
Re: looking for a good source to start learning about kerberos



Quoting Haim Ashkenazi (haim@consonet.com):

> After reading the responses for my email about NIS security, I was
> convinced that it's time to learn about ldap w/kerberos. In the
> ldap-howto's I've read there were references to kerberos by MIT and
> Heimdal. Looking in my aptitude list I saw a lot of packages with
> different versions of kerberos and I've got a little confused. I was
> wondering what would be a good place to start with kerberos (keeping
> in mind that my main interest is to combine it with ldap)?

My information on this subject is a little out of date, and I was never
all that well informed on it, but I'll give it a try, anyway.

Researchers at the Swedish Royal Institute of Technology (KTH = Kungliga
Tekniska Högskola) worked from freely available information about
Kerberos, such as had reached the international community from MIT's
Project Athena, before pressure from US spook agencies caused a
clampdown on "export" of information about strong cryptography.  So, KTH
Kerberos, aka Heimdal, was an implementation of the 1987 Kerberos v4
spec, which used DES encryption.  (The earlier three versions were
development-only.)

Meanwhile, MIT researchers were proceeding through 1990-91 in creating
the Kerberos v5 spec and reference implementation, i.e., MIT Kerberos,
introducing 3DES and other newer types of authentication.  Until late in
the 1990s, this code and knowledge of it in theory could not be legally
"exported" from the USA, despite it being publicly documented in RFC
1510 and 1509.  

Of late, the KTH people have managed, either thanks to the relative
lifting of "export" paranoia, or entirely on their own efforts, to
implement Kerberos v5[1], as well.  How do they now compare, and how
interoperable are they?  Beats me.  Maybe someone else will comment.

[1] Which is a damned good thing, since researchers found a protocol
flaw in Kerberos v4 authentication, making possible successful
dictionary attacks:  S. M. Bellovin and M. Merritt, "Limitations of the
Kerberos Authentication System", Proceedings of the 1991 USENIX
Conference, Dallas, TX 1991.

-- 
Cheers,               A host is a host, from coast to coast.
Rick Moen             And nobody talks to a host that's close,
rick@linuxmafia.com   Unless the host that isn't close is busy, hung, or dead.
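
The footnote above mentions the protocol flaw Bellovin and Merritt found in Kerberos v4, which made offline dictionary attacks possible. The following is an added example, not part of the original post or of any Kerberos implementation: a toy model of the Kerberos AS exchange that contrasts a v4-style KDC, which hands an encrypted reply to anyone who merely names a principal, with a v5-style KDC that requires pre-authentication (an encrypted timestamp, as in RFC 1510's PA-ENC-TIMESTAMP) before replying. The realm, principal names, passwords and word list are constructed sample data, and the "cipher" is a stand-in HMAC-based stream cipher with a MAC, not DES or any real Kerberos encryption type, so only the protocol shape is faithful.

```python
"""Toy Kerberos AS exchange, with and without pre-authentication (added example).

Assumptions: a stand-in encrypt-then-MAC scheme replaces DES/Kerberos
encryption types; tickets are opaque strings; all names are constructed.
"""
import hashlib
import hmac
import json
import os
import time


def derive_key(password: str, realm: str) -> bytes:
    """Stand-in for Kerberos string-to-key: salted hash of the password."""
    return hashlib.sha256((realm + password).encode()).digest()


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with a random nonce; a wrong key fails the MAC check."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes):
    """Return the plaintext, or None when the MAC does not verify under this key."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class ToyKDC:
    """Minimal AS server: v4-style (no pre-auth) or v5-style (pre-auth required)."""

    def __init__(self, realm: str, principals: dict, require_preauth: bool):
        self.realm = realm
        self.keys = {p: derive_key(pw, realm) for p, pw in principals.items()}
        self.require_preauth = require_preauth

    def as_exchange(self, principal: str, preauth: bytes = None):
        """Return (status, reply); reply is encrypted under the user's key or None."""
        key = self.keys.get(principal)
        if key is None:
            return "KDC_ERR_C_PRINCIPAL_UNKNOWN", None
        if self.require_preauth:
            if preauth is None:
                return "KDC_ERR_PREAUTH_REQUIRED", None
            ts = decrypt(key, preauth)
            # Reject if the timestamp does not decrypt or is outside a 5-minute skew.
            if ts is None or abs(time.time() - int(ts.decode())) > 300:
                return "KDC_ERR_PREAUTH_FAILED", None
        reply = json.dumps({"session_key": os.urandom(16).hex(),
                            "tgt": f"TGT-for-{principal}@{self.realm}"}).encode()
        return "OK", encrypt(key, reply)


def client_preauth(password: str, realm: str) -> bytes:
    """Client proves knowledge of its key by encrypting the current time."""
    return encrypt(derive_key(password, realm), str(int(time.time())).encode())


def offline_guess(reply_blob, realm: str, wordlist):
    """Check a captured AS reply against candidate passwords, offline (the v4 weakness).
    With nothing captured there is nothing to check, which is the point of pre-auth."""
    if reply_blob is None:
        return None
    for candidate in wordlist:
        if decrypt(derive_key(candidate, realm), reply_blob) is not None:
            return candidate
    return None


def demo() -> dict:
    realm = "EXAMPLE.TEST"                      # constructed
    users = {"alice": "winter2024"}             # constructed weak password
    wordlist = ["password", "summer", "winter2024", "letmein"]  # constructed
    v4_style = ToyKDC(realm, users, require_preauth=False)
    v5_style = ToyKDC(realm, users, require_preauth=True)

    status4, blob4 = v4_style.as_exchange("alice")                 # anyone can ask
    status5, blob5 = v5_style.as_exchange("alice")                 # refused, no pre-auth
    status5ok, _ = v5_style.as_exchange("alice", client_preauth("winter2024", realm))
    return {
        "v4_status": status4,
        "v4_guess": offline_guess(blob4, realm, wordlist),         # "winter2024"
        "v5_unauth_status": status5,                               # KDC_ERR_PREAUTH_REQUIRED
        "v5_unauth_guess": offline_guess(blob5, realm, wordlist),  # None
        "v5_preauth_status": status5ok,                            # "OK"
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running `demo()` shows the difference the footnote is about: the v4-style KDC returns key-encrypted material to an unauthenticated request, so a weak password falls to a word list offline, while the v5-style KDC returns `KDC_ERR_PREAUTH_REQUIRED` and there is nothing to guess against. Pre-authentication only raises the bar, though: a captured encrypted timestamp can still be guessed against offline, so enforcing pre-authentication on every principal and requiring strong passwords (or stronger pre-auth mechanisms) go together.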
