It is important to recognize that implementing Kerberos on your network does not guarantee perfect security. While Kerberos is extremely secure in a theoretical sense, there are many practical security issues to be considered. In addition, it is important to remember that Kerberos provides only an authentication service; it does not prevent compromises caused by buggy server software, administrators granting permissions to unauthorized users, or poorly chosen passwords.
While most documentation on the subject of Kerberos security simply says to "secure the KDC," there is much more to the story of Kerberos security than turning off unnecessary services on your KDC machines (although that is certainly good advice!). In this article, we will begin with a discussion of potential attacks against your Kerberos authentication system, follow up with steps that should be taken to prevent these attacks, and finally examine Kerberos KDC logs. After reading this article, you should understand the security implications that Kerberos presents and how to protect your network from the attack scenarios presented.
The link to this article, which was hosted at Linux Exposed, is no longer available.