MIT Launching Kerberos Consortium

alphadogg writes to tell us that next week MIT will be throwing a 20th birthday party for their Kerberos authentication system. In celebration of this milestone they will also be launching a new consortium dedicated to preserving and evolving this standard for years to come. "Kerberos, originally created for MIT's Project Athena, is used mainly by enterprises and MIT's goal is to see the IETF security standard develop into a universal system for single sign-on. [...] 'Kerberos has.... become successful beyond MIT's internal capacity to respond to the world's demands for development, testing and support. So we need a new organizational structure that can accommodate the demand.'"

Kerberos

[gravos]

For the first time, Kerberos will have an official home, supported by MIT and other Consortium members. This is a good thing no matter how you look at it.

Re:Kerberos

[LiquidCoooled]

It might now have a home, but it won't be able to enter it without someone to vouch for its identity.

Re:

[Anonymous Crowbar]

And it better not arrive too early or too late if it want's to come in.

US Export Laws and Kerberos

[billstewart]

At least back in the 1990s, when the US government was pretending that its rules against publishing crypto were to keep Commies from getting it, you weren't allowed to export the full Kerberos system, but you could export "Bones" subsets that had the crypto routines removed, which was enough to duplicate the protocols once you ftp's the DES code from Finland or whatever.

The US seems to be a lot more flexible now about not harassing code websites, and John Gilmore and the EFF beat them up by building a machi

And how wil MS influence this?

[Anonymous Crowbar]

With MS embedding thier version of Kerberos into their OS's it's fairly certain they will try to influence the direction of this in thier favor. Just something to watch out for.

Re:And how wil MS influence this?

[ackthpt]

With MS embedding thier version of Kerberos into their OS's it's fairly certain they will try to influence the direction of this in thier favor. Just something to watch out for.

Didn't we just cover this aspect of MS embedding crap in the EU ruling? They can do it in the US, perhaps Asia, but the EU will be telling them to OPEN UP. So if I wanted to use my own authentication system in the OS I should be able to, not Microsoft's.

Oranisational Restructuring: "No, you want Bodkin, he shuffles orange and white papers, I now shuffle green and baby blue papers. Yellow and tan papers are down the hall to the left, shuffled by Morris."

Re:And how wil MS influence this?

[Anonymous Crowbar]

From the FAQ http://www.kerberos.org/about/FAQ.html [kerberos.org] Didn't you guys have some kind of big falling out with Microsoft around Kerberos? "We read about that, but MIT and Microsoft have a long history of working together on Kerberos. This history starts well before the release of Windows 2000. Since then, MIT and Microsoft have been working on standardizing some of the features such as realm referral that enhance the ease of configuration of the Active Directory product. To this day, MIT and Microsoft continue to work together on Kerberos standards. The most recent effort involves a joint proposal to protect Kerberos against weak passwords and provide enhanced user privacy. MIT and Microsoft have made a proposal and are working within the standards community to build consensus around this proposal." Not sure how easy it is to replace Kerberos in Microsoft OS, the fact is with all the companies I've worked with globally, all of them were just using Kerberos in AD since it was there. Sure, you can turn it off and replace it with another option but cost wise it doesn't make sense...and I would imagine in most cases there would not be a need to as well.

MIT: Whitewash much?

[Kadin2048]

I wonder who wrote that tripe, the MS legal team? And I wonder how much they paid MIT for the privilege.

Truth be told, there was a big falling out between MS and MIT over Kerberos. Microsoft, as they are wont to do, tried to take Kerberos and proprietize it. The MIT guys said "not so fast," and took them to court over it. On the eve of what most assumed would be a judgment not in their favor, Microsoft suddenly had an 11th-hour change of heart and revealed their changes (although with poison-pill licensing terms attached, at least initially).

From an article [networkworld.com] published in 2000:

Slammed in a court brief for the proprietary way it implements the Kerberos Web security standard in Windows 2000, Microsoft (MSFT) has moved to reassure customers and disarm critics by publishing the formerly secret details of its version of Kerberos - just one day before the brief was filed. ... "They don't want anyone competing against them," says Paul Hill, co-leader of the Kerberos team at MIT, where the security standard was developed. "It's typical Microsoft behavior." ... Microsoft's implementation of Kerberos seems a textbook example of [embrace, extend, extinguish]. ... The version of Kerberos in every Windows 2000 PC formally complies with the standard specification. It also takes advantage of an undefined field in the spec to store authorization data for Microsoft's operating system. (Emphasis mine)

"Joint proposal" my ass. Microsoft got dragged into that kicking and screaming. They would have buried Kerberos long ago if they had gotten their way.

As an eventual result of this, some of Microsoft's changes were written up as an (informational, non-standards-track) RFC [ietf.org], which takes pains to repeat, over and over, that Microsoft's implementation was compatible with the original. The monopolist doth protest too much, I think.

