Pieces of the Puzzle

2.2 Directories

A common misconception surrounding Kerberos and other authentication technologies is that they somehow replace directories, such as the Unix /etc/passwd file, NIS, NetInfo, or LDAP. Along the same lines, another common misconception is that directories make good authentication systems by themselves. Therefore, a distinction needs to be made between authentication, authorization, and directories. For a real-life analogy of the roles each of these components plays, see the sidebar "Confusing Authentication, Authorization, and Directories."

Directories contain data describing resources, such as computers, printers, and user accounts, that are contained within a particular network. Directories can be as simple as a text file, such as the /etc/passwd and /etc/group files on traditional Unix systems, which list the active user accounts and their group permissions. Or a directory can be a complex LDAP directory structure, such as Microsoft's Active Directory.

Directories can contain authentication data. Authenticating against a directory takes two forms. In the first, a client machine contacts the directory, obtains the hashed version of the user's password, hashes the password given by the user, and compares the two. This method is used by NIS, for example. The other form, employed by most LDAP authentication mechanisms, is to attempt to bind to the LDAP directory using the credentials that the user provided. If the user is granted access to the directory, the authentication is successful. The pam_ldap PAM module uses this latter method to authenticate against an LDAP directory.

Using Kerberos to handle authentication is superior to these methods for several reasons:

• Using Kerberos tickets, users can be granted single-sign-on access to all network resources without requiring the client machine to cache the user's password. Kerberos tickets are cryptographic messages that are only valid for a relatively short period of time, typically 8-24 hours. The compromise of a user's password, on the other hand, provides an attacker the ability to masquerade as the legitimate user for a much longer period of time—specifically, until the password is changed or expires.

• With Kerberos, the user's password is never sent in the clear over the network during the login process.

• Kerberos defines a widely adopted and standardized protocol that is suited for authentication.

Therefore, while a directory may contain authentication information (for example, Microsoft's Active Directory stores the Kerberos database in its LDAP store), it is preferable to use Kerberos to perform authentication rather than using the directory for authentication directly.
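The two forms of directory-based authentication described above, modelled side by side as an added example (this is not code from the book, NIS, or pam_ldap). The passwd map, the LDAP entries, the salt, the hash format and all names are constructed for illustration; the hash format stands in for the crypt(3) strings a real passwd map would hold. The point the model makes visible is that in the NIS-style flow the stored hash is handed to every client that can query the map, whereas in the bind-style flow the directory keeps the hash and only answers whether the bind succeeded.

```python
"""Model of the two directory-authentication flows: NIS-style hash compare
and LDAP-style bind. Everything here is constructed sample data."""
import hashlib
import hmac


def hash_password(password: str, salt: bytes, rounds: int = 10_000) -> str:
    """Constructed storage format: 'pbkdf2$<rounds>$<salt-hex>$<digest-hex>'.
    Plays the role of the crypt(3) string stored in /etc/passwd or a NIS map."""
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2${rounds}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the candidate with the stored salt/rounds and compare in constant time."""
    scheme, rounds, salt_hex, digest_hex = stored.split("$")
    if scheme != "pbkdf2":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


# Fixed salt so the constructed data is deterministic (a real system uses a random salt per user).
_SALT = bytes.fromhex("00112233445566778899aabbccddeeff")

# Constructed NIS-style passwd map: username -> (password hash, uid, gid, home directory)
NIS_PASSWD_MAP = {
    "alice": (hash_password("correct horse", _SALT), 1001, 100, "/home/alice"),
}


def nis_style_login(username: str, password: str, passwd_map=NIS_PASSWD_MAP) -> bool:
    """Form 1 (NIS): the client fetches the stored hash from the directory and
    does the comparison itself. The hash therefore leaves the directory server."""
    entry = passwd_map.get(username)
    if entry is None:
        return False
    stored_hash = entry[0]  # in real NIS this arrives over the network via ypserv
    return verify_password(password, stored_hash)


class LdapDirectory:
    """Form 2 (LDAP bind, the pam_ldap approach): the directory holds the hash and
    only reports whether a bind with the supplied credentials succeeded.
    Constructed stand-in for a real LDAP server; DNs and attributes are made up."""

    def __init__(self):
        self.entries = {
            "uid=alice,ou=people,dc=example,dc=com": {
                "uid": "alice",
                "userPassword": hash_password("correct horse", _SALT),
            },
        }

    def search_uid(self, uid: str):
        """Anonymous search step: map a login name to its DN (no password data returned)."""
        for dn, attrs in self.entries.items():
            if attrs["uid"] == uid:
                return dn
        return None

    def bind(self, dn: str, password: str) -> bool:
        """Simple bind: verification happens server-side; the client never sees the hash."""
        attrs = self.entries.get(dn)
        return attrs is not None and verify_password(password, attrs["userPassword"])


def pam_ldap_style_login(username: str, password: str, directory: LdapDirectory) -> bool:
    """Search for the user's DN, then attempt to bind as that DN with the given password."""
    dn = directory.search_uid(username)
    if dn is None:
        return False
    return directory.bind(dn, password)


if __name__ == "__main__":
    d = LdapDirectory()
    print("NIS-style  :", nis_style_login("alice", "correct horse"))
    print("LDAP bind  :", pam_ldap_style_login("alice", "correct horse", d))
    print("wrong pw   :", pam_ldap_style_login("alice", "wrong", d))
```

Both flows still require the client to hold the user's cleartext password for the duration of the check, and neither yields anything time-limited to present to other services afterwards, which is the gap the Kerberos ticket model described above closes.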

2.3 Privacy and Integrity