Kerberos caveats

• Kerberos server can impersonate anyone

• AS is a single point of failure

  • Can have replicated AS’s

• AS could be a performance bottleneck

  • Everyone needs to communicate with it frequently
  • Not a practical concern these days
  • Having multiple AS’s alleviates the problem

• If local workstation is compromised, user’s password could be stolen by a trojan horse

  • Only use a desktop machine or laptop that you trust
  • Use hardware token pre-authentication

• Kerberos vulnerable to password guessing attacks

  • Choose good passwords!
  • Use hardware pre-authentication
    • Hardware tokens, Smart cards etc