I am a total newbie to Kerberos and I am just trying to get things straight in my head before going ahead and using it. I work in a University and look after a number of lab machines, which just plug into the network, but can easily be unplugged. We do have port-based security on our switches but I am aware how easy it is to change the MAC address.

Reading about Kerberos I understand that it is a very secure way of authenticating a user on a network. There is however something that I am unsure of. Basically, are the *machines* on the network authenticated too? That is, does each machine have an encrypted key somewhere that identifies itself?

My reason for asking is that I am worried that if someone disconnects one of my lab machines and connects their own machine, which has been frigged to look like the disconnected machine, then in some way, the person who has done this will be able to access *something* on the network. Of course, maybe I needn't worry at all anyway. If someone did connect another machine and masquerade as my machine perhaps there is little they could do, because they would then need to authenticate as a user, and without the user password, they could access nothing on the network?

Still I would like to know if there is some form of the machine 'registering' when it boots, and if so, is there some daemon that updates a ticket or something? I guess that Windows networks work in this way and that when a Windows machine boots it somehow authenticates with the Domain Controller?

I am asking this question because I am aware that in our current setup, masquerading as another machine lets the user of the bogus machine become any user on that machine and thus lets them access any files exported to that machine, and this is what I am trying to avoid.

I hope these questions don't sound too dumb, but the O'Reilly Guide on Kerberos is a bit heavy going in places and I couldn't quite get the idea of the authenticity of a machine clear in my head. Is there such a thing?

Any pointers at URLs, FAQs, or plain help much appreciated.

Thanks in advance,
Ross

--
Ross Macintyre ([EMAIL PROTECTED])
