When to Run a Kerberos Server
Tools like firewalls (discussed in Chapter 25, Configuring iptables) are designed
to protect a computer or network from the outside world, or to protect the
outside world from miscreants inside a local network. Kerberos, on the other
hand, is an internal security tool; it helps both servers and clients be sure
that they're communicating with the proper systems and users, and it protects
passwords so that they can't be stolen and abused by other local network users.
(Kerberos can also improve external security by providing encryption to
external users who need access to internal servers.) Simultaneously, Kerberos
provides convenience: by centralizing the password database, Kerberos allows a
user to log in to any workstation on a network and enter a login password only
once, obviating the need to enter passwords for POP mail servers, FTP servers,
and other local servers that would otherwise require passwords.

These features make Kerberos a very useful tool on mid-sized and large local
networks, such as those operated by many colleges, universities, and
corporations. Such networks frequently host mail servers, print servers, and
the like internally, and allow users to log in to workstations at many
locations. Rather than maintain a centralized computer system with terminals,
users at these organizations use more powerful workstations. On such a network,
maintaining individualized password databases is tedious at best, so Kerberos
is a useful tool.

Kerberos is a cross-platform tool; Kerberos clients and servers can exist on
Linux, other UNIX-like OSs, Windows, MacOS, or many other OSs. (Microsoft's own
Kerberos implementation, though, is subtly incompatible with the standard
version. The MIT Kerberos page includes links to another implementation of
Kerberos for Windows that is more compatible with the standard version.)
Cross-platform compatibility can be an extremely important characteristic in
many environments.
Centralized versus Distributed Computing
In the late 1960s through much of the 1980s, UNIX systems were generally
intended to be used by several people simultaneously. These computers sat in
machine rooms and were used via text-mode terminals or, later, X terminals that
provided GUI access. As processing power became cheaper, a trend developed to
place workstations on all users' desks. The modern x86 PC is a manifestation
of this trend.

Today, most networks use a largely decentralized computing model, with
workstations running Windows, MacOS, or occasionally Linux or some other UNIX
variant. These computers may rely on network servers such as mail servers, file
servers, print servers, and so on, but they do most of their processing
locally. Such a network has a certain advantage in robustness, because if a
server goes down, chances are the rest of the network will continue to operate.
This distributed approach also means that all users can count on a certain
minimum amount of processing power: whatever's available on the local
workstation. In simple networks like this, users are often tied to specific
computers, because they only have passwords on their own computers. This is one
of the problems that Kerberos is intended to solve.

Today's x86 computers are far more powerful than the mainframes of just a
couple of decades ago, and it's possible to use them in a centralized computing
approach. A single powerful Linux system can run many users' programs. These
users can sit at much less powerful systems that function only as terminals,
using terminal software like that discussed in Chapters 13 (Maintaining Remote
Login Servers) and 14 (Handling GUI Access with X and VNC Servers). Such an
approach is vulnerable to problems with the central system, though; if it goes
down, the rest of the network becomes useless. The centralized approach can be
easier to administer, though, and it may obviate the need for user management
software like Kerberos.
In most cases, the applications you use must
include explicit Kerberos support to take advantage of the tool. For instance,
your POP mail client and server must both support Kerberos authentication, or
they'll continue using their own authentication methods. This chapter covers
Kerberos configuration on Linux. This configuration can be used in conjunction
with non-Linux systems, but I don't cover configuring Kerberos clients in
Windows, MacOS, or other platforms.
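One practical way to find out whether a given POP server actually offers Kerberos authentication, as the paragraph above requires, is to look at what the server advertises in response to the POP3 CAPA command (RFC 2449), whose SASL line lists the authentication mechanisms it accepts; Kerberos V5 appears there under the SASL name GSSAPI. The following script is an added example and is not from the book: it parses a CAPA response and reports whether a Kerberos mechanism is offered and whether a plaintext USER/PASS login would be the only option. The two server responses it checks are constructed samples, not captures from a real server.

```python
"""Inspect a POP3 CAPA response to see whether the server offers Kerberos
authentication (added example, not from the book).

The CAPA command and the SASL capability line are defined in RFC 2449;
GSSAPI is the SASL mechanism name for Kerberos V5 and KERBEROS_V4 the
name for the older Kerberos 4 mechanism.  Both sample responses below
are constructed for this example.
"""

# Constructed sample: a server that offers Kerberos (GSSAPI) as well as
# plaintext logins.
SAMPLE_KERBEROS = (
    "+OK Capability list follows\r\n"
    "TOP\r\n"
    "USER\r\n"
    "SASL GSSAPI PLAIN\r\n"
    "UIDL\r\n"
    ".\r\n"
)

# Constructed sample: a server that accepts only USER/PASS logins, so the
# client will keep sending the password in the clear.
SAMPLE_NO_KERBEROS = (
    "+OK Capability list follows\r\n"
    "TOP\r\n"
    "USER\r\n"
    "UIDL\r\n"
    ".\r\n"
)

# SASL mechanism names that mean the server can use Kerberos credentials.
KERBEROS_MECHS = {"GSSAPI", "KERBEROS_V4"}


def parse_capa(response: str) -> dict[str, list[str]]:
    """Turn a raw CAPA response into {CAPABILITY: [arguments]}.

    Raises ValueError if the server did not answer +OK, which is what an
    old server without CAPA support would do.
    """
    lines = response.split("\r\n")
    if not lines or not lines[0].startswith("+OK"):
        raise ValueError("server rejected CAPA or response is malformed")
    caps: dict[str, list[str]] = {}
    for line in lines[1:]:
        if line == ".":          # end of the multi-line response
            break
        if not line:
            continue
        parts = line.split()
        caps[parts[0].upper()] = [p.upper() for p in parts[1:]]
    return caps


def kerberos_supported(response: str) -> bool:
    """True if the server advertises a Kerberos SASL mechanism."""
    mechs = set(parse_capa(response).get("SASL", []))
    return bool(mechs & KERBEROS_MECHS)


def password_exposure(response: str) -> str:
    """Classify how a client would have to authenticate.

    Returns "kerberos" when a Kerberos mechanism is available, "tls" when
    only STLS protects an otherwise plaintext login, and "cleartext" when
    the only option is an unprotected USER/PASS exchange.
    """
    caps = parse_capa(response)
    if set(caps.get("SASL", [])) & KERBEROS_MECHS:
        return "kerberos"
    if "STLS" in caps:
        return "tls"
    return "cleartext"


if __name__ == "__main__":
    for name, sample in (("kerberos server", SAMPLE_KERBEROS),
                         ("plain server", SAMPLE_NO_KERBEROS)):
        print(f"{name}: kerberos={kerberos_supported(sample)} "
              f"exposure={password_exposure(sample)}")
```

Against a live server you would obtain the response by sending `CAPA` after connecting to port 110 (for example with Python's `poplib.POP3` and its `capa()` method) and feed the raw text to `parse_capa`; a result of "cleartext" is exactly the situation the book warns about, where the application keeps using its own unprotected authentication even though a Kerberos server is running.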