. :-/

Someone has to ask it...

[erroneus]

...so why not me?

Long ago, people were all upset when Microsoft did the ole embrace and extend thing with Kerberos. I haven't heard much about that for years. Has it been a problem for anyone? Will the Kerberos consortium take whatever Microsoft did into account so as not to break what other people have done to work with and around Microsoft?

Re:Someone has to ask it...

[KidSock]

Long ago, people were all upset when Microsoft did the ole embrace and extend thing with Kerberos. I haven't heard much about that for years. Has it been a problem for anyone? Will the Kerberos consortium take whatever Microsoft did into account so as not to break what other people have done to work with and around Microsoft?

MS and the MIT Kerberos crowd get along just fine. I believe the things MS did are generally thought of as good. Some are starting to make it into the Kerberos distros (e.g. I think Heimdal has support for constrained delegation). The PAC business was a little overblown. The Samba guys were able to figure out how to sign the PAC from the doc MS provided and with some carefull network analysis. Of course the Samba guys are not happy overall. I don't know if they have a problem with their Kerberos code but other modes of communication and the semantics to go with are not adequately documented.

Re:Someone has to ask it...

[mvdwege]

The Samba guys were able to figure out how to sign the PAC from the doc MS provided

You mean the doc that came as a self-extracting archive that presented an EULA that looked suspiciously like an NDA? A license that was eventually dropped after much screaming from the rest of the computing world in the direction of Seattle?

Mart

Re:Someone has to ask it...

[evilviper]

Long ago, people were all upset when Microsoft did the ole embrace and extend thing with Kerberos. I haven't heard much about that for years. Has it been a problem for anyone?

After so much screaming, Microsoft backed down and made their changes available and open.

Re:Someone has to ask it...

[KidSock]

You mean the doc that came as a self-extracting archive that presented an EULA that looked suspiciously like an NDA? A license that was eventually dropped after much screaming from the rest of the computing world in the direction of Seattle?

No, I mean this:

    http://msdn2.microsoft.com/en-us/library/aa302203.aspx

When it was first released they tried to claim no one could implement it. But that was knocked down to an un-naturally long copyright statement and a copyright statement only covers the content of the document / page. They could try to claim otherwise (e.g. like SCO tried with errno.h) but copyright has no impact on implementing what is described (sort of like how you can study GPL code and implement it elsewhere - you just can't copy and paste anything).

The document you're talking about was the CIFS spec wrapped in a Windows help file. That was just a feeble attempt to quell protesters asking for protocol documentation but that document's content had been available for many years so the overall effect was that they just annoyed the hell out of everyone by taking an existing document and sticking an EULA in it. That whole escapade was doomed to backfire. It was quite amusing really.

Re:Someone has to ask it...

I was at the first Kerberos meeting when MS presented their clever tripe.

I still haven't forgiven them.

    - AC

Re:Someone has to ask it...

[mvdwege]

The document you're talking about was the CIFS spec wrapped in a Windows help file.

No, I am talking about the self-extracting CAB file mentioned in this discussion. The spec you link to may be the same document, but it is undeniable that Microsoft did try to publish it under an EULA that essentially forbade using any of that information to implement the PAC for yourself.

Mart

Re:Someone has to ask it...

[dunng808]

I find your flippant attitude towards deplorable business conduct aimed at preventing competition appalling. You really need to spend some time observing the efforts of FOSS projects to provide an open and level playing field, then contrast what you learn with Microsoft's persistent efforts to stifle all competition. While you are at it, stop rewriting history to make it sound as if there never was a conflict.

You seem to be in denial, like a woman who refuses to believe her husband is a mobster. It is time for you to open your eyes and see Microsoft as the crimminal the courts rule they are.

Used in national labs

[InvisblePinkUnicorn]

I don't know much about kerberos, but I do know that it has always been used in the national lab where I worked the last few years (Sandia Natl Labs). So apparently the government trusts it (not sure if that counts for anything)...

Re:Used in national labs

[ackthpt]

I don't know much about kerberos, but I do know that it has always been used in the national lab where I worked the last few years (Sandia Natl Labs). So apparently the government trusts it (not sure if that counts for anything)...

Software they trust, it's people ...

Re:Used in national labs

[flyingfsck]

MS Active Directory uses it, so it is everyflippenwhere - hundreds of millions of machines use it.

