Title: Authentication protocols overview

KBTAG: kben10000102
URL: http://www.securityportal.com/lskb/10000100/kben10000102.html
Date created: 18/07/2000
Date modified:
Date removed:
Author(s): Kurt Seifried seifried@securityportal.com
Topic: Authentication protocols overview
Keywords: Network/Authentication

Summary:

There are a number of commonly used authentication protocols, each with its own strengths and weaknesses.

More information:

RADIUS

RADIUS is a protocol commonly used to authenticate dial-in users and other types of network access.

NIS / NIS+

NIS and NIS+ (formerly known as “yellow pages”) stand for Network Information Service. Essentially, NIS and NIS+ provide a means to distribute password files, group files, and other configuration files across many machines, providing account and password synchronization (among other services). NIS+ is essentially NIS with several enhancements (mostly security related); otherwise they are very similar.

Kerberos

Kerberos is a modern network authentication system based on the idea of handing a user a ticket once they have authenticated to the Kerberos server (similar to NT’s use of tokens). Kerberos is available from: http://web.mit.edu/kerberos/www/. The Kerberos FAQ is available at: http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html. Kerberos is appropriate for large installations, as it scales better and is more secure than NIS / NIS+. Kerberizing programs such as telnet, IMAP and POP can be achieved with some effort; Windows clients with Kerberos support, however, are harder to find.

LDAP

The Lightweight Directory Access Protocol seems to be the future of storing user information (passwords, home directories, phone numbers, etc.). Many products (ADS, NDS, etc.) support LDAP interfaces, so it is important for Linux to support LDAP, as this will be required to tie it into future enterprise networks.

SMB

Server Message Block is Microsoft's protocol for sharing files and printers, as well as handling network authentication. There are PAM modules that allow you to authenticate via an SMB server (Samba or Windows NT).