7.1 What Does Kerberos Support Mean?

There are essentially two "types" of Kerberos support that a client/server application can implement. The first, and unfortunately, most common is for the client to send the server the user's Kerberos password in plain text. The server then acquires a TGT on the user's behalf (and hopefully verifies that the TGT is valid by also acquiring a service ticket for itself—see the description of the man-in-the-middle attack in Chapter 6 for details on why this is important). This method has a distinct advantage: most protocols that require authentication only support simple, plain text username and password authentication. Even if the protocol is extensible enough to support stronger authentication methods, these stronger authentication methods are usually not widely supported by the variety of clients in use. This method, of course, has the disadvantage of sending the user's credentials in plain text over the network. Since Kerberos is designed as a single-sign-on solution, exposure of a user's credentials in this way is even more dangerous since the same username and password is accepted for authentication by other Kerberos-enabled services. Finally, this method does not allow for a true single-sign-on solution; instead, it provides users with a single login and password that they have to enter multiple times.

The other method of supporting Kerberos authentication is what I'll call "native" Kerberos authentication support. Native Kerberos authentication support provides a true single-sign-on capability, in which users can login once to their local workstation, and acquire service tickets for Kerberos-enabled servers throughout the day. This requires special support on both the client and server so that the Kerberos tickets are communicated in a secure manner. This method provides for a superior user experience: the user only has to enter her credentials once per login session. Further authentication to Kerberos-enabled services is handled transparently, without user intervention. However, native Kerberos support in client applications is still not widespread, and may require users to change to a client application does support Kerberos.

Our primary focus in this chapter is to enable native Kerberos support for popular applications. However, there are still some protocols where support for native Kerberos authentication is not currently possible or is not widely available. We will discuss how to use the Kerberos 5 PAM modules to add Kerberos 5 password verification support to those protocols.