Laughably outdated

[SuperBanana]

In celebration of this milestone they will also be launching a new consortium dedicated to preserving and evolving this standard for years to come.

That's a wonderful bit of spin.

My from-the-hip guess is that MIT has realized that they're a)dependent on Kerberos and b)nobody else uses it, so they need to generate some noise, make some unfounded claims, and hope to get some other people onboard. "Used in the enterprise"? Bullshit...

Kerberos was an idea for a time when nobody used SSL, nobody had SSH, VPNs were proprietary and could only be done on specialized hardware, and yp/nfs was still considered "acceptable."

Kerberos is an 8-track technology in a MP3 world where one can use an ssh client to proxy any SOCKS client, while mounting their home directory via SSHfs, while tunneling all their IP traffic (yep, latest openssh does full IP tunneling!)

I knew MIT had officially jumped the shark when I saw an alarm clock covered in shag rug with wheels touted as "brilliant", when it was something on the level of kitsch I'd expect from some no-name third-world electronics company.

Another great example of MIT's failure to generate students who have useful, applicable knowledge would be when their underwater robotics team, despite supposedly being the best+brightest, backed by sponsorship from the biggest defense contractors and oil companies...got their asses handed to them by a bunch of high school students from East Nowhere.

Re:Laughably outdated

If you can ignore the MIT bashing, mod parent up.

Re:Laughably outdated

[KidSock]

My from-the-hip guess is that MIT has realized that they're a)dependent on Kerberos and b)nobody else uses it, so they need to generate some noise, make some unfounded claims, and hope to get some other people onboard. "Used in the enterprise"? Bull...

FYI: Kerberos is the standard authentication protocol used on just about every enterprise network on the planet. All Windows clients that are members of an Active Directory domain use Kerberos to authenticate with fileservers, web services, LDAP servers and just about anything else that has domain credentials. That's probably 80% of Enterprise users alone. And the rest are probably using NFS which is rapidly moving to Kerberos authn' for everything.

Re:Laughably outdated

I have to agree with the OP. Kerberos was nice when it came out, but there are better authentication mechanisms available out there. It is true that it is widely used in the (mangled) version used under Active Directory, but I find it difficult to believe that NFS is migrating to Kerberos. Would you care to share some figures?

Re:Laughably outdated

[secPM_MS]

I would not call Kerberos outdated. Kerberos is based upon the Needham-Schroeder (NS) secret key approach and provides a rather comparable functionality to public key approaches. NS needs key distribution servers and the associated ticket granting servers, but these are in a security sense equivalent to the CA's and RA's of the PKI world.You can build authentication architectures upon either. The NS approach is computationally more efficient than the RSA math typically used by PKI.

Kerberos is used extensively within Microsoft enterprise scenarios and is used in other non-Microsoft environments as well.

Both Kerberos and PKI present management difficulties as you try to expand across large numbers of domains / forests with diverse security policies.

If quantum computing ever truly breaks classic PKI approaches, the alternatives will be to develop PKI approaches that are more resistant to quantum attacks (problems are known that are believed to be resistant) and/or to use NS / Kerberos with doubled key length (quantum search attacks roughly square root the effective key size).

Re:Laughably outdated

That's some chip on your shoulder; directed toward one of our finer institutions of learning. Let me guess, you either have no formal education or one from some place like DeVry. Well, if you're so wonderful perhaps you could share some of your profound technological genius with us.

Re:Laughably outdated

Yeah, dumbass. Kerberos is implemented in NFSv4, and it's the only robust way to secure NFS. You, sir, are a clueless slashtard.

Re:Laughably outdated

[cpuh0g]

You are indeed a slashtard. Kerberos is a mandatory-to-implement feature in the NFSv4 spec and has been part of NFSv3 (optional feature) for many years. Kerberos is hardly outdated. You are a clueless, naive waife who has no real idea what is going on in the world of computer security if you think it is outdated and dying.

Re:Laughably outdated

[flyingfsck]

Nope, you are confusing authentication with stream encryption. One can even configure SSH to use Kerberos authentication!

Re:Laughably outdated

[19thNervousBreakdown]

Better authentication mechanisms? Like what?

