Kerberos is an example of something that just works but is not for the lazy. It was clearly designed by Engineers and not Kool Kidz. The infrastructure required to make it work is not completely trivial but it is free in nearly all senses of the word.
If you can't be arsed to get clocks in sync and DNS to work properly then this is not for you but then neither is any sort of reasonably useful IT related stuff.
Kerberos is a mythical Greek dog and Dramatis Personae is a Latin phrase adopted by theatre and the main text is in English. The canonical justification text (cited above) is clearly an Engineer's work.
This is a very nice exposition of the problem statement. However --
"Athena: You could solve the problem clumsily by requiring the mail server to ask for a password before I could use it. I prove who I am to the server by giving it my password.
Euripides: That's clumsy all right. In a system like that, every server has to know your password. If the network has one thousand users, each server has to know one thousand passwords. If you want to change your password, you have to contact all servers and notify them of the change. I take it your system isn't this stupid."
-- if this isn't a problem for you, as it isn't (or can't really be worked around) on a decentralized network like the internet, then Kerberos seems like an over-engineered marvel for a bygone era. For a closed intranet though, like universities or corporate networks, Kerberos is still around.
Kerberos 5 is somewhat distributed—"realms" loosely map to domains. Kerberos's architecture is very similar to Shibboleth, which is web-based and has a certain level of popularity.
> Charon uses the username to look up your password. Next Charon builds a packet of data that contains the ticket-granting ticket. Before it sends you the packet, Charon uses your password to encrypt the packet's contents.
> Your workstation receives the ticket packet. You enter your password. Kinit attempts to decrypt the ticket with the password you entered. If kinit succeeds, you have successfully authenticated yourself to Charon. You now possess a ticket-granting ticket, and that ticket can get you the other tickets you require.
In this system Kerberos needs to know your plaintext password, no? How was this problem solved?
