AFS & Kerberos Best Practices Workshop 2008 Design Goals Functions that require authentication Solution Space Kerberos, GSSAPI or SASL (Decide on your.

Presentation transcript:

Overview
- Design Goals
- Functions that require authentication
- Solution Space
- Kerberos, GSSAPI or SASL (Decide on your API!)
- Test Environment
- Configuration options
- Kerberos vs. GSSAPI
- Deployment issues

Design Goals
- Try for a best practices implementation
- KDC compatibility (MIT/Heimdal/Windows/CyberSafe/others)
- Heterogeneous support (Linux, UNIX, Windows, OSX, Netware)
- Compatibility with the existing TiBS solution
- Customer ease of use
- Minimize support costs

Functions that require authentication
TiBS Server initiated operations
- The TiBS Server is the Kerberos client
- The TiBS Client is the Kerberos application server
- Backup, restore, and auditing programs
- Command line (as root) and cron jobs
TiBS Client initiated operations
- The TiBS Client is the Kerberos client
- The TiBS Server is the Kerberos application server
- Backup (local and request modes)
- Command line (as root OR user) and cron jobs

Solution Space
How to build?
- Statically link against some library
- Dynamically link (dlopen) and ship libraries
- Use a shim to allow clients to build their own binaries
What to build?
- Kerberos 5
- GSSAPI
- SASL
Whose libraries to build against?
- MIT/Heimdal/OS Vendor/Commercial

Decide on your API! (Why choose Kerberos)
- You want to get initial credentials.
- You want to renew Kerberos tickets.
- You want to do user-to-user authentication.
- You are writing something for internal use and want to get away with a minimum amount of code.
- You want to guarantee a single round-trip authentication.
- You are using a datagram protocol.
- You want to make use of various Kerberos ticket fields.
- You're not concerned about porting from Heimdal to MIT, or vice versa.

Decide on your API! (Why choose GSSAPI)
- You want API stability between MIT, Heimdal, or other Kerberos implementations.
- You want to make use of native Windows Kerberos services.
- You want to add GSSAPI mech support to an application that already implements SASL internally.
- You want to provide a path for supporting other security mechanisms in the future.

Decide on your API! (Why choose SASL)
- You want the ability to support a wide variety of security mechanisms, today.
- You need to interoperate with protocols that use SASL and you can guarantee that Cyrus-SASL will be available.
- You need the ability to negotiate the use of encryption.

Test Environment
- MIT (1.6.3) and Heimdal (1.1) libraries
- Static, dynamic, dlopen (MIT does not support static libraries)
- Solaris & Linux (primary backup servers)
- Kerberos and GSSAPI
- Clients can use Standard, Kerberos, or GSSAPI authentication
- Servers accept any of these methods

Configuration options: Alternate keytabs (KRB5_KTNAME environment variable)
1. Regular users need to authenticate with a common principal
2. You have services that do not run as root
Example:
TIBS_KEYTAB=/usr/tibs/tibs.keytab
if (setenv("KRB5_KTNAME", keytab_string, 1) != 0) warn(...);
Our application primarily runs as root, so #1 is possible
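The slide shows the setenv() call but not the checks that belong around it. The following is an added example, not TiBS code and not from the workshop: it takes the keytab path from the application's own configuration (the slide's TIBS_KEYTAB value, passed in as `requested`), falls back to an administrator-exported KRB5_KTNAME, refuses a keytab that is missing, unreadable, or accessible to "other", and only then exports KRB5_KTNAME. The "FILE:" prefix handling relies on MIT and Heimdal both accepting that prefix in KRB5_KTNAME; the status names and the refuse-if-world-accessible policy are this example's own choices.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Result of trying to point the Kerberos library at an alternate keytab. */
typedef enum {
    KT_OK = 0,          /* KRB5_KTNAME now points at a usable keytab */
    KT_NO_PATH,         /* nothing requested and KRB5_KTNAME not already set */
    KT_UNREADABLE,      /* file missing or not readable by this process */
    KT_TOO_OPEN,        /* keytab is accessible to "other"; refused */
    KT_SETENV_FAILED    /* setenv() itself failed (e.g. out of memory) */
} kt_status;

/* Validate a keytab path and export it through KRB5_KTNAME.
 * requested: the path from the application's own configuration (the slide's
 *            TIBS_KEYTAB value), or NULL to keep whatever KRB5_KTNAME the
 *            administrator already exported.
 * MIT and Heimdal accept an optional "FILE:" prefix on KRB5_KTNAME, so the
 * prefix is stripped before the file is inspected but kept in the exported
 * value. */
kt_status configure_keytab(const char *requested)
{
    const char *value = requested;
    if (value == NULL || *value == '\0')
        value = getenv("KRB5_KTNAME");
    if (value == NULL || *value == '\0')
        return KT_NO_PATH;

    const char *file = value;
    if (strncmp(file, "FILE:", 5) == 0)
        file += 5;

    struct stat st;
    if (stat(file, &st) != 0 || access(file, R_OK) != 0)
        return KT_UNREADABLE;

    /* A keytab holds long-term keys: this example treats any "other"
     * permission bit as a misconfiguration and refuses to use the file
     * (a policy choice made here, not something the slide prescribes). */
    if (st.st_mode & S_IRWXO)
        return KT_TOO_OPEN;

    if (setenv("KRB5_KTNAME", value, 1) != 0)
        return KT_SETENV_FAILED;
    return KT_OK;
}

static const char *kt_status_text(kt_status s)
{
    switch (s) {
    case KT_OK:            return "ok";
    case KT_NO_PATH:       return "no keytab path given and KRB5_KTNAME unset";
    case KT_UNREADABLE:    return "keytab missing or unreadable";
    case KT_TOO_OPEN:      return "keytab is accessible to other; refusing to use it";
    case KT_SETENV_FAILED: return "setenv(KRB5_KTNAME) failed";
    }
    return "unknown";
}

int main(int argc, char **argv)
{
    /* Usage: ./keytab-check [/path/to/tibs.keytab]
     * With no argument the existing KRB5_KTNAME (if any) is validated. */
    kt_status s = configure_keytab(argc > 1 ? argv[1] : NULL);
    fprintf(stderr, "keytab: %s\n", kt_status_text(s));
    if (s == KT_OK)
        printf("KRB5_KTNAME=%s\n", getenv("KRB5_KTNAME"));
    return s == KT_OK ? 0 : 1;
}
```

Calling configure_keytab() before the first krb5 or GSSAPI call is what makes the variable take effect for the library; the mode check is what keeps case #2 on the slide (services not running as root) from quietly sharing a key with every local account.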

Configuration options: Alternate service principals
1. Regular users need to authenticate with a common principal
2. You have services that do not run as root
3. Allow access to backup clients from multiple servers (as root)
KRB5_KEY_LOOKUP=
If your service principals are not in Kerberos:
- Kerberos: krb5_mk_req_extended();
- GSSAPI: gss_import_name(); with GSS_C_NT_USER_NAME

Configuration options: Server Side Access Control Lists
- Regular users use their existing credentials
- Allow or deny services
Example:
*|laptop1|backup
*|*|deny
We will probably need to do this
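The slide gives two ACL lines but does not say how they are evaluated. The following is an added example, not TiBS code and not from the workshop; it assumes the rule format is `principal|host|action`, that `*` is a wildcard, that rules are tried top to bottom with the first match deciding, that the action `deny` rejects while any other action names the permitted service, and that a request matching no rule is denied. All of that is this example's reading of the two sample lines; the additional `backup/*@EXAMPLE.COM` rule in main() is constructed.

```c
#include <stdio.h>
#include <string.h>

#define ACL_FIELDS   3     /* principal | host | action */
#define ACL_MAX_RULE 256

typedef enum { ACL_DENY = 0, ACL_ALLOW = 1 } acl_verdict;

/* Minimal glob: '*' matches any run of characters (including none);
 * every other character matches itself. Enough for "*" and "backup/*@REALM". */
static int glob_match(const char *pat, const char *s)
{
    for (;;) {
        if (*pat == '\0')
            return *s == '\0';
        if (*pat == '*') {
            while (*pat == '*')
                pat++;
            if (*pat == '\0')
                return 1;
            for (; *s != '\0'; s++)
                if (glob_match(pat, s))
                    return 1;
            return 0;
        }
        if (*s == '\0' || *pat != *s)
            return 0;
        pat++;
        s++;
    }
}

/* Split "principal|host|action" into three fields inside buf (a private copy).
 * Returns 0 on success, -1 when the rule does not have exactly three fields. */
static int acl_parse_rule(const char *rule, char *buf, size_t buflen,
                          const char *fields[ACL_FIELDS])
{
    size_t n = strlen(rule);
    if (n >= buflen)
        return -1;
    memcpy(buf, rule, n + 1);
    char *p = buf;
    for (int i = 0; i < ACL_FIELDS; i++) {
        char *sep = strchr(p, '|');
        fields[i] = p;
        if (i < ACL_FIELDS - 1) {
            if (sep == NULL)
                return -1;
            *sep = '\0';
            p = sep + 1;
        } else if (sep != NULL) {
            return -1;          /* more than three fields */
        }
    }
    return 0;
}

/* Evaluate rules top to bottom; the first rule whose principal and host
 * patterns both match decides. An action of "deny" rejects; anything else is
 * the permitted service name, copied to action_out. No match means deny. */
acl_verdict acl_evaluate(const char *rules[], size_t nrules,
                         const char *principal, const char *host,
                         char *action_out, size_t action_len)
{
    for (size_t i = 0; i < nrules; i++) {
        char buf[ACL_MAX_RULE];
        const char *f[ACL_FIELDS];
        if (acl_parse_rule(rules[i], buf, sizeof buf, f) != 0) {
            /* Malformed rules are reported and skipped. The default deny
             * below still applies, but a skipped deny rule could let a later
             * allow rule match, so this message should not be ignored. */
            fprintf(stderr, "acl: ignoring malformed rule %zu: %s\n", i, rules[i]);
            continue;
        }
        if (!glob_match(f[0], principal) || !glob_match(f[1], host))
            continue;
        if (strcmp(f[2], "deny") == 0)
            return ACL_DENY;
        if (action_out != NULL && action_len > 0)
            snprintf(action_out, action_len, "%s", f[2]);
        return ACL_ALLOW;
    }
    return ACL_DENY;            /* nothing matched: fail closed */
}

int main(void)
{
    /* Constructed sample ACL: the slide's two rules plus one hypothetical
     * rule for backup service principals. */
    const char *rules[] = {
        "backup/*@EXAMPLE.COM|*|restore",
        "*|laptop1|backup",
        "*|*|deny",
    };
    const char *checks[][2] = {
        { "alice@EXAMPLE.COM", "laptop1" },
        { "alice@EXAMPLE.COM", "fileserver" },
        { "backup/srv1@EXAMPLE.COM", "fileserver" },
    };
    for (size_t i = 0; i < sizeof checks / sizeof checks[0]; i++) {
        char action[32] = "";
        acl_verdict v = acl_evaluate(rules, 3, checks[i][0], checks[i][1],
                                     action, sizeof action);
        printf("%-28s %-12s -> %s %s\n", checks[i][0], checks[i][1],
               v == ACL_ALLOW ? "allow" : "deny", action);
    }
    return 0;
}
```

The principal string handed to acl_evaluate() should be the authenticated name the Kerberos or GSSAPI layer returned, never a name the client supplied in its own request; the trailing `*|*|deny` line is redundant with the built-in default deny but makes the policy explicit to whoever reads the file.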

Kerberos vs. GSSAPI
- Leaning towards deployment with GSSAPI
- Easy implementation using example code from Sun
- Windows SSPI
- May want to use Solaris native libraries

Deployment issues
Static Linking
- Works with no configuration changes
- Minimal changes to our installer
- Safe bet for keeping backups running
Dynamic Linking
- Ship dynamic link libraries you compile against
- Manage LD_LIBRARY_PATH
- Ongoing problems with deployment
  Linux GLIBC_2.2.5 with Heimdal-1.1
  LD_LIBRARY_PATH=/usr/local/BerkeleyDB/v4/lib

Deployment issues
- Linux: strongly considering static linking
- Solaris: still looking at the OS libraries, otherwise probably static linking
- Windows: looking at SSPI
- OSX: stay tuned
- SHIM: stay tuned