Originally Posted by abourke
Just wondering about Kerberos.
1 Does it only provide authentication?
Not exclusively - but that IS its primary function.
2 Or does it encrypt communications aswell?
It provides an encryption capability library that can be used to encrypt any communication. But it is up to each utility to make use of that library.
The library itself is used to implement the protocols for authentication. As such, there was no reason to exclude its use for other functions as well.
Most kerberos kits include an authenticated kerberized version of telnet, rsh, ftp, and rlogin. But the library can support many others.
3 If so, is it only the network (LAN) that is encrypted?
4 Or does it encrypt Internet (WAN) connections too?
No - the functions are provided to the network (of whatever type).
The primary goal is to provide authentication - and that works no matter what the network type is lan/wan makes no difference.
Kerberos has been used to provide distributed secure network file services (via AFS) which is world wide. (warning - DON'T do a "ls -R" or a "find" on the base AFS mount point--- it gets hard to stop once it starts scanning across the globe.)
The normal use is LAN authentication (as shown by a Windows AD domain), but in general I have seen it used for worldwide remote logins. It has procedures for distributing authentication trust via cross realm checks, where a "realm" simply represents a collection of servers and a key distribution server. Trust may be extended in a hierarchy, or peer to peer. Trust may also be limited to one way or two way.
Current Kerberos versions also support the use of PKI.
One think kerberos isn't is a substitute for IPSec, which can provide a network level encryption for ANY network usage.