Notes on Kerberos

Kerberos is a network authentication system suitable for enterprise-wide authentication and with several nice security properties, such as never sending the user's password off their local system and negotiation of encryption algorithms so that newer, stronger ones can be added. I used to maintain Stanford's central Kerberos realms and am still the lead developer on various Kerberos infrastructure applications used at Stanford.

There is a paucity of good information about solving practical problems with Kerberos on the web, despite the fact that both Microsoft and Apple now support it quite well and it has significant advantages over other authentication systems such as checking passwords against LDAP. I'll try to add more information here as I do further work with Kerberos for various projects.

Here are slides from presentations I've given about Kerberos and web authentication:

• Stanford Web Authentication Overview (PDF, TeX) (2006)
• Wallet: Secure Data Distribution and Management (PDF, TeX) (2006)
• Kerberos and PAM (PDF, TeX) (2007)
• Wallet: 2008 Update (PDF, TeX) (2008)
• The Murky Tangle of Web Authentication (PDF, TeX) (2011)

You may also want to look at the Kerberos-related software available from my software page.