Single sign-on authentication

OS X Server uses Kerberos for single sign-on authentication, which relieves users from entering a name and password separately for every service. With single sign-on, a user always enters a name and password in the login window. Thereafter, the user doesn’t need to enter a name and password for AFP service, Mail service, or other services that use Kerberos authentication.

To take advantage of single sign-on, users and services must be Kerberized—configured for Kerberos authentication—and use the same Kerberos KDC server.

User accounts that reside in an LDAP directory of a Mac server and have a password type of Open Directory use the server’s built-in KDC. These user accounts are configured for Kerberos and single sign-on. The server’s Kerberized services use the server’s built-in KDC and are configured for single sign-on.

This Mac server KDC can also authenticate users for services provided by other servers. Having more servers with OS X Server use the Mac server KDC requires only minimal configuration.

Kerberos authentication

Kerberos was developed at MIT to provide secure authentication and communication over open networks like the Internet. It’s named for the three-headed dog that guarded the entrance to the underworld of Greek mythology.

Kerberos provides proof of identity for two parties. It enables you to prove your identity to network services you want to use. It also proves to your apps that network services are genuine, not spoofed.

Like other authentication systems, Kerberos doesn’t provide authorization. Each network service determines what you’re permitted to do based on your proven identity.

Kerberos permits a client and a server to identify each other much more securely than typical challenge-response password authentication methods. Kerberos also provides a single sign-on environment where users authenticate only once a day, week, or other period of time, thereby reducing how often they must authenticate.

OS X Server offers integrated Kerberos support that virtually anyone can deploy. In fact, Kerberos deployment is so automatic that users and administrators may not realize it’s deployed.

It’s the default setting for user accounts in the Mac server LDAP directory. Other services provided by the LDAP directory server, such as AFP and Mail service, also use Kerberos automatically.

If your network has other servers with OS X Server, joining them to the Kerberos server is easy, and most of their services use Kerberos automatically.

Alternatively, if your network has a Kerberos system such as Microsoft Active Directory, you can set up your Mac server and Mac computers to use it for authentication.

The Internet is inherently insecure, yet few authentication protocols provide real security. Malicious hackers can use readily available software tools to intercept passwords being sent over a network.

Many apps send passwords unencrypted, and these are ready to use as soon as they’re intercepted. Even encrypted passwords aren’t completely safe. Given enough time and computing power, encrypted passwords can be cracked.

To isolate passwords on your private network you can use a firewall, but this doesn’t solve all problems. For example, a firewall doesn’t provide security against disgruntled or malicious insiders.

Kerberos was designed to solve network security problems. It never transmits the user’s password across the network, nor does it save the password in the user’s computer memory or on disk. Therefore, even if the Kerberos credentials are cracked or compromised, the attacker doesn’t learn the original password, so he or she can potentially compromise only a small portion of the network.

In addition to superior password management, Kerberos is also mutually authenticated. The client authenticates to the service, and the service authenticates to the client. A man-in-the-middle or spoofing attack is impossible when you’re using Kerberized services, and that means users can trust the services they’re accessing.

Kerberos is available on every major platform, including OS X, Windows, Linux, and other UNIX variants.

Move beyond passwords

Network authentication is difficult: to deploy a network authentication method, the client and server must agree on the authentication method. Although it’s possible for client/server processes to agree on a custom authentication method, getting pervasive adoption across a suite of network protocols, platforms, and clients is virtually impossible.

For example, suppose you want to deploy smart cards as a network authentication method. Without Kerberos, you must change every client/server protocol to support the new method. The list of protocols includes SMTP, POP, IMAP, AFP, SMB, HTTP, FTP, IPP, SSH, QuickTime Streaming, DNS, LDAP, local directory domain, RPC, NFS, AFS, WebDAV, and LPR, and goes on and on.

Considering all the software that does network authentication, deploying a new authentication method across the entire suite of network protocols would be a daunting task. Although this might be feasible for software from one vendor, you’d be unlikely to get all vendors to change their client software to use your new method. Further, you’d probably also want your authentication to work on multiple platforms (such as OS X, Windows, and UNIX).

Due to the design of Kerberos, a client/server binary protocol that supports Kerberos doesn’t even know how the user proves identity. Therefore you only need to change the Kerberos client and the Kerberos server to accept a new proof of identity such as a smart card. As a result, your entire Kerberos network has now adopted the new proof-of-identity method, without deploying new versions of client and server software.

Kerberos provides a central authentication authority for the network. All Kerberos-enabled services and clients use this central authority. Administrators can centrally audit and control authentication policies and operations.

Kerberos can authenticate users for the following services of a Mac server:

These services have been Kerberized whether they’re running or not. Only services that are Kerberized can use Kerberos to authenticate a user. OS X Server includes command-line tools for Kerberizing other services that are compatible with MIT-based Kerberos.

Single sign-on experience

Kerberos is a credential or ticket-based system. The user logs in once to the Kerberos system and is issued a ticket with a life span. During the life span of this ticket the user doesn’t need to authenticate again to access a Kerberized service.

The user’s Kerberized client software, such as the Mail application, presents a valid Kerberos ticket to authenticate the user for a Kerberized service. This provides a single sign-on experience.

A Kerberos ticket is like a press pass to a jazz festival held at multiple nightclubs over a three-day weekend. You prove your identity once to get the pass. Until the pass expires, you can show it at any nightclub to get a ticket for a performance. All participating nightclubs accept your pass without seeing your proof of identity again.
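To make the flow described above concrete (the password never leaving the client, the ticket life span, and the mutual authentication), here is a toy Python model added for this page. It is not Kerberos's real wire format or cryptography, it collapses the AS and TGS exchanges into one step, and the realm, user, service names, keys and the ten-hour lifetime are all assumed for the example.

```python
import hashlib, hmac, json, secrets

# seal()/unseal() use an HMAC tag to stand in for encryption under a key that
# exactly two parties share; real Kerberos encrypts with AES and uses ASN.1.
def seal(key, payload):
    body = json.dumps(payload, sort_keys=True).encode()
    return {"body": body.hex(), "tag": hmac.new(key, body, "sha256").hexdigest()}

def unseal(key, sealed):
    body = bytes.fromhex(sealed["body"])
    if not hmac.compare_digest(hmac.new(key, body, "sha256").hexdigest(), sealed["tag"]):
        raise PermissionError("wrong key or tampered message")
    return json.loads(body)

def derive_key(password, realm, user):
    # Client and KDC both derive the long-term key locally from the password,
    # so the password itself is never sent over the network.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + user).encode(), 10_000)

class KDC:
    def __init__(self, realm, user_keys, service_keys):
        self.realm, self.user_keys, self.service_keys = realm, user_keys, service_keys

    def issue_ticket(self, user, service, nonce, now, lifetime=10 * 3600):
        # Request carries only names; the reply is useless without the user's key.
        session, exp = secrets.token_hex(16), now + lifetime
        ticket = seal(self.service_keys[service], {"client": user, "session": session, "expires": exp})
        enc_part = seal(self.user_keys[user], {"session": session, "nonce": nonce, "expires": exp})
        return ticket, enc_part

def login(kdc, user, password, service, now):
    # One sign-on: a wrong password simply cannot open enc_part (PermissionError).
    nonce = secrets.token_hex(8)
    ticket, enc_part = kdc.issue_ticket(user, service, nonce, now)
    creds = unseal(derive_key(password, kdc.realm, user), enc_part)
    if creds["nonce"] != nonce:
        raise PermissionError("stale reply")
    return ticket, bytes.fromhex(creds["session"])

def use_service(service_key, ticket, session, user, now, skew=300):
    # Client presents ticket + authenticator; the service opens the ticket with
    # its own key, enforces the life span, then proves itself back (mutual auth).
    authenticator = seal(session, {"client": user, "ts": now})
    t = unseal(service_key, ticket)
    if now > t["expires"]:
        raise PermissionError("ticket expired; sign on again")
    a = unseal(bytes.fromhex(t["session"]), authenticator)
    if a["client"] != t["client"] or abs(now - a["ts"]) > skew:
        raise PermissionError("authenticator mismatch or replay")
    ap_rep = seal(bytes.fromhex(t["session"]), {"ts": a["ts"]})
    return unseal(session, ap_rep)["ts"] == now   # client verifies the service
```

Within the lifetime the same ticket is accepted repeatedly without the password; once it expires, only a fresh sign-on yields a new one.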