Re:

[KidSock]

This is a highly twisted version of reality. The "undefined field" you mention is the authorization-data field in Kerberos tickets. That field is designed to contain application specific data such as groups and information about the user and that is precisely what MS used it for. No foul there. The structure they put in the authorization-data field is called the Privileged Attribute Certificate (PAC). The problem was that MS stated that the PAC was proprietary and that no one could implement it. I'm not sur

Re:

[EvanED]

You do realize there's plenty of history you can look at for what they might do regarding kerberos, right? It's been there since Windows 2000.

(Actually my OS prof last semester was one of the developers on the W2K kerberos stuff.)

Party!

[brilinux]

Maybe I will go... I can bring magic cookies!

Re:

[mrogers]

They won't let you in without a ticket. :-/

Someone has to ask it...

[erroneus]

...so why not me?

Long ago, people were all upset when Microsoft did the ole embrace and extend thing with Kerberos. I haven't heard much about that for years. Has it been a problem for anyone? Will the Kerberos consortium take whatever Microsoft did into account so as not to break what other people have done to work with and around Microsoft?

Re:Someone has to ask it...

[KidSock]

Long ago, people were all upset when Microsoft did the ole embrace and extend thing with Kerberos. I haven't heard much about that for years. Has it been a problem for anyone? Will the Kerberos consortium take whatever Microsoft did into account so as not to break what other people have done to work with and around Microsoft?

MS and the MIT Kerberos crowd get along just fine. I believe the things MS did are generally thought of as good. Some are starting to make it into the Kerberos distros (e.g. I think Heimdal has support for constrained delegation). The PAC business was a little overblown. The Samba guys were able to figure out how to sign the PAC from the doc MS provided and with some carefull network analysis. Of course the Samba guys are not happy overall. I don't know if they have a problem with their Kerberos code but other modes of communication and the semantics to go with are not adequately documented.

Re:

[mvdwege]

The Samba guys were able to figure out how to sign the PAC from the doc MS provided

You mean the doc that came as a self-extracting archive that presented an EULA that looked suspiciously like an NDA? A license that was eventually dropped after much screaming from the rest of the computing world in the direction of Seattle?

Mart

Re:

[KidSock]

You mean the doc that came as a self-extracting archive that presented an EULA that looked suspiciously like an NDA? A license that was eventually dropped after much screaming from the rest of the computing world in the direction of Seattle?

No, I mean this:

http://msdn2.microsoft.com/en-us/library/aa302203.aspx [microsoft.com]

When it was first released they tried to claim no one could implement it. But that was knocked down to an un-naturally long copyright statement and a copyright statement only covers the

Re:

[mvdwege]

The document you're talking about was the CIFS spec wrapped in a Windows help file.

No, I am talking about the self-extracting CAB file mentioned in this [slashdot.org] discussion. The spec you link to may be the same document, but it is undeniable that Microsoft did try to publish it under an EULA that essentially forbade using any of that information to implement the PAC for yourself.

Mart

Re:

[dunng808]

I find your flippant attitude towards deplorable business conduct aimed at preventing competition appalling. You really need to spend some time observing the efforts of FOSS projects to provide an open and level playing field, then contrast what you learn with Microsoft's persistent efforts to stifle all competition. While you are at it, stop rewriting history to make it sound as if there never was a conflict.

You seem to be in denial, like a woman who refuses to believe her husband is a mobster. It is time

Re:

[evilviper]

Long ago, people were all upset when Microsoft did the ole embrace and extend thing with Kerberos. I haven't heard much about that for years. Has it been a problem for anyone?

After so much screaming, Microsoft backed down and made their changes available and open.

Used in national labs

[InvisblePinkUnicorn]

I don't know much about kerberos, but I do know that it has always been used in the national lab where I worked the last few years (Sandia Natl Labs). So apparently the government trusts it (not sure if that counts for anything)...

Re:

[ackthpt]

I don't know much about kerberos, but I do know that it has always been used in the national lab where I worked the last few years (Sandia Natl Labs). So apparently the government trusts it (not sure if that counts for anything)...

Software they trust, it's people [wikipedia.org] ...

Re:

[flyingfsck]

MS Active Directory uses it, so it is everyflippenwhere - hundreds of millions of machines use it.

Re:Laughably outdated

[KidSock]

My from-the-hip guess is that MIT has realized that they're a)dependent on Kerberos and b)nobody else uses it, so they need to generate some noise, make some unfounded claims, and hope to get some other people onboard. "Used in the enterprise"? Bull...

FYI: Kerberos is the standard authentication protocol used on just about every enterprise network on the planet. All Windows clients that are members of an Active Directory domain use Kerberos to authenticate with fileservers, web services, LDAP servers and just about anything else that has domain credentials. That's probably 80% of Enterprise users alone. And the rest are probably using NFS which is rapidly moving to Kerberos authn' for everything.

