Presentation is loading. Please wait.

Presentation is loading. Please wait.

Kerberos on Servers "host" means ssh/telnet login to the server itself "service" means applications like HTTP, POP3 In both cases you need to: 1. Enable.

Published byGilbert Kelley Modified over 8 years ago

Similar presentations

Presentation on theme: "Kerberos on Servers "host" means ssh/telnet login to the server itself "service" means applications like HTTP, POP3 In both cases you need to: 1. Enable."— Presentation transcript:

1 Kerberos on Servers "host" means ssh/telnet login to the server itself "service" means applications like HTTP, POP3 In both cases you need to: 1. Enable Kerberos authentication in the software 2. Create a principal in the KDC 3. Put the corresponding key in a keytab file What Microsoft calls "joining a domain" Not much harder than adding clients

2 Kerberised sshd Note: don't set "KerberosAuthentication yes" That really means password login, with the password checked against KDC True Kerberos doesn't send the password at all When properly deployed you can turn off ssh password authentication completely! # editor /etc/ssh/sshd_config... GSSAPIAuthentication yes GSSAPIKeyExchange yes # when available...

3 Creating the keytab Option 1: run kadmin on the target itself, using kerberos administrator account. strong random key; copy across net is encrypted # kadmin -p username/admin addprinc -randkey host/pcN.ws.nsrc.org ktadd host/pcN.ws.nsrc.org Option 2: extract keytab on another machine, copy to target e.g. with scp Option 3: set passphrase on KDC, use ktutil on target with same passphrase (awkward in practice)

4 Kerberised Apache mod_auth_kerb in Ubuntu 8.04, RHEL 4 &up AuthName "Hello Kerberos World" AuthType Kerberos # Allow fallback to Basic Auth? KrbMethodK5Passwd Off KrbAuthRealms WS.NSRC.ORG Krb5Keytab /etc/apache2/krb5/krb5.keytab # TODO: LDAP authorisation # require user testuser@WS.NSRC.ORG require valid-user

5 Kerberised Apache Create a service principal and a keytab which is readable to the Apache user ("www-data") Depending on clients, may need to include principals for both virtual server name and real server name # mkdir /etc/apache2/krb5 # kadmin -p username/admin addprinc -randkey HTTP/noc.ws.nsrc.org ktadd -k /etc/apache2/krb5/krb5.keytab \ HTTP/noc.ws.nsrc.org ^D # chown -R www-data:www-data /etc/apache2/krb5 # chmod 550 /etc/apache2/krb5 # chmod 440 /etc/apache2/krb5/krb5.keytab

6 Authorization

7 Tickets aren't authorization A ticket is proof of your identity to a particular endpoint - nothing more (*) You can ask for tickets to prove your identity to any principal you like. KDC doesn't care. Sounds a bit like certificates? It is! Uses symmetric cryptography instead of public/private Hence you need a separate ticket for each endpoint But symmetric crypto is cheap and fast (*) Microsoft has bastardized the concept by including "Privilege Access Certificates" (PACs) in tickets. In large AD deployments tickets can become huge, and hence logins slow.

8 Login authorization sshd needs to decide whether to allow a particular principal to login as a particular user Default rule: map foo@THIS.HOSTS.REALM to system user "foo"foo@THIS.HOSTS.REALM Default denies all users in other realms You can add explicit authorization by putting principal name(s) into ~/.k5login Like adding a key to ~/.ssh/authorized_keys, but simpler

9 Login authorization (cont) But we also need to know what uid for user "foo", what groups they are in, their home directory etc We don't want to distribute /etc/passwd files! So configure system to use LDAP database for passwd and group info Can restrict logins to particular groups (pam_access) LDAP communication needs to be strongly protected, by Kerberos or TLS LDAP is controlling privileges, so it's very important that it's secure

10 libnss nscd libnss_ldap getpwnam LDAP query local files

11 Configuring LDAP /etc/ldap.conf [man nss_ldap] LDAP server and base DN; attribute mapping /etc/nsswitch.conf use LDAP for passwd, shadow, group /etc/nscd.conf /etc/cron.hourly/kerberos obtain Kerberos ticket for name service caching daemon to be able to query LDAP Make your own tarball to deploy

12 Exercise Part one: set up your machine to accept Kerberos authenticated logins Part two: set up your machine to use LDAP for uid/gid mapping We're doing it manually, but remember in real life you'd deploy a tarball/package/script etc

13 More authorization scenarios

14 Kerberos admin (kadmin) Certain people are authorized to add/modify/remove other principals via kadmin This is security critical How do we control it?

15 Option 1 List all the authorized entities in the KDC ACL brian@REALM * brian@REALM carlos@REALM * carlos@REALM hervey@REALM * hervey@REALM Advantages: Clean separation of "authentication" and "authorization" Disadvantages: Need to edit a file on the KDC to amend the ACL

16 Option 2 Admin users have a second identity: username/admin@REALM Pattern-matching ACL in the KDB */admin@REALM * Advantages: The ACL never needs adjusting You have to enter a different password when doing "admin" things (more secure??) Some tools like kadmin have this as default behaviour

17 System root access Some documents suggest having separate principals for superuser access, e.g. username/root@REALMusername/root@REALM Authorize */root to login as root (or ksu) Again, user has multiple identities I think this muddles authentication vs authorization Can use sudo, but don't want to expose password Can allow sudo with NOPASSWD for wheel group membership of this group is my authorization

18 Other services HTTP (Apache) Authorize users via LDAP groups Doesn't work with apache 2.0 / mod_auth_ldap Use apache 2.2 / mod_authnz_ldap (Ubuntu, RHEL5+) Access to LDAP database itself OpenLDAP can be configured with rules to map principal to DN (olcAuthzRegexp) Then has its own ACL for DN authorization

19 Switches and Routers Some Cisco IOS images support Kerberos You need an alternative, e.g. RADIUS or TACACS+, for those which don't I tried it, and couldn't make it work :-( Supports authorization via instance mapping, e.g. myname/enable@FOO gives enable mode myname/enable@FOO Otherwise need to a static table in TACACS+ for authorisation, or build a TACACS+ to LDAP bridge There are also commercial solutions (SecureACS)

Download ppt "Kerberos on Servers "host" means ssh/telnet login to the server itself "service" means applications like HTTP, POP3 In both cases you need to: 1. Enable."

Similar presentations

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.

Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Access Control List (ACL)

Access Control List (ACL)
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Active Directory and NT Kerberos Rooster JD Glaser.

Active Directory and NT Kerberos Rooster JD Glaser.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.

Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).

Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
MyProxy: A Multi-Purpose Grid Authentication Service

MyProxy: A Multi-Purpose Grid Authentication Service
Access Control Chapter 3 Part 3 Pages 209 to 227.

Access Control Chapter 3 Part 3 Pages 209 to 227.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Centralised User Management. What's AAA? Authentication Who are you? Authorisation What are you allowed to do? Accounting What did you do?

Centralised User Management. What's AAA? Authentication "Who are you?" Authorisation "What are you allowed to do?" Accounting "What did you do?"
Active Directory® and Apache® Using Kerberos and Apache to Authenticate via Microsoft Active Directory.

Active Directory® and Apache® Using Kerberos and Apache to Authenticate via Microsoft Active Directory.
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.

ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
© 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Advanced Samba Administration Part.

© 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Advanced Samba Administration Part.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd

Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Introduction to Active Directory December 10th, 2008 1-3pm Daniels 407.

Introduction to Active Directory December 10th, pm Daniels 407.
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.

MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.

Similar presentations

Ads by Google