Kerberos (protocol) - Drawbacks and Limitations

Drawbacks and Limitations

  • Single point of failure: It requires continuous availability of a central server. When the Kerberos server is down, no one can log in. This can be mitigated by using multiple Kerberos servers and fallback authentication mechanisms.
  • Kerberos has strict time requirements, which means the clocks of the involved hosts must be synchronized within configured limits. Tickets have a validity period, and if the host clock is not synchronized with the Kerberos server clock, authentication will fail. The default configuration per MIT requires that clock times be no more than five minutes apart. In practice, Network Time Protocol daemons are usually used to keep the host clocks synchronized.
  • The administration protocol is not standardized and differs between server implementations. Password changes are described in RFC 3244.
  • Since all authentication is controlled by a centralized KDC, compromise of this authentication infrastructure will allow an attacker to impersonate any user.
  • Each network service which requires a different host name will need its own set of Kerberos keys. This complicates virtual hosting and clusters.
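
The timing rule from the clock-synchronization item above, as an added example that is not part of the original page: a simplified Python model of the time comparisons a Kerberos service applies to a request, using the error names from RFC 4120. The function names, the 10-hour ticket lifetime and the timestamps are assumptions made for the illustration.

```python
from datetime import datetime, timedelta, timezone

# Five-minute tolerance: the MIT default mentioned in the text.
MAX_SKEW = timedelta(minutes=5)


def check_request_times(server_now, auth_ctime, tkt_start, tkt_end, max_skew=MAX_SKEW):
    """Return "OK" or the RFC 4120 error a service would send back.

    Simplified model: only the time comparisons, no crypto or replay cache.
    """
    # Client timestamp in the authenticator vs. the service's own clock.
    if abs(server_now - auth_ctime) > max_skew:
        return "KRB_AP_ERR_SKEW"
    # Ticket not yet valid from the service's point of view.
    if tkt_start - server_now > max_skew:
        return "KRB_AP_ERR_TKT_NYV"
    # Ticket lifetime over, even allowing for skew.
    if server_now - tkt_end > max_skew:
        return "KRB_AP_ERR_TKT_EXPIRED"
    return "OK"


def simulate(client_drift, service_drift, age, lifetime=timedelta(hours=10)):
    """One service request; drifts are each host's offset from the KDC clock.

    The issue time and the 10-hour lifetime are constructed sample values.
    """
    issued = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)
    true_now = issued + age
    return check_request_times(
        server_now=true_now + service_drift,
        auth_ctime=true_now + client_drift,
        tkt_start=issued,
        tkt_end=issued + lifetime,
    )


if __name__ == "__main__":
    m = lambda n: timedelta(minutes=n)
    cases = [
        ("both in sync", m(0), m(0), m(60)),
        ("each within 5 min of KDC, 6.5 min apart", m(3.5), m(-3), m(60)),
        ("service clock 7 min slow", m(-4), m(-7), m(1)),
        ("4 min past end time", m(0), m(0), m(604)),
        ("6 min past end time", m(0), m(0), m(606)),
    ]
    for label, c, s, age in cases:
        print(f"{label:42} -> {simulate(c, s, age)}")
```

The second case is the one a per-host check against the KDC misses: both hosts are individually within tolerance, yet the service rejects the client because their clocks differ from each other by more than five minutes.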