Re:Laughably outdated

[dkf]

Kerberos was nice when it came out, but there are better authentication mechanisms available out there. Only in the specific case where you're going across domains in some way, and then only because serious security people (quite reasonably) get antsy about trusting each other Kerberos domain controllers deeply. But within a domain, Kerberos works nicely. (IIRC, it can work in harmony with SSH; if that was the "better authentication mechanism" then shame on you!)

Mind you, I don't use the Kerberized stuff at work that much, mostly because I prefer to keep everything I need local on a laptop so I can continue to work even when there is *no* network available (still annoyingly often when travelling, alas...)

Just not true

[ShaggyZet]

Kerberos and SSH are not comparable technologies. If you must make a comparison, compare it to SSH's key mechanisms (host based, user key pairs, agents). In those cases there are pros and cons to be debated.

Kerberos's authentication isn't tied to a specific service and the same token can be used across a many daemons. In fact, SSH is one of the daemons supports Kerberos authentication (ie, is kerberized).

Kerberos can be a pain to setup, but once you take the time to understand how it works it's actually pretty nice.

NFS v4 uses Kerberos

[ShaggyZet]

Here is Linux's NFS v4 architecture. Other implementation's use kerberos too. Kerberos is one of the major improvements to NFS v4.

http://developer.osdl.org/dev/nfsv4/site/architecture/

Re: NFS v4 uses Kerberos

[Dolda2000]

Here is Linux's NFS v4 architecture. Other implementation's use kerberos too. Kerberos is one of the major improvements to NFS v4. In all honesty, though, Kerberos isn't precisely new to NFSv4, it's just that support for it has been mandated by NFSv4. Kerberos authentication is supported at the RPC layer, which is the same regardless if being used for NFSv4, v3, v2 or even portmapper, NIS or SGI FAM, if you will. AFAIK, Linux's NFSv2/3 implementation supports Kerberos authentication as well, ever since the support was added to support NFSv4. I shan't bet on it, but I think Solaris has supported Kerberos authentication for earlier NFS protocols for quite a while.

The actual improvements in NFSv4 include such things as compound calls (which is, on a completely unrelated note, also a new feature in Microsoft's SMB 2.0) which, at least supposedly, improves performance due to network latency. It also included symbolic UID/GID mapping (rather than working with numerical IDs). It also works better through firewalls by using a single TCP connection for everything (although personally, I think the firewall problem should be fixed instead...). While there exists an extension for POSIX APIs for NFSv3, NFSv4 has ACL support on its own, and I think it supports XATTRs as well (though the Linux implementation doesn't yet).

I'm pretty sure it includes other improvements as well, but I cannot remember any others right now. For me, the most important feature of the new protocol as such was the symbolic ID mapping, since it means that I can access my NFS home directories on my laptop without also having to use NIS and other things that wouldn't work when I take the laptop out from my home network.

Kerberos Rocks my world!

[Zombie+Ryushu]

As I have demonstrated from some of my previous posts, Kerberos is indispensable in the network administration infrastructure in the Linux world, it connects to SSH, Samba, Apache, and god knows what else. Its something no Linux Admin should be without knowledge of. The MIT Kerberos implementation has been behind for years because of their refusal to implement LDAP support until now. I'm just glad Kerberos finally gets a standard LDAP Connector. I'm sick of having to maintain one database for Kerberos and LDAP for everything else.

Still, Kerberos rocks my world. I couldn't do without it.

Re:Kerberos Rocks my world!

[Just+Some+Guy]

As I have demonstrated from some of my previous posts

Do math teachers learn that phrase in math teacher school, is it that people who say things like that grow up to be math teachers?

Re:Kerberos Rocks my world!

[shmackie]

I agree!! The more and more applications that become Kerberised, the better! eg: the next version of CUPS apparently.

Re:Kerberos Rocks my world!

[Ajehals]

There is something beautiful about centralised, secure and redundant authentication, especially with SSO. So yeah, I totally agree.

Re:Kerberos Rocks my world!

[sharkey]

Do math teachers learn that phrase in math teacher school, is it that people who say things like that grow up to be math teachers?

QED

You know

"The Kerberos Consortium" makes it sound a lot cooler than it actually is.

Re:You know

[TeknoHog]

"The Kerberos Consortium" makes it sound a lot cooler than it actually is.

"The Kerberos Konsortium" would be even kooler.

fO0ck!?

most. Look at the to you by Pe8isbird is dying and its

MIT: Whitewash much?

