Features added in the current version of Kerberos, Version 5, are designed to allow inter-network authentication (in Kerberos terminology, referred to as "cross-realm" authentication). Recent proposals have included using public-key cryptography for both initial authentication of clients (TGT) and for cross-realm authentication. Such changes will make it more feasible for Kerberos to scale to larger sets of networks, but the question is far from resolved.

  • Version 5 added support for forwardable, renewable, and postdatable tickets. These accommodate long-running processes and processes which need to run automatically in the future, in addition to allowing users to use their credentials on a machine other than the one they logged in on.
  • Kerberos tickets can now contain multiple IP addresses and addresses for different types of networking protocols. This allows the use of multi-homed machines.
  • Replay caches keep track of recently issued tickets and do not allow the same ticket to be used twice in a row. This cuts down on the ability of attackers to hijack cached tickets before they expire.
  • There is now support for transitive cross-realm authentication, which removes the requirement that each pair of realms that wish to allow authentication must share a secret. In large networks consisting of many realms, the number of secrets can become quite large and is not scalable. Instead, transitive cross-realm authentication allows a path between secret-sharing realms to be specified so that credentials from the desired realm can be earned by following this path.
Wiki User

15y ago
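
The transitive cross-realm point in the answer above, as an added example that is not part of the original answer: it compares the number of secrets a full mesh of realms would need with a hierarchy, and finds the path of secret-sharing realms a client follows to reach a service in another realm. The realm names and sample trust links are constructed, and `path_allowed` is a hypothetical, simplified stand-in for a service checking which intermediate realms a ticket passed through.

```python
from collections import deque

# Constructed sample: each pair is two realms that share an inter-realm secret.
SHARED_SECRETS = [
    ("ENG.EXAMPLE.COM", "EXAMPLE.COM"),
    ("SALES.EXAMPLE.COM", "EXAMPLE.COM"),
    ("EXAMPLE.COM", "EXAMPLE.ORG"),
    ("LAB.EXAMPLE.ORG", "EXAMPLE.ORG"),
]

def full_mesh_keys(n):
    """Secrets needed if every pair of n realms had to share one directly."""
    return n * (n - 1) // 2

def build_trust_graph(shared_secrets):
    """Undirected graph: an edge means the two realms share a secret."""
    graph = {}
    for a, b in shared_secrets:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def authentication_path(graph, client_realm, service_realm):
    """Shortest chain of secret-sharing realms from client to service, or None."""
    if client_realm not in graph or service_realm not in graph:
        return None
    queue, seen = deque([[client_realm]]), {client_realm}
    while queue:
        path = queue.popleft()
        if path[-1] == service_realm:
            return path
        for nxt in sorted(graph[path[-1]]):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def path_allowed(path, trusted_intermediates):
    """Accept only if every realm crossed in between is one the service trusts."""
    return path is not None and all(r in trusted_intermediates for r in path[1:-1])

if __name__ == "__main__":
    graph = build_trust_graph(SHARED_SECRETS)
    path = authentication_path(graph, "ENG.EXAMPLE.COM", "LAB.EXAMPLE.ORG")
    print("realms:", len(graph), "secrets:", len(SHARED_SECRETS),
          "full mesh would need:", full_mesh_keys(len(graph)))
    print("path:", " -> ".join(path))
    print("allowed:", path_allowed(path, {"EXAMPLE.COM", "EXAMPLE.ORG"}))
```

With five realms the hierarchy needs four shared secrets where a full mesh would need ten, and the gap grows quadratically as realms are added.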