Presentation is loading. Please wait.

Presentation is loading. Please wait.

Centralised User Management. What's AAA? Authentication "Who are you?" Authorisation "What are you allowed to do?" Accounting "What did you do?"

Published byJodie Black Modified over 9 years ago

Similar presentations

Presentation on theme: "Centralised User Management. What's AAA? Authentication "Who are you?" Authorisation "What are you allowed to do?" Accounting "What did you do?""— Presentation transcript:

1 Centralised User Management

2 What's AAA? Authentication "Who are you?" Authorisation "What are you allowed to do?" Accounting "What did you do?"

3 Centralised Because we need control of the systems we own and manage We need scalability in management e.g. not have to reconfigure hundreds of machines every time someone joins or leaves We need something which is auditable - confidence that we haven't accidentally missed something

4 Solution presented here KERBEROS for authentication, LDAP for authorisation (and SYSLOG for accounting) We'll be using open source: MIT Kerberos and OpenLDAP Microsoft Active Directory is basically Kerberos + LDAP + DNS; if you like it, by all means use it Microsoft's tweaked versions of protocols May require extra configuration, e.g. install Microsoft Services For Unix (SFU)

5 Kerberos overview Based on symmetric (private key) cryptography Secure, fast, scalable Provides true single sign-on Type your password once at start of day Your password is never sent to services you use! KDC: Key Distribution Centre REALM: Collection of users and machines which all trust the same KDC. Named in UPPER.CASE to distinguish from a DNS domain Informal protocol design: http://web.mit.edu/kerberos/www/dialogue.htmlhttp://web.mit.edu/kerberos/www/dialogue.html

6 KDC Database A simple table of "things" and "passwords" users: myname@WS.NSRC.ORG hosts: host/noc.ws.nsrc.org@WS.NSRC.ORG services: HTTP/www.ws.nsrc.org@WS.NSRC.ORG Kerberos calls them all "principals" Passwords (shared secrets) stored in clear text Actually, entered password munged into a binary key

7 Shared secrets KDC realm FOO principalkey myname@FOOXXXXX host/noc.ws@FOOYYYYY User Password in brain noc.ws Shared secret (user password) Shared secret (host key) Host Key in /etc/krb5.keytab

8 Prove identity via "tickets" When you want to access a service, you first obtain a "ticket" for that service The KDC sends you the ticket, which is encrypted with the service's key Only the KDC and the service know this key Hence the service knows that the ticket must have come from the KDC You never send your password to the service Tickets are time-limited (typically 10 hours)

9 Ticket Granting Service KDC TGS noc.ws Ticket request for noc.ws Decrypt ticket Check timestamp Ticket (encrypted with noc.ws secret) Login + Ticket Ticket stored in cache file, can be reused until expires

10 Obtaining tickets Each ticket is only readable by one particular host/service, so you need to obtain a ticket for each one To avoid having to enter your password each time, you first obtain a master ticket: a "ticket granting ticket" Your TGT is encrypted with your own password, and decrypted when you receive it Unix program: kinit See also: klist, kdestroy

11 Authentication Service KDC AS Authentication request kinit Decrypted TGT stored in cache file TGT (encrypted with user's password) Future-proof: The AS can be replaced with another auth mechanism (e.g. smartcards), but the TGT and tickets are the same

12 Practical: Kerberos client sudo apt-get install krb5-user sudo editor /etc/krb5.conf # delete everything, replace with this: [libdefaults] default_realm = WS.NSRC.ORG dns_lookup_realm = true dns_lookup_kdc = true sudo editor /etc/ssh/ssh_config # OSX: /etc/ssh_config... GSSAPIAuthentication yes # check this line GSSAPIKeyExchange yes # optional extra... kinit testuser # enter password when prompted ssh testuser@noc.ws.nsrg.org # logout, then login somewhere else ssh testuser@s1.ws.nsrc.org Magic which I will explain later

13 Simple enough? Easy to train your users - they don't need to know how it works Little work to configure client machines (scalable) Of course, we had to build the server side first :-)

14 Multi-protocol support What we've seen so far is similar to what you can do with ssh + pubkey authentication + ssh-agent (*) But Kerberos can authenticate many other protocols: POP3, IMAP, HTTP, LDAP, even telnet! Bolt-on using SASL and GSSAPI Also optionally adds encryption to those protocols Oh, and it does mutual authentication too No need to have CA certificate or ssh host keys (For ssh, set "GSSAPIKeyExchange yes" on server and client) http://www.sxw.org.uk/computing/patches/openssh.html http://www.sxw.org.uk/computing/patches/openssh.html (*) You can even forward your kerberos tickets to another host, like ssh agent forwarding

15 Demo: HTTP with Kerberos http://noc.ws.nsrc.org/secure You need to configure your client to attempt Kerberos authentication. #### For curl #### curl --negotiate -u : http://...... #### For Firefox #### Go to about:config Filter on "negotiate" network.negotiate-auth.trusted-uris ws.nsrc.org #### For Google Chrome #### Start using: /opt/google/chrome/google-chrome \ --auth-server-whitelist=*.ws.nsrc.org # Use kdestroy and kinit to convince yourself!