[Kadin2048]

I wonder who wrote that tripe, the MS legal team? And I wonder how much they paid MIT for the privilege.

Truth be told, there was a big falling out between MS and MIT over Kerberos. Microsoft, as they are wont to do, tried to take Kerberos and proprietize it. The MIT guys said "not so fast," and took them to court over it. On the eve of what most assumed would be a judgment not in their favor, Microsoft suddenly had an 11th-hour change of heart and revealed their changes (although with poison-pill licensing terms attached, at least initially).

From an article published in 2000:

Slammed in a court brief for the proprietary way it implements the Kerberos Web security standard in Windows 2000, Microsoft (MSFT) has moved to reassure customers and disarm critics by publishing the formerly secret details of its version of Kerberos - just one day before the brief was filed. ... "They don't want anyone competing against them," says Paul Hill, co-leader of the Kerberos team at MIT, where the security standard was developed. "It's typical Microsoft behavior." ... Microsoft's implementation of Kerberos seems a textbook example of [embrace, extend, extinguish]. ... The version of Kerberos in every Windows 2000 PC formally complies with the standard specification. It also takes advantage of an undefined field in the spec to store authorization data for Microsoft's operating system. (Emphasis mine)

"Joint proposal" my ass. Microsoft got dragged into that kicking and screaming. They would have buried Kerberos long ago if they had gotten their way.

As an eventual result of this, some of Microsoft's changes were written up as an (informational, non-standards-track) RFC, which takes pains to repeat, over and over, that Microsoft's implementation was compatible with the original. The monopolist doth protest too much, I think.

Re:MIT: Whitewash much?

[KidSock]

This is a highly twisted version of reality. The "undefined field" you mention is the authorization-data field in Kerberos tickets. That field is designed to contain application specific data such as groups and information about the user and that is precisely what MS used it for. No foul there. The structure they put in the authorization-data field is called the Privileged Attribute Certificate (PAC). The problem was that MS stated that the PAC was proprietary and that no one could implement it. I'm not sure which court breif you're talking about but I'm pretty sure the "big falling out" was over the IP claim on data in the Kerberos tickets wrt the PAC. MS reversed it's position. Information on the PAC is freely available on their website:

    http://msdn2.microsoft.com/en-us/library/aa302203.aspx

Personally I feel strongly that companies should be required to make more information available about interprocess communication used in applications that have a significant market share (e.g. MS office files, AD directory replication semantics, workstation management RPCs, etc). However, I also find it very frustrating to see people misrepresenting the truth. The truth is in your favor so by mis-represeting it you're only hurting yourselves.

Shouldn't that be...

[Graywolf]

The Kerberos Konsortium?

Can someone answer this?

[jimicus]

I still don't fully grasp this - perhaps someone can explain.

What does Kerberos+LDAP give you that LDAP on its own doesn't? My reading is that with kerberos-capable client software, once the user's entered their password once for one thing they don't have to for everything else - at least until their token expires - but ICBW.

Re:Can someone answer this?

[Nurgled]

LDAP is just a directory protocol. Kerberos is a network-wide authentication protocol. I'm a little rusty on Kerberos myself, but I believe the following summary to be a reasonable description of what Kerberos does:

Kerberos is basically an infrastructure which applies cryptography to the problems of intra-domain and inter-domain authentication. It is based around the concept of "tickets", which are cryptographic tokens that can be presented to services in order to authenticate. Each ticket is applicable only to one service or host.

The process begins by asking the ticket granting server (or "domain controller", in Microsoft perlance) for a ticket granting ticket, or TGT. A TGT is used to obtain other tickets. These additional tickets are then presented to their respective services as a credential during the authentication process. Since these tickets and the authentication exchanges are maintained by the system's kerberos implementation, it appears to end-users that they are able to hop from system to system and from service to service without logging in to each one separately.

The upshot of all this is that you aren't constantly sending your password all over the place, and each service is authenticated separately. If you have access to a Windows 2000 or above machine that is on a domain, try typing "klist tickets" at the command prompt and you'll see a selection of tickets that belong to your current session, including the all-important ticket granting ticket, a ticket for the Active Directory LDAP service and a "cifs" ticket for any servers you've connected to using Windows File/Printer Sharing.

