Presentation is loading. Please wait.

Presentation is loading. Please wait.

Single Sign-on with Kerberos

Published byDinah Cassandra McLaughlin Modified over 5 years ago

Similar presentations

Presentation on theme: "Single Sign-on with Kerberos"— Presentation transcript:

1 Single Sign-on with Kerberos
Chris Eberle Ryan Thomas RC Johnson Kim-Lan Tran CS-591 Fall 2008

2 Introduction: Services
Example of network services Shell Accounts Websites Each traditionally responsible for authenticating users Duplicate user information LDAP solves duplication problem by acting as directory service User must still authenticate each time service is accessed

3 Single Sign-on Technique used to validate user's identity only once and give secure access to all network services Motivation Gets rid of constant password prompts System administrator manages one group of users instead of several groups for different services User only has one password to remember

4 Project Outline Setup Kerberos
Popular mechanism used to achieve single sign-on Setup 3 virtual machines on a network Setup various network services SSH FTP NFS Mail

5 LDAP Overview Lightweight Directory Access Protocol
Stores information about users, groups, DNS, or any database utilizing service Can add, modify, and query for information

6 LDAP Choice Chose OpenLDAP Created in 1998
Loosely based on LDAP server at University of Michigan Uses insecure communication mechanism “One of the team members may have killed himself if we used a proprietary implementation” Other LDAP choices Active Directory by Microsoft Open Directory by Novell Red Hat Directory Server by Red Hat

7 SSL Overview Secure Socket Layer
Protocol used to ensure that data transferred over networks are encrypted Prevents tampering and eavesdropping Use OpenSSL Implements SSL and newer protocol TLS (Transport Layer Security)‏

8 Kerberos Overview Way to securely prove one's identity over network
Open source application developed by MIT Made up of two parts Authentication server Ticket granting server Ticket is granted after user authenticated Use symmetric key cryptography Expires after period of time User presents ticket to service Service authenticates user without prompting for password

9 Kerberos Diagram

10 Project Design 3 Virtual Machines named Kenny, Cartman, and Stan
Cartman (Debian Lenny)‏ Central server LDAP, Kerberos, NTPserver Stan (Debian Lenny)‏ Secondary server Mail, NFS, FTP Kenny (Ubuntu 8.04)‏ Client All three run SSH servers Kenny and Cartman mount Stan's NFS share Does not accept RSA or DSA keys in SSH Mail client on Kenny does not store passwords

11 LDAP Setup Serves as base for user information
Used BDB database for backend Challenge to find different configuration files on Debian and Ubuntu Tell name services to use LDAP Configure PAM (Pluggable Authentication Modules) to authenticate against LDAP Removed all local accounts from machines

12 SSL Setup Generate certificates
Problems with pointing to correct certificates Needed to fix configuration files Problems with nomenclature References to ldaps or StartTLS protocols Changed configuration from ldaps to ldap and enabled StartTLS

13 Kerberos Setup Create and initialize realm
Create principles for all hosts, users, and services Change PAM from using LDAP to Kerberos LDAP still needed for other reasons Install Kerberos keys into the key stores of all clients All machines must have the correct date and time Validate session for ticket Example principles:

14 Kerberos (contd)‏ User authentication handled by Kerberos, but user information (user id, groups, shell, home directory, etc) still handled by LDAP. Users must recreate their password, so migrating from LDAP on a large network may not be feasible.

15 SSH Setup Modify the SSH Server configuration to accept GSSAPI (Kerberos) credentials GSSAPIAuthentication yes GSSAPICleanupCredentials yes GssapiKeyExchange yes AllowTcpForwarding yes Modify the SSH Client configuration to send GSSAPI credentials when connecting GSSAPIDelegateCredentials yes Users only need to log in once to SSH anywhere, or use any other Kerberos services.

