Kerberos: Difference between revisions

From Citizendium
imported>Howard C. Berkowitz
No edit summary
mNo edit summary
 
(4 intermediate revisions by 3 users not shown)
Line 1: Line 1:
{{subpages}}
{{PropDel}}<br><br>{{subpages}}
[[Kerberos]] is a networked [[authentication]] system developed at the [[Massachusetts Instutite of Technology]].<ref>{{citation
{{TOC|right}}
[[Kerberos]] is a networked [[authentication]] system developed at the [[Massachusetts Institute of Technology]].<ref>{{citation
  | url = http://web.mit.edu/Kerberos/
  | url = http://web.mit.edu/Kerberos/
  | title = Kerberos
  | title = Kerberos
  | publisher = [[Massacusetts Instititute of Technology]], A central trusted server provides "tickets" which allow other machines to authenticate each other. Granting of specific rights, called credentialing, to authenticated machines can be by a separate secure server.   
  | publisher = [[Massacusetts Institute of Technology]]}}</ref>, A central trusted "ticket-granting server" provides "tickets" which allow other machines to authenticate each other. Granting of specific rights, called credentialing, to authenticated machines can be by a separate secure server.   


The separation of credentialing from authentication is not part of all authentication systems, but offers the ability to separate the administration of those two functions, which is a check-and-balance for personnel security of administators.
==Specifications and documentation==
==Specifications and documentation==
The Kerberos protocol is specified in RFC 4120. There is an active [http://www.ietf.org/html.charters/krb-wg-charter.html working group] at the [[IETF]] with many more documents. Microsoft's usage is documented in RFC 3244 and RFC 4757.  
The Kerberos protocol is specified in RFC 4120. There is an active [http://www.ietf.org/html.charters/krb-wg-charter.html working group] at the [[IETF]] with many more documents. Microsoft's usage is documented in RFC 3244 and RFC 4757.  


There is a [http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html FAQ]. IBM provide a [http://www.ibm.com/developerworks/ibm/library/it-kerbero.html Kerberos primer].
There is a [http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html FAQ]. IBM provide a [http://www.ibm.com/developerworks/ibm/library/it-kerbero.html Kerberos primer].
==Architecture==
The separation of credentialing from authentication is not part of all authentication systems, but offers the ability to separate the administration of those two functions, which is a check-and-balance for personnel security of administators.
==Vendor use==
==Vendor use==
Kerberos has been used (not without controversy [http://slashdot.org/article.pl?sid=00/05/02/158204]) by all versions of [[Microsoft Windows]] since [[Windows 2000]] [http://technet.microsoft.com/en-us/library/bb742431.aspx]. It is also used by various Unix-based systems, including [http://www.sun.com/security/kerberos/index.jsp Sun], [http://developer.apple.com/opensource/kerberosintro.html Apple], [https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1417AA HP] and [http://www.ibm.com/developerworks/ibm/library/it-kerbero.html IBM].
 
Kerberos is used in various Unix-based systems, including [http://www.sun.com/security/kerberos/index.jsp Sun], [http://developer.apple.com/opensource/kerberosintro.html Apple], [https://h20392.www2.hp.com/portal/swdepot/displayProductInfo.do?productNumber=T1417AA HP] and [http://www.ibm.com/developerworks/ibm/library/it-kerbero.html IBM]. It has been used in all versions of [[Microsoft Windows]] since [[Windows 2000]] [http://technet.microsoft.com/en-us/library/bb742431.aspx].
 
There was considerable controversy [http://slashdot.org/article.pl?sid=00/05/02/158204] over Microsoft's usage. Basically, they took the [[Open Source]] tool, added "enhancements" that made their version incompatible with everyone else's, and tried to impose licensing conditions on their code that would have made it very difficult for anyone to write a compatible version. You could not even see the specification without signing a [[non-disclosure agreement]].
 
==References==
==References==
{{reflist}}
{{reflist}}[[Category:Suggestion Bot Tag]]
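Review bot: the citation's publisher field in the new revision still reads "[[Massacusetts Institute of Technology]]". The body link was corrected to "Massachusetts" but the publisher was not, so the same fix should be applied there. The text after the closing `}}</ref>` begins ", A central trusted", which leaves a stray comma where a sentence break is intended; suggest "}}</ref> A central trusted ...". The paragraph moved under the new ==Architecture== heading keeps the misspelling "administators", and that section now holds only the remark on separating credentialing from authentication, so it would benefit from stating how the ticket-granting server fits in before that remark.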

Latest revision as of 06:00, 8 September 2024

This article may be deleted soon.
To oppose or discuss a nomination, please go to CZ:Proposed for deletion and follow the instructions.

For the monthly nomination lists, see
Category:Articles for deletion.


This article is developing and not approved.

Kerberos is a networked authentication system developed at the Massachusetts Institute of Technology.[1] A central trusted "ticket-granting server" provides "tickets" which allow other machines to authenticate each other. Granting of specific rights, called credentialing, to authenticated machines can be handled by a separate secure server.

Specifications and documentation

The Kerberos protocol is specified in RFC 4120. There is an active working group at the IETF with many more documents. Microsoft's usage is documented in RFC 3244 and RFC 4757.

There is a FAQ. IBM provide a Kerberos primer.

Architecture

The separation of credentialing from authentication is not part of all authentication systems, but it allows the two functions to be administered separately, which is a check-and-balance for personnel security of administrators.
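The ticket flow from the introduction and the separation described above can be sketched as follows. This is an added example, not code from the article or from MIT Kerberos. Assumptions: the principals `alice` and `fileserver`, the `RIGHTS` table and all function names are hypothetical, the cipher is a toy stand-in for a real Kerberos encryption type, and the initial login and ticket-granting exchanges are collapsed into one step.

```python
import hashlib, hmac, json, os, time

def _stream(key, nonce, n):
    """Toy keystream: SHA-256 in counter mode (illustration only)."""
    blocks = (hashlib.sha256(b"enc" + key + nonce + i.to_bytes(4, "big")).digest()
              for i in range(0, n, 32))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC standing in for a real Kerberos encryption type."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

# Constructed long-term keys: each is shared only between its owner and the ticket server.
KEYS = {"alice": os.urandom(32), "fileserver": os.urandom(32)}

def issue_ticket(client, service, lifetime=300):
    """Ticket server: returns (reply only the client can read, ticket only the service can read)."""
    session = os.urandom(32).hex()
    ticket = seal(KEYS[service], {"client": client, "session": session,
                                  "expires": time.time() + lifetime})
    return seal(KEYS[client], {"service": service, "session": session}), ticket

def client_request(client, client_key, reply, ticket):
    """Client: recover the session key and prove knowledge of it with an authenticator."""
    session = bytes.fromhex(unseal(client_key, reply)["session"])
    return ticket, seal(session, {"client": client, "time": time.time()})

def service_authenticate(service_key, ticket, authenticator, skew=300):
    """Service: accepts the ticket because it verifies under its own long-term key."""
    t = unseal(service_key, ticket)
    a = unseal(bytes.fromhex(t["session"]), authenticator)
    if (a["client"] != t["client"] or abs(time.time() - a["time"]) > skew
            or time.time() > t["expires"]):
        raise ValueError("authenticator mismatch, stale, or ticket expired")
    return t["client"]

# Credentialing: a separate table, maintained by a different administrator than KEYS.
RIGHTS = {"alice": {"read"}}

def authorize(principal, action):
    return action in RIGHTS.get(principal, set())
```

The ticket establishes only who the client is; whether `alice` may read or write is decided by `authorize`, so an administrator of `KEYS` cannot grant rights and an administrator of `RIGHTS` cannot mint identities.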

Vendor use

Kerberos is used in various Unix-based systems, including Sun, Apple, HP and IBM. It has been used in all versions of Microsoft Windows since Windows 2000 [1].

There was considerable controversy [2] over Microsoft's usage. Basically, they took the Open Source tool, added "enhancements" that made their version incompatible with everyone else's, and tried to impose licensing conditions on their code that would have made it very difficult for anyone to write a compatible version. You could not even see the specification without signing a non-disclosure agreement.

References