Kerberos domains can also federate so that tickets granted in one can be used to authenticate in another. There is also support for delegation, which allows a user to securely authenticate to a service through another service, such as a webmail client which ultimately logs into an IMAP server. I will confess that I don't know precisely how these two things operate, but I'm sure you can find out more via Google if you're interested.

Re:Can someone answer this?

[jimicus]

I will confess that I don't know precisely how these two things operate, but I'm sure you can find out more via Google if you're interested.

I am, but the difficulty I've been facing is getting an idiot's introduction to it. Most seem to assume you already know all about how it works.

The other thing I notice is that it alleviates the problem of passwords or hashes of passwords flying around the network in the clear. But I'd imagine that's a bit less of an issue if everything runs over SSL.

Re:Can someone answer this?

[pedestrian+crossing]

C:\>klist tickets
'klist' is not recognized as an internal or external command,
operable program or batch file.
C:\>

Re:Can someone answer this?

[Goatbag]

I am, but the difficulty I've been facing is getting an idiot's introduction to it. Not an idiot's introduction, but one that doesn't assume prior knowledge. A little outdated, but that's the basic idea.

Re:Can someone answer this?

[amsr]

What does Kerberos+LDAP give you that LDAP on its own doesn't?

Security. LDAP by itself stores passwords in the user record in the directory. Kerberos abstracts the authentication mechanism out of the directory in a much more secure fashion. Passwords are never sent over the network.

Re:Can someone answer this?

[Just+Some+Guy]

Kerberos abstracts the authentication mechanism out of the directory in a much more secure fashion.

This is true in general, too. Rather than coming up with some convoluted auth scheme on your own, you can just standardize on Kerberos for your application and trust that other people who know a lot more about this than I ever will have gotten it right.

In one sense, it's a single point of failure. In other, it means that you only have to get it right one time and everything else can take advantage of it.

Re:Can someone answer this?

[Stu+Charlton]

In one sense, Kerberos was a way of doing secure communication & authentication before PKI-based schemes like SSL became popular. It only used symmetric encryption, so required the central ticket granting service. Newer standards are incorporating assymmetric encryption to make the protocol even stronger against attack....

Kerberos is a bit rough to understand at first. The documentation exists out there (Microsoft has some of the better stuff), but it can be pretty detailed if you're not comfortable with encryption & binary protocols. One of the best ways to play with it is to run Wireshark to watch Kerberos traffic, as it can parse the packets and tell you what's going on.

The major confusing thing about Kerberos, for a developer, is the GSS-API. Kerberos doesn't have a standard API -- MIT has theirs, and Microsoft has their ActiveDirectory API, etc. Whereas GSS stands for "General Security Service" and is a general purpose wrapper API for security services like Kerberos, regardless of implementation. Microsoft supports GSS to some degree, but doesn't expose all of its features, I don't believe. There are multiple language bindings, C being the most common, but also .NET, and Java. Both GSS-API and Kerberos allow for message authentication codes (like digital signature, but again using symmetric crypto), secure communications (like SSL), along with mutual authentication, and even delegation (propagating identity across multiple tiers, say a Web Browser, to Web Server, to SQL database).

Things get even more confusing when you look at Kerberos over HTTP (which is how Microsoft does single-sign on with Windows + Internet Explorer). This is mostly accomplished with SPNEGO, which is a "Simple & Protected GSS-API NEGOtation mechanism". So, here we have a wrapper protocol (using ASN.1 format) around Kerberos that is almost always going to be Kerberos anyway, stuffed into an HTTP header, requiring excessive HTTP round trips for "negotiation". It works, but mostly on intranets.

Re:Can someone answer this?

[Nurgled]

It would appear that klist.exe actually comes from the Windows Network Resource Kit rather than being in Windows itself. Sorry.

Athena ?

[bytesex]

I thought they were a widget set. Or do they name anything Athena that comes out of MIT, thinking it's nice and Greek an' all ?

You can get tickets to the party....

[capmblade]

...but only if your timepiece matches theirs.

Kerberos needs some merging with LDAP

[the_olo]

IMHO the future direction taken with Kerberos should be merging the protocol into LDAP (e.g. for the future LDAPv4 revision of LDAP protocol).

Here's my rationale behind this: The problem with Kerberos being a distinct protocol from LDAP is that the distinction causes lots of confusion among the implementors, system architects, developers and administrators. This results in lots of cases where the two protocols are misused.

