MIT Launching Kerberos Consortium

alphadogg writes to tell us that next week MIT will be throwing a 20th birthday party for their Kerberos authentication system. In celebration of this milestone they will also be launching a new consortium dedicated to preserving and evolving this standard for years to come. "Kerberos, originally created for MIT's Project Athena, is used mainly by enterprises and MIT's goal is to see the IETF security standard develop into a universal system for single sign-on. [...] 'Kerberos has.... become successful beyond MIT's internal capacity to respond to the world's demands for development, testing and support. So we need a new organizational structure that can accommodate the demand.'"
  • Kerberos (Score:4, Insightful)

    by gravos ( 912628 ) on Monday September 17, 2007 @05:39PM (#20644311) Homepage
    For the first time, Kerberos will have an official home, supported by MIT and other Consortium members. This is a good thing no matter how you look at it.
    • Re:Kerberos (Score:4, Funny)

      by LiquidCoooled ( 634315 ) on Monday September 17, 2007 @05:41PM (#20644341) Homepage Journal
      It might now have a home, but it won't be able to enter it without someone to vouch for its identity.
      • And it better not arrive too early or too late if it wants to come in.
      • At least back in the 1990s, when the US government was pretending that its rules against publishing crypto were to keep Commies from getting it, you weren't allowed to export the full Kerberos system, but you could export "Bones" subsets that had the crypto routines removed, which was enough to duplicate the protocols once you ftp'd the DES code from Finland or whatever.

        The US seems to be a lot more flexible now about not harassing code websites, and John Gilmore and the EFF beat them up by building a machi

  • by Anonymous Crowbar ( 692255 ) on Monday September 17, 2007 @05:46PM (#20644397) Homepage
    With MS embedding their version of Kerberos into their OS's it's fairly certain they will try to influence the direction of this in their favor. Just something to watch out for.
    • by ackthpt ( 218170 ) * on Monday September 17, 2007 @05:51PM (#20644451) Homepage Journal

      With MS embedding their version of Kerberos into their OS's it's fairly certain they will try to influence the direction of this in their favor. Just something to watch out for.

      Didn't we just cover this aspect of MS embedding crap in the EU ruling? They can do it in the US, perhaps Asia, but the EU will be telling them to OPEN UP. So if I wanted to use my own authentication system in the OS I should be able to, not Microsoft's.

      Organisational Restructuring: "No, you want Bodkin, he shuffles orange and white papers, I now shuffle green and baby blue papers. Yellow and tan papers are down the hall to the left, shuffled by Morris."

      • by Anonymous Crowbar ( 692255 ) on Monday September 17, 2007 @06:09PM (#20644723) Homepage
        From the FAQ http://www.kerberos.org/about/FAQ.html [kerberos.org] Didn't you guys have some kind of big falling out with Microsoft around Kerberos? "We read about that, but MIT and Microsoft have a long history of working together on Kerberos. This history starts well before the release of Windows 2000. Since then, MIT and Microsoft have been working on standardizing some of the features such as realm referral that enhance the ease of configuration of the Active Directory product. To this day, MIT and Microsoft continue to work together on Kerberos standards. The most recent effort involves a joint proposal to protect Kerberos against weak passwords and provide enhanced user privacy. MIT and Microsoft have made a proposal and are working within the standards community to build consensus around this proposal." Not sure how easy it is to replace Kerberos in Microsoft OS, the fact is with all the companies I've worked with globally, all of them were just using Kerberos in AD since it was there. Sure, you can turn it off and replace it with another option but cost wise it doesn't make sense...and I would imagine in most cases there would not be a need to as well.
        • MIT: Whitewash much? (Score:4, Informative)

          by Kadin2048 ( 468275 ) * <slashdot@kadin.xoxy@net> on Tuesday September 18, 2007 @12:36AM (#20647957) Homepage Journal
          I wonder who wrote that tripe, the MS legal team? And I wonder how much they paid MIT for the privilege.

          Truth be told, there was a big falling out between MS and MIT over Kerberos. Microsoft, as they are wont to do, tried to take Kerberos and proprietize it. The MIT guys said "not so fast," and took them to court over it. On the eve of what most assumed would be a judgment not in their favor, Microsoft suddenly had an 11th-hour change of heart and revealed their changes (although with poison-pill licensing terms attached, at least initially).

          From an article [networkworld.com] published in 2000:

          Slammed in a court brief for the proprietary way it implements the Kerberos Web security standard in Windows 2000, Microsoft (MSFT) has moved to reassure customers and disarm critics by publishing the formerly secret details of its version of Kerberos - just one day before the brief was filed. ... "They don't want anyone competing against them," says Paul Hill, co-leader of the Kerberos team at MIT, where the security standard was developed. "It's typical Microsoft behavior." ... Microsoft's implementation of Kerberos seems a textbook example of [embrace, extend, extinguish]. ... The version of Kerberos in every Windows 2000 PC formally complies with the standard specification. It also takes advantage of an undefined field in the spec to store authorization data for Microsoft's operating system. (Emphasis mine)
          "Joint proposal" my ass. Microsoft got dragged into that kicking and screaming. They would have buried Kerberos long ago if they had gotten their way.

          As an eventual result of this, some of Microsoft's changes were written up as an (informational, non-standards-track) RFC [ietf.org], which takes pains to repeat, over and over, that Microsoft's implementation was compatible with the original. The monopolist doth protest too much, I think.
          • by KidSock ( 150684 )
            This is a highly twisted version of reality. The "undefined field" you mention is the authorization-data field in Kerberos tickets. That field is designed to contain application specific data such as groups and information about the user and that is precisely what MS used it for. No foul there. The structure they put in the authorization-data field is called the Privileged Attribute Certificate (PAC). The problem was that MS stated that the PAC was proprietary and that no one could implement it. I'm not sur
    • Re: (Score:2, Interesting)

      by EvanED ( 569694 )
      You do realize there's plenty of history you can look at for what they might do regarding kerberos, right? It's been there since Windows 2000.

      (Actually my OS prof last semester was one of the developers on the W2K kerberos stuff.)
  • Party! (Score:4, Funny)

    by brilinux ( 255400 ) on Monday September 17, 2007 @05:49PM (#20644425) Journal
    Maybe I will go... I can bring magic cookies!
  • by erroneus ( 253617 ) on Monday September 17, 2007 @05:53PM (#20644481) Homepage
    ...so why not me?

    Long ago, people were all upset when Microsoft did the ole embrace and extend thing with Kerberos. I haven't heard much about that for years. Has it been a problem for anyone? Will the Kerberos consortium take whatever Microsoft did into account so as not to break what other people have done to work with and around Microsoft?
    • by KidSock ( 150684 ) on Monday September 17, 2007 @06:26PM (#20644919)
      Long ago, people were all upset when Microsoft did the ole embrace and extend thing with Kerberos. I haven't heard much about that for years. Has it been a problem for anyone? Will the Kerberos consortium take whatever Microsoft did into account so as not to break what other people have done to work with and around Microsoft?

      MS and the MIT Kerberos crowd get along just fine. I believe the things MS did are generally thought of as good. Some are starting to make it into the Kerberos distros (e.g. I think Heimdal has support for constrained delegation). The PAC business was a little overblown. The Samba guys were able to figure out how to sign the PAC from the doc MS provided and with some careful network analysis. Of course the Samba guys are not happy overall. I don't know if they have a problem with their Kerberos code but other modes of communication and the semantics to go with are not adequately documented.
      • Re: (Score:3, Interesting)

        by mvdwege ( 243851 )

        The Samba guys were able to figure out how to sign the PAC from the doc MS provided

        You mean the doc that came as a self-extracting archive that presented an EULA that looked suspiciously like an NDA? A license that was eventually dropped after much screaming from the rest of the computing world in the direction of Seattle?

        Mart
        • by KidSock ( 150684 )
          You mean the doc that came as a self-extracting archive that presented an EULA that looked suspiciously like an NDA? A license that was eventually dropped after much screaming from the rest of the computing world in the direction of Seattle?

          No, I mean this:

          http://msdn2.microsoft.com/en-us/library/aa302203.aspx [microsoft.com]

          When it was first released they tried to claim no one could implement it. But that was knocked down to an un-naturally long copyright statement and a copyright statement only covers the
          • by mvdwege ( 243851 )

            The document you're talking about was the CIFS spec wrapped in a Windows help file.

            No, I am talking about the self-extracting CAB file mentioned in this [slashdot.org] discussion. The spec you link to may be the same document, but it is undeniable that Microsoft did try to publish it under an EULA that essentially forbade using any of that information to implement the PAC for yourself.

            Mart

          • I find your flippant attitude towards deplorable business conduct aimed at preventing competition appalling. You really need to spend some time observing the efforts of FOSS projects to provide an open and level playing field, then contrast what you learn with Microsoft's persistent efforts to stifle all competition. While you are at it, stop rewriting history to make it sound as if there never was a conflict.

            You seem to be in denial, like a woman who refuses to believe her husband is a mobster. It is time
    • Long ago, people were all upset when Microsoft did the ole embrace and extend thing with Kerberos. I haven't heard much about that for years. Has it been a problem for anyone?

      After so much screaming, Microsoft backed down and made their changes available and open.
  • I don't know much about kerberos, but I do know that it has always been used in the national lab where I worked the last few years (Sandia Natl Labs). So apparently the government trusts it (not sure if that counts for anything)...
    • by ackthpt ( 218170 ) *

      I don't know much about kerberos, but I do know that it has always been used in the national lab where I worked the last few years (Sandia Natl Labs). So apparently the government trusts it (not sure if that counts for anything)...

      Software they trust, it's people [wikipedia.org] ...

    • MS Active Directory uses it, so it is everyflippenwhere - hundreds of millions of machines use it.
  • by Zombie Ryushu ( 803103 ) on Monday September 17, 2007 @07:16PM (#20645513)
    As I have demonstrated from some of my previous posts, Kerberos is indispensable in the network administration infrastructure in the Linux world, it connects to SSH, Samba, Apache, and god knows what else. It's something no Linux Admin should be without knowledge of. The MIT Kerberos implementation has been behind for years because of their refusal to implement LDAP support until now. I'm just glad Kerberos finally gets a standard LDAP Connector. I'm sick of having to maintain one database for Kerberos and LDAP for everything else.

    Still, Kerberos rocks my world. I couldn't do without it.
    • Re: (Score:3, Funny)

      by Just Some Guy ( 3352 )

      As I have demonstrated from some of my previous posts

      Do math teachers learn that phrase in math teacher school, or is it that people who say things like that grow up to be math teachers?

      • by sharkey ( 16670 )

        Do math teachers learn that phrase in math teacher school, or is it that people who say things like that grow up to be math teachers?

        QED

  • The Kerberos Konsortium?
  • I still don't fully grasp this - perhaps someone can explain.

    What does Kerberos+LDAP give you that LDAP on its own doesn't? My reading is that with kerberos-capable client software, once the user's entered their password once for one thing they don't have to for everything else - at least until their token expires - but ICBW.
    • Re: (Score:3, Insightful)

      by Nurgled ( 63197 )

      LDAP is just a directory protocol. Kerberos is a network-wide authentication protocol. I'm a little rusty on Kerberos myself, but I believe the following summary to be a reasonable description of what Kerberos does:

      Kerberos is basically an infrastructure which applies cryptography to the problems of intra-domain and inter-domain authentication. It is based around the concept of "tickets", which are cryptographic tokens that can be presented to services in order to authenticate. Each ticket is applicable on

      • by jimicus ( 737525 )
        I will confess that I don't know precisely how these two things operate, but I'm sure you can find out more via Google if you're interested.

        I am, but the difficulty I've been facing is getting an idiot's introduction to it. Most seem to assume you already know all about how it works.

        The other thing I notice is that it alleviates the problem of passwords or hashes of passwords flying around the network in the clear. But I'd imagine that's a bit less of an issue if everything runs over SSL.
        • by Goatbag ( 451902 )
          I am, but the difficulty I've been facing is getting an idiot's introduction to it. Not an idiot's introduction, but one that doesn't assume prior knowledge [mit.edu]. A little outdated, but that's the basic idea.
        • In one sense, Kerberos was a way of doing secure communication & authentication before PKI-based schemes like SSL became popular. It only used symmetric encryption, so required the central ticket granting service. Newer standards are incorporating asymmetric encryption to make the protocol even stronger against attack....

          Kerberos is a bit rough to understand at first. The documentation exists out there (Microsoft has some of the better stuff), but it can be pretty detailed if you're not comforta
      • C:\>klist tickets
        'klist' is not recognized as an internal or external command,
        operable program or batch file.
        C:\>
        • by Nurgled ( 63197 )

          It would appear that klist.exe actually comes from the Windows Network Resource Kit rather than being in Windows itself. Sorry.

    • by amsr ( 125191 )
      What does Kerberos+LDAP give you that LDAP on its own doesn't?

      Security. LDAP by itself stores passwords in the user record in the directory. Kerberos abstracts the authentication mechanism out of the directory in a much more secure fashion. Passwords are never sent over the network.
      • Kerberos abstracts the authentication mechanism out of the directory in a much more secure fashion.

        This is true in general, too. Rather than coming up with some convoluted auth scheme on your own, you can just standardize on Kerberos for your application and trust that other people who know a lot more about this than I ever will have gotten it right.

        In one sense, it's a single point of failure. In other, it means that you only have to get it right one time and everything else can take advantage of it.
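The ticket flow Nurgled and amsr describe above (a central KDC, tickets sealed with the service's own key, the password never crossing the network, clocks that must agree), as an added toy model that is not code from this thread or from MIT Kerberos. It assumes a constructed HMAC-keystream cipher in place of a real Kerberos encryption type, and the realm, principal names and password in it are made up.

```python
import hashlib, hmac, json, os, time

SKEW = 300  # seconds of clock skew a verifier tolerates; why "your timepiece must match"

def _ks(key, nonce, n):  # keystream for the toy cipher below (constructed for this demo)
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))

def seal(key, obj):  # toy authenticated encryption: stand-in for a Kerberos enctype, not real crypto
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):  # fails closed: wrong key or tampering raises instead of returning garbage
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def user_key(realm, name, password):  # string-to-key: client and KDC derive it; the password itself never travels
    return hashlib.pbkdf2_hmac("sha256", password.encode(), f"{name}@{realm}".encode(), 10000)

def check_authenticator(session, ticket, authenticator, now):  # what a service (and the TGS) verifies
    auth = unseal(session, authenticator)  # only the ticket holder knows the session key
    if auth["client"] != ticket["client"] or abs(now - auth["ts"]) > SKEW or now > ticket["expires"]:
        raise ValueError("authenticator rejected: name mismatch, stale timestamp or expired ticket")
    return ticket["client"]

class KDC:  # holds every principal's long-term key; "krbtgt" is the ticket-granting service itself
    def __init__(self, realm):
        self.realm, self.keys = realm, {"krbtgt": os.urandom(32)}
    def add(self, name, key):  # users: key from user_key(); services: a random key, i.e. their keytab entry
        self.keys[name] = key
        return key
    def _issue(self, client, service, reply_key):  # ticket sealed for the service, reply sealed for the requester
        session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": client, "session": session, "expires": time.time() + 3600})
        return seal(reply_key, {"session": session, "ticket": ticket.hex()})
    def as_exchange(self, client):  # AS-REQ/AS-REP: only whoever knows the password can open the reply
        return self._issue(client, "krbtgt", self.keys[client])
    def tgs_exchange(self, tgt_hex, authenticator, service):  # TGS-REQ/TGS-REP: TGT + authenticator -> service ticket
        tgt = unseal(self.keys["krbtgt"], bytes.fromhex(tgt_hex))
        check_authenticator(bytes.fromhex(tgt["session"]), tgt, authenticator, time.time())
        return self._issue(tgt["client"], service, bytes.fromhex(tgt["session"]))

def login_and_access(kdc, client, password, service, service_key, skew=0):
    # Client side: AS exchange, then TGS exchange, then AP exchange; returns the principal the service accepted
    as_rep = unseal(user_key(kdc.realm, client, password), kdc.as_exchange(client))  # wrong password fails here
    tgt_session = bytes.fromhex(as_rep["session"])
    authr = seal(tgt_session, {"client": client, "ts": time.time() + skew})  # skew simulates a drifted clock
    tgs_rep = unseal(tgt_session, kdc.tgs_exchange(as_rep["ticket"], authr, service))
    svc_session = bytes.fromhex(tgs_rep["session"])
    ap_authr = seal(svc_session, {"client": client, "ts": time.time() + skew})
    ticket = unseal(service_key, bytes.fromhex(tgs_rep["ticket"]))  # service side: open ticket with its own key
    return check_authenticator(bytes.fromhex(ticket["session"]), ticket, ap_authr, time.time())
```

Note what never appears in any message: the password, only things sealed under keys derived from it or under keys the KDC already holds; a wrong password, a drifted clock or a ticket presented to the wrong service all fail at the verifier rather than leaking anything.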

  • I thought they were a widget set. Or do they name anything Athena that comes out of MIT, thinking it's nice and Greek an' all?
    • Any Project Athena historians around?

      Athena involved setting up a network of workstations so that you could log onto any one of them and have access to your home directory, mail, etc. as if they were local to that machine.

      This doesn't sound like a big deal until you find out that it started in 1983. Kerberos and X are children of Project Athena.

      Wikipedia is your friend: Project Athena [wikipedia.org]

      • by krog ( 25663 )
        Project Athena's goal was, roughly speaking, to allow any user to walk up to any machine and log in, and be greeted with their files, apps, customizations, etc. This involved the creation of a windowing system which supported network operation (X Window System), centralized authentication service (Kerberos), centralized directory service (Hesiod), and also the integration of a networked file system (first NFS, then AFS).

        This is a simplification and Athena has grown up quite a bit in the two dozen or so yea
  • ...but only if your timepiece matches theirs.
  • IMHO the future direction taken with Kerberos [wikipedia.org] should be merging the protocol into LDAP [wikipedia.org] (e.g. for the future LDAPv4 revision of LDAP protocol).

    Here's my rationale behind this: The problem with Kerberos being a distinct protocol from LDAP is that the distinction causes lots of confusion among the implementors, system architects, developers and administrators. This results in lots of cases where the two protocols are misused.

    The correct distinction should be that you use Kerberos for authentication (that

    • I'd agree with the above: LDAP/GSSAPI/SASL is a challenge to set up correctly and administer using FOSS components. I had a test system similar to the above at my work site, but it looks like it's going to be a non-flier now that the bosses have seen what Active Directory has to offer specifically in terms of account-management and replication. This is a shame because it means that control over authentication to unix platforms will now be placed in the hands of the AD admins.