16 FTP Setup Setup FTP on Stan Needed package “krb5-ftpd”
“Kerberized” version of FTP Problem in not realizing that server daemon, inetd, wasn't installed Manages services by mapping them to a specific ports and launches correct services Used “krb-ftp” command on Kenny to test FTP Came with the”krb-client” package

17 NFS Setup NFSv4 Setup Server Added principles to Kerberos
Modified exports file Ensure RPC services were starting correctly (idmap)‏ Setup Client RPC services (idmap)‏ Import Kerberos Keys Recreated key files on all machines Verified permissions and mount points Setup to automatically mount home directories

18 IMAP Server Set up dovecot (popular IMAP server) with secure SSL extensions on Stan. Kerberos used for authentication, regular password authentication disabled LDAP used for user information (e.g. path to their mail directories)‏ Set up a quick-n-dirty postfix install to allow delivery of mail (no Kerberos though)‏

19 IMAP Client Used thunderbird on Kenny as IMAP client
Must tell thunderbird to use Kerberos Option is “Use secure authentication” (different than SSL/TSL)‏ Client can receive after logging in to the desktop without being asked for a password. Bonus: Thunderbird doesn’t have to store your password anywhere, so it’s more secure.

20 Future Directions Add firewall security
Add more services such as Apache Add multiple platforms Add security to SMTP

21 Chris References Debian (www.debian.org)‏ Ubuntu (ubuntuforums.org)‏
en.gentoo-wiki.com Chris

Download ppt "Single Sign-on with Kerberos"

Similar presentations

KERBEROS A NETWORK AUTHENTICATION PROTOCOL Nick Parker CS372 Computer Networks.

KERBEROS A NETWORK AUTHENTICATION PROTOCOL Nick Parker CS372 Computer Networks.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.

Kerberized Credential Translation Olga Kornievskaia Peter Honeyman Bill Doster Kevin Coffman Center for Information Technology Integration University of.
Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.

Module 5: TLS and SSL 1. Overview Transport Layer Security Overview Secure Socket Layer Overview SSL Termination SSL in the Hosted Environment Load Balanced.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
15.1 © 2004 Pearson Education, Inc. Exam 70-290 Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 15: Configuring a Windows.

15.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 15: Configuring a Windows.
1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.

1 Objectives Configure Network Access Services in Windows Server 2008 RADIUS 1.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.

Module 6 Windows 2000 Professional 6.1 Installation 6.2 Administration/User Interface 6.3 User Accounts 6.4 Managing the File System 6.5 Services.
Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.

Apache : Installation, Configuration, Basic Security Presented by, Sandeep K Thopucherela, ECE Department.
APACHE SERVER By Innovationframes.com »

APACHE SERVER By Innovationframes.com »
70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 10: Remote Access.

70-291: MCSE Guide to Managing a Microsoft Windows Server 2003 Network Chapter 10: Remote Access.
TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series 2008 - WebSEAL SSO, Session 1 Presented by: Andrew Quap.

TAM STE Series 2008 © 2008 IBM Corporation WebSEAL SSO, Session 108/2008 TAM STE Series WebSEAL SSO, Session 1 Presented by: Andrew Quap.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.

SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
Chapter 7: Using Windows Servers to Share Information.

Chapter 7: Using Windows Servers to Share Information.
70-284 MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.

MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
Securing Microsoft® Exchange Server 2010

Securing Microsoft® Exchange Server 2010
Copyright ®xSpring Pte Ltd, All rights reserved Versions DateVersionDescriptionAuthor May 20121.0First version. Modified from Enterprise edition.NBL.

Copyright ®xSpring Pte Ltd, All rights reserved Versions DateVersionDescriptionAuthor May First version. Modified from Enterprise edition.NBL.
Course ILT Internet/intranet support Unit objectives Use the Internet Information Services snap-in to manage IIS, Web sites, virtual directories, and WebDAV.

Course ILT Internet/intranet support Unit objectives Use the Internet Information Services snap-in to manage IIS, Web sites, virtual directories, and WebDAV.
Postfix Mail Server Postfix is used frequently and handle thousands of messages. compatible with sendmail at command level. high performance program easier-

Postfix Mail Server Postfix is used frequently and handle thousands of messages. compatible with sendmail at command level. high performance program easier-

Similar presentations

Ads by Google