
1.5 Other Products

Many other products have been developed that either directly implement the Kerberos protocols or borrow concepts from Kerberos to implement similar authentication systems. We'll take a brief look at these alternative systems, and discuss the relationship between these systems and Kerberos.

1.5.1 DCE

The Distributed Computing Environment, or DCE, is a set of libraries and services that enable organizations to build cross-platform, integrated computing environments. It includes components that enable applications to communicate across a diverse set of platforms and securely locate and access information, whether it's in the same room on a local network or across the globe over the Internet. DCE provides many services to make this possible, including directory services, remote procedure calls, and time-synchronization. Most notable to our discussion, it provides a security service, which just happens to be based on Kerberos 5.

Work on DCE began in 1989, and it was developed by a committee of vendors, each of which submitted various bits and pieces. The work was coordinated by The Open Group, an organization that is most widely known for the Motif widget set. Unfortunately, while the concepts that underlie DCE were revolutionary and ahead of their time, DCE was difficult to install and administer, and early versions were riddled with bugs. Today, DCE itself is not in wide use, but the concepts behind it have been integrated into most modern operating systems, including Windows 2000 and above.

In 1997, The Open Group released the source code to the latest version of DCE, 1.2.2, to download for free from their web site. More information on DCE, including information on how to download Free DCE, can be found at http://www.opengroup.org/dce/.

1.5.2 Globus Security Infrastructure

The Globus Security Infrastructure is part of a larger project, the Globus Toolkit. The goal of the Globus Toolkit is to develop services that enable grid computing, also known as High Performance Computing (HPC) or compute clusters. Globus includes services to locate people and resources on the network, as well as submit and control compute jobs running on machines in the network. In order to perform its tasks securely, however, it needed a secure authentication and privacy mechanism. The Globus Security Infrastructure, or GSI, is the Globus Toolkit's implementation of a secure authentication system.

While the GSI operates under different principles than Kerberos, most notably through its use of public key encryption and infrastructure, it provides the same single-sign-on user experience that Kerberos does. In addition, the developers of Globus recognized the need for interoperability with existing Kerberos installations, so the Globus team has developed several tools that allow interoperability between Kerberos tickets and Globus certificates.

More information is available about the Globus Toolkit at http://www.globus.org/.

1.5.3 SESAME

The Secure European System for Applications in a Multivendor Environment, or SESAME, is a research and development project funded by the European Commission. SESAME implements a single-sign-on protocol that is similar to and compatible with Kerberos, but includes some enhancements. Most notably, SESAME includes the concept of limited delegation—that is, the ability to delegate only some privileges to another machine or user. This allows users to exercise fine-grained control over how their credentials are used by servers. For example, an end user can delegate her credentials to a mail server, but limit the mail server from using her credentials to delete her files.

Unfortunately, there is little information available on SESAME, and the installed user base is small, mostly consisting of developers using the system for further research. The software has few sample applications, and the ones that are available are difficult to compile because hardcoded values in the source code must be changed before they will build. Information about SESAME can be found at its home page at https://www.cosic.esat.kuleuven.ac.be/sesame/.
