Red Hat Linux 7.0: The Official Red Hat Linux Reference Guide
Chapter 8. Using Kerberos 5 on Red Hat Linux
Kerberos removes a common security threat, so why isn't it in use on every network? For several reasons, Kerberos may be difficult to implement:
No quick "script-o-matic" solution exists for migrating user passwords from a standard UNIX password database to a Kerberos password database. Migration is technically feasible, but conversion scripts aren't provided with Kerberos. See the Kerberos FAQ Question 2.23 for more detailed information on this issue.
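To make the migration point concrete, here is an added example (not a script shipped with Kerberos or printed in the Reference Guide) of what such a conversion can and cannot do. It reads passwd-format lines, keeps only ordinary interactive accounts, and emits a batch for kadmin.local that creates one principal per user with a random temporary password flagged +needchange. The passwd lines are constructed, and the realm EXAMPLE.COM and the UID-500 cut-off for ordinary users are assumptions.

```python
import secrets

# Constructed sample of /etc/passwd lines; none of these are real accounts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
alice:x:500:500:Alice Example:/home/alice:/bin/bash
bob:x:501:501:Bob Example:/home/bob:/bin/bash
svc:x:502:502:Batch Service:/var/lib/svc:/sbin/nologin
"""

REALM = "EXAMPLE.COM"   # assumed realm; replace with the site's own
FIRST_USER_UID = 500    # assumed: Red Hat 7.0 allocated ordinary users from UID 500 upwards
LOGIN_SHELLS = {"/bin/bash", "/bin/sh", "/bin/tcsh", "/bin/csh", "/bin/zsh"}


def interactive_users(passwd_text):
    """Return login names of ordinary interactive users from passwd-format text.

    The hash field (or the 'x' pointing at /etc/shadow) is ignored on purpose:
    crypt(3) output is one-way, so no script can turn it into a Kerberos key.
    Only the list of accounts carries over; every password must be set afresh.
    """
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue
        name, _pw, uid, _gid, _gecos, _home, shell = fields
        if int(uid) >= FIRST_USER_UID and shell in LOGIN_SHELLS:
            users.append(name)
    return users


def kadmin_batch(users, realm=REALM):
    """Build a kadmin.local batch plus a {principal: temporary password} map.

    +needchange flags each principal so the user must choose a new password at
    first login; the random temporary value is only a bootstrap handed over
    out of band. The batch is meant for kadmin.local's standard input, so the
    passwords never appear on a command line (and hence not in ps output).
    """
    temps = {}
    lines = []
    for name in users:
        principal = f"{name}@{realm}"
        temps[principal] = secrets.token_urlsafe(12)
        lines.append(f"addprinc +needchange -pw {temps[principal]} {principal}")
    return "\n".join(lines) + "\n", temps


if __name__ == "__main__":
    batch, temps = kadmin_batch(interactive_users(SAMPLE_PASSWD))
    # Feed 'batch' to kadmin.local on stdin on the KDC (kadmin.local < batch.txt)
    # and keep the file mode 0600 until the temporary passwords are handed out.
    print(batch, end="")
```

Run the generated batch on the KDC with `kadmin.local` reading it from standard input, then deliver each temporary password to its owner out of band. This is exactly why the Guide calls migration feasible but scriptless: a script can create the principals, but it can never recover the old passwords from their one-way hashes, so every user still has to set a new one.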
Kerberos is only partially compatible with the Pluggable Authentication Modules (PAM) system used by most servers on Red Hat Linux. For more information on this issue, see the section called Kerberos and Pluggable Authentication Modules (PAM).
For an application to use Kerberos, its sources must be modified to make the appropriate calls into the Kerberos libraries. For some applications, this may require too much programming effort. For other applications, changes must be made to the protocol used between network servers and their clients; again, this may require too much effort. Furthermore, it may be impossible to make certain closed-source applications work with Kerberos.
Finally, if you decide to use Kerberos on your network, you must realize that it is an all-or-nothing proposition. If any services that transmit plaintext passwords remain in use, passwords can still be compromised, and your network gains no net benefit from the use of Kerberos. To secure your network with Kerberos, you must either kerberize (i.e., make it work with Kerberos) all applications that send plaintext passwords or stop using those applications on your network.
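The all-or-nothing rule implies a concrete check: an inventory of what is still listening for plaintext logins on each host. The following is an added example (not from the Reference Guide) that parses `netstat -ltn` output, here a constructed capture, and matches the listening TCP ports against well-known services that send the password in the clear. The port-to-service table is an assumption drawn from the standard well-known port assignments and is not exhaustive.

```python
import re

# Constructed sample of `netstat -ltn` output from a host that still runs
# several plaintext-password services; none of these listeners is real.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:110             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:513             0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN
"""

# Assumed table of well-known TCP services whose login sends the password
# unencrypted; extend it with any site-specific services of the same kind.
PLAINTEXT_PASSWORD_PORTS = {
    21: "ftp", 23: "telnet", 109: "pop2", 110: "pop3", 143: "imap",
    512: "rexec", 513: "rlogin", 514: "rsh",
}

# Matches one listener line: proto, queues, local addr:port, foreign addr, state.
LISTEN_RE = re.compile(r"^tcp\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN")


def listening_ports(netstat_text):
    """Return {port: local_address} for every TCP listener in netstat -ltn output."""
    ports = {}
    for line in netstat_text.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            ports[int(m.group(2))] = m.group(1)
    return ports


def plaintext_services(ports):
    """Return sorted (port, service) pairs that still accept plaintext passwords.

    Loopback-only listeners are reported as well: the rule in the text applies
    per service, and a kerberized replacement or removal is needed either way.
    """
    return sorted(
        (port, PLAINTEXT_PASSWORD_PORTS[port])
        for port in ports
        if port in PLAINTEXT_PASSWORD_PORTS
    )


def report(netstat_text):
    """Human-readable summary of the listeners that undo the benefit of Kerberos."""
    found = plaintext_services(listening_ports(netstat_text))
    if not found:
        return "no plaintext-password listeners found"
    return "\n".join(
        f"port {port}/tcp ({name}) still accepts plaintext passwords"
        for port, name in found
    )


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT))
```

On a real host, pipe the live output of `netstat -ltn` into `report`; every line it prints names a service that must be kerberized or switched off before the network gets any net benefit from Kerberos. Services that do not listen on a well-known port, or that are only started on demand, will not appear here and need to be tracked separately.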