NFS v4 uses Kerberos

[ShaggyZet]

Here is Linux's NFS v4 architecture. Other implementation's use kerberos too. Kerberos is one of the major improvements to NFS v4.

http://developer.osdl.org/dev/nfsv4/site/architecture/ [osdl.org]

Re: NFS v4 uses Kerberos

[Dolda2000]

Here is Linux's NFS v4 architecture. Other implementation's use kerberos too. Kerberos is one of the major improvements to NFS v4.

In all honesty, though, Kerberos isn't precisely new to NFSv4, it's just that support for it has been mandated by NFSv4. Kerberos authentication is supported at the RPC layer, which is the same regardless if being used for NFSv4, v3, v2 or even portmapper, NIS or SGI FAM, if you will. AFAIK, Linux's NFSv2/3 implementation supports Kerberos authentication as well, ever since the support was added to support NFSv4. I shan't bet on it, but I think Solaris has supported Kerberos authentication for earlier NFS

Re:

[Anonymous Coward]

Yeah, dumbass. Kerberos is implemented in NFSv4, and it's the only robust way to secure NFS. You, sir, are a clueless slashtard.

Re:

[cpuh0g]

You are indeed a slashtard. Kerberos is a mandatory-to-implement feature in the NFSv4 spec and has been part of NFSv3 (optional feature) for many years. Kerberos is hardly outdated. You are a clueless, naive waife who has no real idea what is going on in the world of computer security if you think it is outdated and dying.

Re:

[19thNervousBreakdown]

Better authentication mechanisms? Like what?

Re:

[dkf]

Kerberos was nice when it came out, but there are better authentication mechanisms available out there.

Only in the specific case where you're going across domains in some way, and then only because serious security people (quite reasonably) get antsy about trusting each other Kerberos domain controllers deeply. But within a domain, Kerberos works nicely. (IIRC, it can work in harmony with SSH; if that was the "better authentication mechanism" then shame on you!)

Mind you, I don't use the Kerberized stuff at work that much, mostly because I prefer to keep everything I need local on a laptop so I can continue

Re:Laughably outdated

[secPM_MS]

I would not call Kerberos outdated. Kerberos is based upon the Needham-Schroeder (NS) secret key approach and provides a rather comparable functionality to public key approaches. NS needs key distribution servers and the associated ticket granting servers, but these are in a security sense equivalent to the CA's and RA's of the PKI world.You can build authentication architectures upon either. The NS approach is computationally more efficient than the RSA math typically used by PKI.

Kerberos is used extensively within Microsoft enterprise scenarios and is used in other non-Microsoft environments as well.

Both Kerberos and PKI present management difficulties as you try to expand across large numbers of domains / forests with diverse security policies.

If quantum computing ever truly breaks classic PKI approaches, the alternatives will be to develop PKI approaches that are more resistant to quantum attacks (problems are known that are believed to be resistant) and/or to use NS / Kerberos with doubled key length (quantum search attacks roughly square root the effective key size).

Just not true

[ShaggyZet]

Kerberos and SSH are not comparable technologies. If you must make a comparison, compare it to SSH's key mechanisms (host based, user key pairs, agents). In those cases there are pros and cons to be debated.

Kerberos's authentication isn't tied to a specific service and the same token can be used across a many daemons. In fact, SSH is one of the daemons supports Kerberos authentication (ie, is kerberized).

Kerberos can be a pain to setup, but once you take the time to understand how it works it's actually pre

Re:

[flyingfsck]

Nope, you are confusing authentication with stream encryption. One can even configure SSH to use Kerberos authentication!

Kerberos Rocks my world!

[Zombie Ryushu]

As I have demonstrated from some of my previous posts, Kerberos is indispensable in the network administration infrastructure in the Linux world, it connects to SSH, Samba, Apache, and god knows what else. Its something no Linux Admin should be without knowledge of. The MIT Kerberos implementation has been behind for years because of their refusal to implement LDAP support until now. I'm just glad Kerberos finally gets a standard LDAP Connector. I'm sick of having to maintain one database for Kerberos and LDAP for everything else.

Still, Kerberos rocks my world. I couldn't do without it.

Re:

[Just Some Guy]

As I have demonstrated from some of my previous posts

Do math teachers learn that phrase in math teacher school, is it that people who say things like that grow up to be math teachers?

Re:

[sharkey]

Do math teachers learn that phrase in math teacher school, is it that people who say things like that grow up to be math teachers?

QED

Re:

[Ajehals]

There is something beautiful about centralised, secure and redundant authentication, especially with SSO. So yeah, I totally agree.

Re:

[TeknoHog]

"The Kerberos Consortium" makes it sound a lot cooler than it actually is.

"The Kerberos Konsortium" would be even kooler.

Shouldn't that be...

