Slashdot Mirror

← Back to Stories (view on slashdot.org)

MIT Launching Kerberos Consortium

Posted by ScuttleMonkey on from the passing-the-torch dept.

alphadogg writes to tell us that next week MIT will be throwing a 20th birthday party for their Kerberos authentication system. In celebration of this milestone they will also be launching a new consortium dedicated to preserving and evolving this standard for years to come. "Kerberos, originally created for MIT's Project Athena, is used mainly by enterprises and MIT's goal is to see the IETF security standard develop into a universal system for single sign-on. [...] 'Kerberos has.... become successful beyond MIT's internal capacity to respond to the world's demands for development, testing and support. So we need a new organizational structure that can accommodate the demand.'"

13 of 62 comments (clear)

  1. Kerberos by gravos · · Score: 3, Insightful

    For the first time, Kerberos will have an official home, supported by MIT and other Consortium members. This is a good thing no matter how you look at it.

    --
    This game will waste your life. Don't clicky!
    1. Re:Kerberos by LiquidCoooled · · Score: 4, Funny

      It might now have a home, but it won't be able to enter it without someone to vouch for its identity.

      --
      liqbase :: faster than paper
  2. And how wil MS influence this? by Anonymous+Crowbar · · Score: 3, Insightful

    With MS embedding thier version of Kerberos into their OS's it's fairly certain they will try to influence the direction of this in thier favor. Just something to watch out for.

    1. Re:And how wil MS influence this? by ackthpt · · Score: 4, Informative

      With MS embedding thier version of Kerberos into their OS's it's fairly certain they will try to influence the direction of this in thier favor. Just something to watch out for.

      Didn't we just cover this aspect of MS embedding crap in the EU ruling? They can do it in the US, perhaps Asia, but the EU will be telling them to OPEN UP. So if I wanted to use my own authentication system in the OS I should be able to, not Microsoft's.

      Oranisational Restructuring: "No, you want Bodkin, he shuffles orange and white papers, I now shuffle green and baby blue papers. Yellow and tan papers are down the hall to the left, shuffled by Morris."

      --

      A feeling of having made the same mistake before: Deja Foobar
    2. Re:And how wil MS influence this? by Anonymous+Crowbar · · Score: 4, Informative

      From the FAQ http://www.kerberos.org/about/FAQ.html Didn't you guys have some kind of big falling out with Microsoft around Kerberos? "We read about that, but MIT and Microsoft have a long history of working together on Kerberos. This history starts well before the release of Windows 2000. Since then, MIT and Microsoft have been working on standardizing some of the features such as realm referral that enhance the ease of configuration of the Active Directory product. To this day, MIT and Microsoft continue to work together on Kerberos standards. The most recent effort involves a joint proposal to protect Kerberos against weak passwords and provide enhanced user privacy. MIT and Microsoft have made a proposal and are working within the standards community to build consensus around this proposal." Not sure how easy it is to replace Kerberos in Microsoft OS, the fact is with all the companies I've worked with globally, all of them were just using Kerberos in AD since it was there. Sure, you can turn it off and replace it with another option but cost wise it doesn't make sense...and I would imagine in most cases there would not be a need to as well.

  3. Party! by brilinux · · Score: 3, Funny

    Maybe I will go... I can bring magic cookies!

  4. Someone has to ask it... by erroneus · · Score: 4, Interesting

    ...so why not me?

    Long ago, people were all upset when Microsoft did the ole embrace and extend thing with Kerberos. I haven't heard much about that for years. Has it been a problem for anyone? Will the Kerberos consortium take whatever Microsoft did into account so as not to break what other people have done to work with and around Microsoft?

    1. Re:Someone has to ask it... by KidSock · · Score: 4, Insightful

      Long ago, people were all upset when Microsoft did the ole embrace and extend thing with Kerberos. I haven't heard much about that for years. Has it been a problem for anyone? Will the Kerberos consortium take whatever Microsoft did into account so as not to break what other people have done to work with and around Microsoft?

      MS and the MIT Kerberos crowd get along just fine. I believe the things MS did are generally thought of as good. Some are starting to make it into the Kerberos distros (e.g. I think Heimdal has support for constrained delegation). The PAC business was a little overblown. The Samba guys were able to figure out how to sign the PAC from the doc MS provided and with some carefull network analysis. Of course the Samba guys are not happy overall. I don't know if they have a problem with their Kerberos code but other modes of communication and the semantics to go with are not adequately documented.