16 Demo: LDAP with Kerberos sudo apt-get install ldap-utils sudo apt-get install libsasl2-modules-gssapi-mit ldapsearch -Y GSSAPI -H ldap://ldap.ws.nsrc.org \ -b "dc=ws,dc=nsrc,dc=org" "(cn=*test*)" # Note: # (1) No password prompt! (kdestroy to confirm) # (2) Data encrypted (tcpdump to confirm)

17 Kerberos and DNS

18 Locating KDCs for realm Client needs to locate the KDC(s) for a realm This can be statically configured in krb5.conf [realms] WS.NSRC.ORG = { kdc = kdc1.ws.nsrc.org kdc = kdc2.ws.nsrc.org admin_server = kdc1.ws.nsrc.org } Or we can lookup SRV records in DNS This saves configuration on the clients $ dig _kerberos._udp.ws.nsrc.org srv ;; ANSWER SECTION: _kerberos._udp.ws.nsrc.org. 600 IN SRV 0 100 88 kdc1.ws.nsrc.org. _kerberos._udp.ws.nsrc.org. 600 IN SRV 0 100 88 kdc2.ws.nsrc.org.

19 Host to realm mapping When you connect to a host, you need to know what realm it is in (so client can get the right ticket) You can configure this statically in krb5.conf [domain_realm].ws.nsrc.org = WS.NSRC.ORG Or again you can use the DNS

20 Host to realm algorithm Reverse lookup IP to FQDN (foo.bar.baz.com) Look for TXT record in turn: _kerberos.bar.baz.com _kerberos.baz.com _kerberos.com Fallback is FQDN without hostname, uppercased Note: the "default_realm" from krb5.conf isn't used $ dig _kerberos.ws.nsrc.org txt ;; ANSWER SECTION: _kerberos.ws.nsrc.org. 600 IN TXT "WS.NSRC.ORG"

21 Importance of DNS It's critical that forward and reverse DNS is correctly configured for all servers you connect to, or it won't work Multi-homed hosts need care. Either: one hostname, multiple A records, all PTR records point to same hostname or: separate hostname for each interface, with matching forward and reverse See the Kerberos FAQ for more info

22 Kerberos gotchas Clocks must be synced (within 5 minutes) Realm must be in UPPER.CASE Target must have correct forward+reverse DNS Target must know its own hostname Check "hostname", /etc/hostname Not too difficult? if you can get these things right, you can turn off ssh password authentication entirely if it breaks, can still get in on the console to fix it

Download ppt "Centralised User Management. What's AAA? Authentication "Who are you?" Authorisation "What are you allowed to do?" Accounting "What did you do?""

Similar presentations

AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
KERBEROS LtCdr Samit Mehra (05IT 6018).

KERBEROS LtCdr Samit Mehra (05IT 6018).
KERBEROS A NETWORK AUTHENTICATION PROTOCOL Nick Parker CS372 Computer Networks.

KERBEROS A NETWORK AUTHENTICATION PROTOCOL Nick Parker CS372 Computer Networks.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
SCSC 455 Computer Security

SCSC 455 Computer Security
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2. PARC Once Again Once again XEROX PARC helped develop the basis for wide spread technology Needham-Schroeder.

Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2. PARC Once Again Once again XEROX PARC helped develop the basis for wide spread technology Needham-Schroeder.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Using Kerberos the fundamentals. Computer/Network Security needs: Authentication Who is requesting access Authorization What user is allowed to do Auditing.

Using Kerberos the fundamentals. Computer/Network Security needs: Authentication Who is requesting access Authorization What user is allowed to do Auditing.
Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.

Chapter 14 From Cryptography and Network Security Fourth Edition written by William Stallings, and Lecture slides by Lawrie Brown, the Australian Defence.
AUTHENTICATION APPLICATIONS - Chapter 14 Kerberos X.509 Directory Authentication (S/MIME)

AUTHENTICATION APPLICATIONS - Chapter 14 Kerberos X.509 Directory Authentication (S/MIME)
1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.

1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.

Similar presentations

Ads by Google