Notes on Kerberos

Kerberos is a network authentication system suitable for enterprise-wide authentication and with several nice security properties, such as never sending the user's password off their local system and negotiation of encryption algorithms so that newer, stronger ones can be added. I maintain Stanford's central Kerberos realms and am the lead developer on various Kerberos infrastructure applications used at Stanford.

There is a paucity of good information about solving practical problems with Kerberos on the web, despite the fact that both Microsoft and Apple now support it quite well and it has significant advantages over other authentication systems such as checking passwords against LDAP. As I improve the technical documentation of Stanford's Kerberos environment, I'll add as much information as I can here.

Here are slides from presentations I've given or will be giving about Kerberos and web authentication:

• Kerberos and PAM (PDF, TeX)
• Stanford Web Authentication Overview (PDF, TeX)
• Wallet: Secure Data Distribution and Management (PDF, TeX)
• Wallet: 2008 Update (PDF, TeX)

There is a good writeup of installing and configuring Kerberos on Debian at the Debian Administration site.

You may also want to look at the Kerberos-related software available from my software page.