  5. Re:Laughably outdated by KidSock · · Score: 3, Informative

    My from-the-hip guess is that MIT has realized that they're a)dependent on Kerberos and b)nobody else uses it, so they need to generate some noise, make some unfounded claims, and hope to get some other people onboard. "Used in the enterprise"? Bull...

    FYI: Kerberos is the standard authentication protocol used on just about every enterprise network on the planet. All Windows clients that are members of an Active Directory domain use Kerberos to authenticate with fileservers, web services, LDAP servers and just about anything else that has domain credentials. That's probably 80% of Enterprise users alone. And the rest are probably using NFS which is rapidly moving to Kerberos authn' for everything.

  6. Re:Laughably outdated by secPM_MS · · Score: 4, Informative
    I would not call Kerberos outdated. Kerberos is based upon the Needham-Schroeder (NS) secret key approach and provides a rather comparable functionality to public key approaches. NS needs key distribution servers and the associated ticket granting servers, but these are in a security sense equivalent to the CA's and RA's of the PKI world.You can build authentication architectures upon either. The NS approach is computationally more efficient than the RSA math typically used by PKI.

    Kerberos is used extensively within Microsoft enterprise scenarios and is used in other non-Microsoft environments as well.

    Both Kerberos and PKI present management difficulties as you try to expand across large numbers of domains / forests with diverse security policies.

    If quantum computing ever truly breaks classic PKI approaches, the alternatives will be to develop PKI approaches that are more resistant to quantum attacks (problems are known that are believed to be resistant) and/or to use NS / Kerberos with doubled key length (quantum search attacks roughly square root the effective key size).

  7. NFS v4 uses Kerberos by ShaggyZet · · Score: 4, Informative

    Here is Linux's NFS v4 architecture. Other implementation's use kerberos too. Kerberos is one of the major improvements to NFS v4.

    http://developer.osdl.org/dev/nfsv4/site/architecture/

  8. Kerberos Rocks my world! by Zombie+Ryushu · · Score: 3, Interesting

    As I have demonstrated from some of my previous posts, Kerberos is indispensable in the network administration infrastructure in the Linux world, it connects to SSH, Samba, Apache, and god knows what else. Its something no Linux Admin should be without knowledge of. The MIT Kerberos implementation has been behind for years because of their refusal to implement LDAP support until now. I'm just glad Kerberos finally gets a standard LDAP Connector. I'm sick of having to maintain one database for Kerberos and LDAP for everything else.

    Still, Kerberos rocks my world. I couldn't do without it.

  9. MIT: Whitewash much? by Kadin2048 · · Score: 3, Informative
    I wonder who wrote that tripe, the MS legal team? And I wonder how much they paid MIT for the privilege.

    Truth be told, there was a big falling out between MS and MIT over Kerberos. Microsoft, as they are wont to do, tried to take Kerberos and proprietize it. The MIT guys said "not so fast," and took them to court over it. On the eve of what most assumed would be a judgment not in their favor, Microsoft suddenly had an 11th-hour change of heart and revealed their changes (although with poison-pill licensing terms attached, at least initially).

    From an article published in 2000:

    Slammed in a court brief for the proprietary way it implements the Kerberos Web security standard in Windows 2000, Microsoft (MSFT) has moved to reassure customers and disarm critics by publishing the formerly secret details of its version of Kerberos - just one day before the brief was filed. ... "They don't want anyone competing against them," says Paul Hill, co-leader of the Kerberos team at MIT, where the security standard was developed. "It's typical Microsoft behavior." ... Microsoft's implementation of Kerberos seems a textbook example of [embrace, extend, extinguish]. ... The version of Kerberos in every Windows 2000 PC formally complies with the standard specification. It also takes advantage of an undefined field in the spec to store authorization data for Microsoft's operating system. (Emphasis mine)
    "Joint proposal" my ass. Microsoft got dragged into that kicking and screaming. They would have buried Kerberos long ago if they had gotten their way.

    As an eventual result of this, some of Microsoft's changes were written up as an (informational, non-standards-track) RFC, which takes pains to repeat, over and over, that Microsoft's implementation was compatible with the original. The monopolist doth protest too much, I think.
    --
    "Ladies and gentlemen, my killbot features Lotus Notes and a machine gun. It is the finest available."