"This dialogue provides a fictitious account of the design of an open-network authentication system called "Charon." As the dialogue progresses, the characters Athena and Euripides discover the problems of security inherent in an open network environment. Each problem must be addressed in the design of Charon, and the design evolves accordingly. Athena and Euripides don't complete their work until the dialogue's close.
When they finish designing the system, Athena changes the system's name to "Kerberos," the name, coincidentally enough, of the authentication system that was designed and implemented at MIT's Project Athena. The dialogue's "Kerberos" system bears a striking resemblence to the system described in Kerberos: An Authentication Service for Open Network Systems presented at the Winter USENIX 1988, at Dallas, Texas."
I've worked in a handful of Unix environments in both academia and enterprise over the last 20 years but never actually used Kerberos. (Of course 20 years ago it was brand new, so that is at least part of it.) Is it gaining in popularity?
(From the two minutes of searching I just did, it sounds like Windows AD is actually based on Kerberos? If that's the case I guess it's super-widely used.)
Windows AD is Kerberos based with a gratuitous compatibility breaking change that I can't remember right now. We use Kerberos at work, and the FreeIPA project is Kerberos based. It doesn't really come into its own until you have many, many machines, probably at least fifty, but it isn't bad in the end. I have had many, many problems with FreeIPA but very few are due to it using Kerberos.
I suspect that I'm going to get out of my depth very quickly here, but I'm not sure what the gratuitous breaking change is that you're speaking of; relatively recent MIT or Heimdal krb5 implementations can interop with Active Directory with no problem that I'm aware of.
Some older implementations were lacking ciphers that Active Directory required. If this is what you're speaking of then I wouldn't classify it as a "breaking change", since cipher negotiation is meant to be - well - negotiated. Its gratuitousness may be more in question, but I'm certain it was for backward compatibility with NT Lan Manager password schemes. (Alas.)
The Windows 2000 KDC also adds extra authorisation data in tickets. It is at this point unclear what triggers it to do this. The format of this data is only available under a “secret” license from Microsoft, which prohibits you implementing it.
This makes/made? it difficult to have a Windows domain authenticate against an existing KDC; you needed to set up an AD server and then set up cross-domain trust relationships, which means you must have a Windows server on your network in order to support Windows AD clients.
Very interesting. I had a similar setup in a previous life without any issues, but the "it is at this point unclear what triggers it to do this" is ominous indeed, so it's possible I just went down the happy path where this sort of issue doesn't come up.
Designing an Authentication System: a Dialogue in Four Scenes http://web.mit.edu/Kerberos/dialogue.html
"This dialogue provides a fictitious account of the design of an open-network authentication system called "Charon." As the dialogue progresses, the characters Athena and Euripides discover the problems of security inherent in an open network environment. Each problem must be addressed in the design of Charon, and the design evolves accordingly. Athena and Euripides don't complete their work until the dialogue's close.
When they finish designing the system, Athena changes the system's name to "Kerberos," the name, coincidentally enough, of the authentication system that was designed and implemented at MIT's Project Athena. The dialogue's "Kerberos" system bears a striking resemblence to the system described in Kerberos: An Authentication Service for Open Network Systems presented at the Winter USENIX 1988, at Dallas, Texas."