[Graywolf]

The Kerberos Konsortium?

Can someone answer this?

[jimicus]

I still don't fully grasp this - perhaps someone can explain.

What does Kerberos+LDAP give you that LDAP on its own doesn't? My reading is that with kerberos-capable client software, once the user's entered their password once for one thing they don't have to for everything else - at least until their token expires - but ICBW.

Re:

[Nurgled]

LDAP is just a directory protocol. Kerberos is a network-wide authentication protocol. I'm a little rusty on Kerberos myself, but I believe the following summary to be a reasonable description of what Kerberos does:

Kerberos is basically an infrastructure which applies cryptography to the problems of intra-domain and inter-domain authentication. It is based around the concept of "tickets", which are cryptographic tokens that can be presented to services in order to authenticate. Each ticket is applicable on

Re:

[jimicus]

I will confess that I don't know precisely how these two things operate, but I'm sure you can find out more via Google if you're interested.

I am, but the difficulty I've been facing is getting an idiot's introduction to it. Most seem to assume you already know all about how it works.

The other thing I notice is that it alleviates the problem of passwords or hashes of passwords flying around the network in the clear. But I'd imagine that's a bit less of an issue if everything runs over SSL.

Re:

[Goatbag]

I am, but the difficulty I've been facing is getting an idiot's introduction to it. Not an idiot's introduction, but one that doesn't assume prior knowledge [mit.edu]. A little outdated, but that's the basic idea.

Re:

[Stu Charlton]

In one sense, Kerberos was a way of doing secure communication & authentication before PKI-based schemes like SSL became popular. It only used symmetric encryption, so required the central ticket granting service. Newer standards are incorporating assymmetric encryption to make the protocol even stronger against attack....

Kerberos is a bit rough to understand at first. The documentation exists out there (Microsoft has some of the better stuff), but it can be pretty detailed if you're not comforta

Re:

[pedestrian crossing]

C:\>klist tickets
'klist' is not recognized as an internal or external command,
operable program or batch file.
C:\>

Re:

[Nurgled]

It would appear that klist.exe actually comes from the Windows Network Resource Kit rather than being in Windows itself. Sorry.

Re:

[amsr]

What does Kerberos+LDAP give you that LDAP on its own doesn't?

Security. LDAP by itself stores passwords in the user record in the directory. Kerberos abstracts the authentication mechanism out of the directory in a much more secure fashion. Passwords are never sent over the network.

Re:

[Just Some Guy]

Kerberos abstracts the authentication mechanism out of the directory in a much more secure fashion.

This is true in general, too. Rather than coming up with some convoluted auth scheme on your own, you can just standardize on Kerberos for your application and trust that other people who know a lot more about this than I ever will have gotten it right.

In one sense, it's a single point of failure. In other, it means that you only have to get it right one time and everything else can take advantage of it.

Athena ?

[bytesex]

I thought they were a widget set. Or do they name anything Athena that comes out of MIT, thinking it's nice and Greek an' all ?

Project Athena

[Crispy Critters]

Any Project Athena historians around?

Athena involved setting up a network of workstations so that you could log onto any one of them and have access to your home directory, mail, etc. as if they were local to that machine.

This doesn't sound like a big deal until you find out that it started in 1983. Kerberos and X are children of Project Athena.

Wikipedia is your friend: Project Athena [wikipedia.org]

Re:

[krog]

Project Athena's goal was, roughly speaking, to allow any user to walk up to any machine and log in, and be greeted with their files, apps, customizations, etc. This involved the creation of a windowing system which supported network operation (X Window System), centralized authentication service (Kerberos), centralized directory service (Hesiod), and also the integration of a networked file system (first NFS, then AFS).

This is a simplification and Athena has grown up quite a bit in the two dozen or so yea

Re:

[bytesex]

A bit like Sun-rays then. Thanks for the info.

You can get tickets to the party....

[capmblade]

...but only if your timepiece matches theirs.

Kerberos needs some merging with LDAP

[the_olo]

IMHO the future direction taken with Kerberos [wikipedia.org] should be merging the protocol into LDAP [wikipedia.org] (e.g. for the future LDAPv4 revision of LDAP protocol).

Here's my rationale behind this: The problem with Kerberos being a distinct protocol from LDAP is that the distinction causes lots of confusion among the implementors, system architects, developers and administrators. This results in lots of cases where the two protocols are misused.

The correct distinction should be that you use Kerberos for authentication (that

Re:

[DecayingInsect]

I'd agree with the above: LDAP/GSSAPI/SASL is a challenge to set up correctly and administer using FOSS components. I had a test system similar to the above at my work site, but it looks like it's going to be a non-flier now that the bosses have seen what Active Directory has to offer specifically in terms of account-management and replication. This is a shame because it means that control over authentication to unix platforms will now be placed in the hands of the AD admins.