The correct distinction should be that you use Kerberos for authentication (that is, proving that a user is someone he claims to be) and LDAP for authorization (that is, given an authenticated user, determining information related to granting access to some resources - such as group memberships, possibly some application-specific ACLs etc) and for other data for which a directory is useful (hard to list all possible uses of LDAP, but e.g. mail aliases are a fine example).

But because the protocols are separate and very hard to setup together on a single authentication/authorization/directory server (or a group of servers!), people go along with only one of them, usually using LDAP for authentication instead of Kerberos (see mod_auth_ldap for Apache), effectively prohibiting themselves from implementing usable single sign-on

For an example, let's have a look at available OSS solutions. Apache Directory has Kerberos and LDAP integrated from the start, but it's painfully slow as a server at its current state. A mail server using LDAP for aliases can perform quite a bit of hammering on the LDAP server. MIT Kerberos cannot use LDAP databases. So doesn't Shishi Kerberos, although they plan implementing this in the future. That leaves us with Heimdal Kerberos. Heimdal requires the LDAP server to be on the same machine and support LDAPI connections. So that rules out Fedora Directory Server, whose stable version 1.0.4 doesn't support LDAPI yet (although the CVS development version recently got LDAPI support, finally).

I've tried setting up a Heimdal Kerberos server with OpenLDAP (with SASL2 daemon in the middle), and succeeded, but it was a royal pain in the *ss.

All HOWTOs I've found on the web described a brain-dead design where Kerberos maintains a classic file-based database on its own, separate from OpenLDAP database, and one has to make sure they both are in sync (because it's possible that one can have a user that the other doesn't). In such a setup replication is really troublesome and has to be done using 2 different channels and mechanisms (e.g. LDAP syncrepl + Kerberos' own redundant servers).

I wanted an integrated design, where Heimdal stores its data directly in OpenLDAP.
This way, I couldn't possibly create a Kerberos account without an LDAP account (well, I could if I omitted Kerberos objectclass and attributes, but it would be harder to do and easier to detect). Also, I could use only LDAP's replication mechanisms and easily provide fault-tolerant cluster of LDAP and Kerberos servers.

Unfortunately, the diagram for this setup looks quite daunting for a beginner implementor, as you can see for yourself.

There were also lots of gotchas:

• Heimdal can connect to LDAP as its database only using LDAPI - a networkless LDAP connection over UNIX domain socket. So you have to configure OpenLDAP in a quite non-standard way, and latest

Re:Kerberos needs some merging with LDAP

[DecayingInsect]

I'd agree with the above: LDAP/GSSAPI/SASL is a challenge to set up correctly and administer using FOSS components. I had a test system similar to the above at my work site, but it looks like it's going to be a non-flier now that the bosses have seen what Active Directory has to offer specifically in terms of account-management and replication. This is a shame because it means that control over authentication to unix platforms will now be placed in the hands of the AD admins.

Project Athena

[Crispy+Critters]

Any Project Athena historians around?

Athena involved setting up a network of workstations so that you could log onto any one of them and have access to your home directory, mail, etc. as if they were local to that machine.

This doesn't sound like a big deal until you find out that it started in 1983. Kerberos and X are children of Project Athena.

Wikipedia is your friend: Project Athena

Re:Project Athena

[krog]

Project Athena's goal was, roughly speaking, to allow any user to walk up to any machine and log in, and be greeted with their files, apps, customizations, etc. This involved the creation of a windowing system which supported network operation (X Window System), centralized authentication service (Kerberos), centralized directory service (Hesiod), and also the integration of a networked file system (first NFS, then AFS).

This is a simplification and Athena has grown up quite a bit in the two dozen or so years it's been around, but that's it in a nutshell.

Re:Project Athena

[bytesex]

A bit like Sun-rays then. Thanks for the info.

US Export Laws and Kerberos

[billstewart]

At least back in the 1990s, when the US government was pretending that its rules against publishing crypto were to keep Commies from getting it, you weren't allowed to export the full Kerberos system, but you could export "Bones" subsets that had the crypto routines removed, which was enough to duplicate the protocols once you ftp's the DES code from Finland or whatever.

The US seems to be a lot more flexible now about not harassing code websites, and John Gilmore and the EFF beat them up by building a machine to crack DES, but I don't know if you can export full Kerberos now (or at least if you can get official permission.)