AFS & Kerberos Best Practices Workshop 2008 Design Goals Functions that require authentication Solution Space Kerberos, GSSAPI or SASL (Decide on your.

Slide 2: Overview
- Design Goals
- Functions that require authentication
- Solution Space
- Kerberos, GSSAPI or SASL (Decide on your API!)
- Test Environment
- Configuration options
- Kerberos vs. GSSAPI
- Deployment issues

Slide 3: Design Goals
- Try for a best practices implementation
- KDC compatibility (MIT/Heimdal/Windows/CyberSafe/others)
- Heterogeneous support (Linux, UNIX, Windows, OSX, Netware)
- Compatibility with the existing TiBS solution
- Customer ease of use
- Minimize support costs

Slide 4: Functions that require authentication
TiBS Server initiated operations
- The TiBS Server is the Kerberos client
- The TiBS Client is the Kerberos application server
- Backup, restore, and auditing programs
- Command line (as root) and cron jobs
TiBS Client initiated operations
- The TiBS Client is the Kerberos client
- The TiBS Server is the Kerberos application server
- Backup (local and request modes)
- Command line (as root OR user) and cron jobs

Slide 5: Solution Space (kerberos@mit.edu, lots of paths…)
How to build?
- Statically link against some library
- Dynamically link (dlopen) and ship libraries
- Use a shim to allow clients to build their own binaries
What to build?
- Kerberos 5
- GSSAPI
- SASL
Who to build?
- MIT/Heimdal/OS Vendor/Commercial

Slide 6: Decide on your API! (Why choose Kerberos)
- You want to get initial credentials.
- You want to renew Kerberos tickets.
- You want to do user-to-user authentication.
- You are writing something for internal use and want to get away with a minimum amount of code.
- You want to guarantee a single round-trip authentication.
- You are using a datagram protocol.
- You want to make use of various Kerberos ticket fields.
- You're not concerned about porting from Heimdal to MIT, or vice versa.

Slide 7: Decide on your API! (Why choose GSSAPI)
- You want API stability between MIT, Heimdal, or other Kerberos implementations.
- You want to make use of native Windows Kerberos services.
- You want to add GSSAPI mech support to an application that already implements SASL internally.
- You want to provide a path for supporting other security mechanisms in the future.

Slide 8: Decide on your API! (Why choose SASL)
- You want the ability to support a wide variety of security mechanisms, today.
- You need to interoperate with protocols that use SASL and you can guarantee that Cyrus-SASL will be available.
- You need the ability to negotiate the use of encryption.

Slide 9: Test Environment
- MIT (1.6.3) and Heimdal (1.1) libraries
- Static, dynamic, dlopen (MIT does not support static libraries)
- Solaris & Linux (primary backup servers)
- Kerberos and GSSAPI
- Clients can use Standard, Kerberos, or GSSAPI authentication
- Servers accept any of these methods

Slide 10: Configuration options
Alternate keytabs (KRB5_KTNAME environment variable)
1. Regular users need to authenticate with a common principal
   Example: tibs/backup@REALM
2. You have services that do not run as root
   TIBS_KEYTAB=/usr/tibs/tibs.keytab
   /* point the Kerberos library at the alternate keytab; setenv() returns non-zero on failure */
   if (setenv("KRB5_KTNAME", keytab_string, 1) != 0) warn(...);
Our application primarily runs as root, so #1 is possible

Slide 11: Configuration options
Alternate service principals (default == host/hostname@REALM)
1. Regular users need to authenticate with a common principal
   KRB5_ACCEPT_PRINC=tibs/backup@REALM
2. You have services that do not run as root
3. Allow access to backup clients from multiple servers (as root)
   KRB5_KEY_LOOKUP=tibs/backup@REALM
If your service principals are not in service/hostname@REALM format:
- Kerberos: krb5_mk_req_extended()
- GSSAPI: gss_import_name() with GSS_C_NT_USER_NAME

Slide 12: Configuration options
Server Side Access Control Lists
- Regular users use their existing credentials
- Allow or deny services
Example:
user@REALM|host1|backup
*|laptop1|backup
*|*|deny
We will probably need to do this
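An added example, not TiBS code, of how a server could evaluate the three-field principal|host|service ACL shown on this slide. The slide does not state evaluation order, so this assumes first match wins, "*" matches any field, a service field of "deny" refuses access, and anything that matches no rule is refused (default deny).

```c
/* Added example (not TiBS code): matcher for "principal|host|service" ACL lines.
 * Assumptions: '*' is a wildcard, first matching rule wins, a service field of
 * "deny" refuses access, and a request that matches no rule is refused. */
#include <stdio.h>
#include <string.h>

#define MAX_LINE 384

/* Compare one ACL field with a request value; "*" matches anything. */
static int field_matches(const char *pattern, const char *value)
{
    return strcmp(pattern, "*") == 0 || strcmp(pattern, value) == 0;
}

/* Return 1 if principal connecting from host may run service, else 0.
 * acl is the ACL text, one rule per line; blank lines and '#' comments are skipped. */
int acl_allows(const char *acl, const char *principal,
               const char *host, const char *service)
{
    char line[MAX_LINE];
    const char *p = acl;

    while (*p) {
        size_t n = strcspn(p, "\n");       /* length of the current line */
        const char *start = p;
        p += n;
        if (*p == '\n') p++;
        if (n == 0 || n >= sizeof line || *start == '#')
            continue;                      /* blank, over-long, or comment line */
        memcpy(line, start, n);
        line[n] = '\0';

        /* split into principal|host|service; malformed rules are ignored */
        char *f_princ = line;
        char *f_host = strchr(f_princ, '|');
        if (!f_host) continue;
        *f_host++ = '\0';
        char *f_svc = strchr(f_host, '|');
        if (!f_svc) continue;
        *f_svc++ = '\0';

        if (!field_matches(f_princ, principal) || !field_matches(f_host, host))
            continue;                      /* rule does not apply to this request */
        if (strcmp(f_svc, "deny") == 0) return 0;   /* explicit deny */
        if (field_matches(f_svc, service)) return 1; /* allowed */
    }
    return 0;                              /* default deny */
}

/* Constructed ACL mirroring the slide's example. */
const char *SAMPLE_ACL =
    "user@REALM|host1|backup\n"
    "*|laptop1|backup\n"
    "*|*|deny\n";
```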

Slide 13: Kerberos vs. GSSAPI
- Leaning towards deployment with GSSAPI
- Easy implementation using example code from Sun
- Windows SSPI
- May want to use Solaris native libraries

Slide 14: Deployment issues
Static Linking
- Works with no configuration changes
- Minimal changes to our installer
- Safe bet for keeping backups running
Dynamic Linking
- Ship dynamic link libraries you compile against
- Manage LD_LIBRARY_PATH
- Ongoing problems with deployment
  Linux GLIBC_2.2.5 with Heimdal-1.1
  LD_LIBRARY_PATH=/usr/local/BerkeleyDB/v4/lib

Slide 15: Deployment issues
- Linux: strongly considering static linking
- Solaris: still looking at the OS libraries, otherwise probably static linking
- Windows: looking at SSPI
- OSX: stay tuned
- SHIM: stay tuned
