
Router Security Configuration Guide, Version 1.0g, UNCLASSIFIED, page 158

Kerberos

Kerberos was developed by the Massachusetts Institute of Technology (MIT) and is an IETF standard (RFC 1510) for network authentication. Kerberos provides strong authentication for client/server applications using secret-key cryptography. The mechanism can verify the identities of two parties (i.e. a person or a network component) communicating over unprotected networks. Authentication is performed through a trusted third-party service using conventional (shared secret key) cryptography. In this system a client requests, from the trusted authentication service, the credentials needed to contact the party it wishes to reach. All communications between the parties are encrypted using known secret keys or session keys issued by the authentication service. Kerberos can also be used to perform EXEC shell authorization using Kerberos Instance Mapping. After two parties have been authenticated, Kerberos can be used to provide confidentiality and data integrity services.

Kerberos infrastructures are already in wide use. If you already have a Kerberos infrastructure in place, this may be the way to go. But note that Kerberos allows only limited authorization capabilities and no accounting. There are freeware versions of Kerberos available as well as commercially supported products. Some more recent operating systems come with Kerberos built in. Examples using Kerberos are not covered in this guide, but more details can be found in the Security Configuration Guide [1], in the section entitled "Configuring Kerberos", and in RFC 1510.

4.6.5. References

[1] Cisco Systems, Cisco IOS 12.0 Network Security, Cisco Press, 1999.
[2] Cisco Systems, Cisco IOS 12.0 Dial Solutions, Cisco Press, 1999.
[3] C. Rigney et al., "Remote Authentication Dial In User Service (RADIUS)", RFC 2865, June 2000.
[4] J. Kohl, "The Kerberos Network Authentication Service (V5)", RFC 1510, September 1993.
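The trusted-third-party exchange described above, reduced to a runnable model. This is an added example, not code from the guide or from MIT Kerberos: the principal names, the 5-minute lifetime and the SHA-256/HMAC toy cipher are constructed for illustration, and the real protocol's ASN.1 messages, standard encryption types and ticket-granting service are not modelled. It shows why the server can trust a client it has never spoken to the authentication service about: the ticket is sealed under the server's own long-term key, and the authenticator proves the client could read the session key inside the reply.

```python
import hashlib, hmac, json, os, time

def _keystream(key, nonce, n):  # SHA-256 in counter mode, a stand-in for a real cipher
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((n + 31) // 32))[:n]

def seal(key, msg):
    """Encrypt-then-MAC a dict under a shared secret key (constructed toy scheme)."""
    pt, nonce = json.dumps(msg).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Reject anything not sealed under `key`; only the right key holder can read it."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class AuthServer:
    """Trusted third party holding every principal's long-term secret key."""
    def __init__(self, keys):
        self.keys = keys
    def credentials_for(self, client, server):
        # Fresh session key; the ticket is readable only by `server`, the reply only by `client`
        sk = os.urandom(32).hex()
        ticket = seal(self.keys[server], {"client": client, "sk": sk, "exp": time.time() + 300})
        return seal(self.keys[client], {"server": server, "sk": sk, "ticket": ticket.hex()})

def client_authenticate(client, client_key, reply):
    """Client decrypts the AS reply with its own key and proves possession of the session key."""
    creds = unseal(client_key, reply)
    authenticator = seal(bytes.fromhex(creds["sk"]), {"client": client, "ts": time.time()})
    return bytes.fromhex(creds["ticket"]), authenticator

def server_verify(server_key, ticket, authenticator):
    """Server never contacts the AS: the ticket (sealed under its key) carries the session key."""
    t = unseal(server_key, ticket)
    if t["exp"] < time.time():
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["sk"]), authenticator)   # proves the client knew sk
    if a["client"] != t["client"] or abs(time.time() - a["ts"]) > 300:
        raise ValueError("authenticator does not match ticket")
    return t["client"]

def kerberos_exchange(keys, client, server):
    """Run the whole exchange; returns the identity the server accepted."""
    reply = AuthServer(keys).credentials_for(client, server)
    ticket, auth = client_authenticate(client, keys[client], reply)
    return server_verify(keys[server], ticket, auth)
```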