The Jisc Moonshot Primer Jisc – Online Training

The Jisc Moonshot Primer The Jisc Moonshot Primer – Jisc – Online Training The Jisc Moonshot Primer What we’re going to cover What the hell is Moonshot anyway? An in-depth look at what Moonshot is How it (everything) works What it does and doesn’t do The big use case: non-web access!

What is Moonshot anyway? Jisc – Online Training

ABFAB – Federated access beyond web The Jisc Moonshot Primer – Jisc – Online Training ABFAB – Federated access beyond web Why do we need this Moonshot thing anyway? You’ve heard of eduroam Federated network access through RADIUS You’ve heard of eduGAIN Federated web access through SAML Now we have ABFAB Provides for federated non-web access It’s a combination of the above

ABFAB – Federated access beyond web The Jisc Moonshot Primer – Jisc – Online Training ABFAB – Federated access beyond web eduroam + RADIUS – How it works, a refresher!

ABFAB – Federated access beyond web The Jisc Moonshot Primer – Jisc – Online Training ABFAB – Federated access beyond web eduGAIN + SAML – How it works, a refresher!

ABFAB – Federated access beyond web The Jisc Moonshot Primer – Jisc – Online Training ABFAB – Federated access beyond web What is ABFAB? ABFAB… Stands for: Application Bridging for Federated Access Beyond the web Is a collection of 6 IETF RFCs and 1 draft RFC7055, RFC7056, RFC7057 RFC7831, RFC7832, RFC7833 Uses other technologies: RADIUS, SAML, GSSAPI Is… Moonshot

ABFAB – Federated access beyond web The Jisc Moonshot Primer – Jisc – Online Training ABFAB – Federated access beyond web Some technology concepts (1 of 3) RADIUS – What is it? A UDP-based network authentication protocol Basic protection, anyone can decode traffic Also available over TCP Known as RadSec Runs over TLS-secured connections International eduroam infrastructures use this This is also what Moonshot uses

ABFAB – Federated access beyond web The Jisc Moonshot Primer – Jisc – Online Training ABFAB – Federated access beyond web Some technology concepts (2 of 3) SAML – What is it? Security Assertion Markup Language Defines user attributes and authorisation information Personal data: Name, email address, etc. Affiliations: Are they staff, which department they’re in Non-personally identifiable unique identifiers When and where they’re allowed to log in Moonshot uses this for rich information release

ABFAB – Federated access beyond web The Jisc Moonshot Primer – Jisc – Online Training ABFAB – Federated access beyond web Some technology concepts (3 of 3) GSSAPI Developed by MIT, is IETF RFC standardised 2 well-known mechanisms Kerberos (SSO in most OSes) SPNEGO (often used in WWW browsers) Others: GSI: Used in Globus (gsissh) grid computing SAML-EC: Fedushare project, in development Moonshot

ABFAB – Federated access beyond web The Jisc Moonshot Primer – Jisc – Online Training ABFAB – Federated access beyond web What does Moonshot consist of? 4 parts to Moonshot The Client GSSAPI mechanism and a Credential Manager The Server / Gateway ≥ 1 per organisation in Moonshot network The Trust Router ≥ 1 per Moonshot network, usually run by NREN The APC 1 per Moonshot network, run by NREN

ABFAB – Federated access beyond web The Jisc Moonshot Primer – Jisc – Online Training ABFAB – Federated access beyond web The Moonshot client The client mechanism (moonshot-gss-eap) Speaks GSSAPI + RADIUS It interfaces with the Credential Manager The Credential Manager (ID Card Selector) (moonshot-ui) Handles identities, stores them securely* Unix GUI: Gnome keyring Windows: Windows Credential Manager macOS: Mac Keychain Installed on every machine that does Moonshot

ABFAB – Federated access beyond web The Jisc Moonshot Primer – Jisc – Online Training ABFAB – Federated access beyond web The Moonshot Server / Gateway / RP Proxy FreeRADIUS (v3) Adds dynamic realm support (more on that later) Adds channel bindings (in EAP message) Adds 4 new RADIUS attributes to each request GSS-Acceptor-Host/Realm/Service-Name Adds details about requesting system Accepts 4 new RADIUS attributes in response SAML-AAA-Assertion: SAML attribute statement! Moonshot-Host/Realm/COI-TargetedId: a unique ID One or more installed per organisation

ABFAB – Federated access beyond web The Jisc Moonshot Primer – Jisc – Online Training ABFAB – Federated access beyond web The Moonshot Trust Router (1 of 2) Negotiation service Client (tidc, tids) Interacts with dynamic realm support in FreeRADIUS Installed on each IdP + RP Proxy Server (trust_router) Contacted by the client for each unknown request Installed at an NREN Example: Jisc Assent

ABFAB – Federated access beyond web The Jisc Moonshot Primer – Jisc – Online Training ABFAB – Federated access beyond web The Moonshot Trust Router (2 of 2) Negotiation service Acts as a trusted party Provides 2 parties in a Moonshot request with Diffie- Hellman key halves to negotiate a direct TLS tunnel Manages the Moonshot network It knows everyone in the network Supports community of interest (COI) Constrains 2 parties in Moonshot request by policy

ABFAB – Federated access beyond web The Jisc Moonshot Primer – Jisc – Online Training ABFAB – Federated access beyond web The Moonshot APC Authorization Policy Community (APC) The mother of the Moonshot network Only 1 in a Moonshot network Acts as the IdP of organisations in Moonshot Interacts with the Trust Router

ABFAB – Federated access beyond web The Jisc Moonshot Primer – Jisc – Online Training ABFAB – Federated access beyond web The Moonshot network components

How does Moonshot work? The simple version The Jisc Moonshot Primer – Jisc – Online Training How does Moonshot work? The simple version

How does Moonshot work? The simple version The Jisc Moonshot Primer – Jisc – Online Training How does Moonshot work? The simple version 1. Client makes a request to Service via GSSAPI 2. Service forwards the request to RP Proxy via RADIUS 3. Client creates EAP tunnel, RP Proxy shuttles EAP packets to Home IdP via RadSec (RADIUS over TLS) tunnel 4. Home IdP responds to RP Proxy with AuthN+AuthZ response 5. RP Proxy authorises the connection to the Service

How does Moonshot work? The simple version: Benefits The Jisc Moonshot Primer – Jisc – Online Training How does Moonshot work? The simple version: Benefits Static RadSec connections Home IdP needs to provide RP Proxy with their TLS CA certificate, client certificate + key Dead easy to configure, can be done with standard FR 3.0x Faster Initial requests faster – No key negotiation needed You can do this eduroam-style if you want to Your RP Proxy only needs to know the next level up Trust is manually configured (set up TLS to trusted parties)

How does Moonshot work? The simple version: Caveats The Jisc Moonshot Primer – Jisc – Online Training How does Moonshot work? The simple version: Caveats eduroam-style network Same problem as eduroam (shuttling requests from proxy to proxy can take time) Every proxy in the chain can access/modify the reply from the Home IdP When CA / client certs expire, everyone has to update the files and restart servers Well, it’s static (trust, certs, etc etc) Nuff sed!

How does Moonshot work? The complete version The Jisc Moonshot Primer – Jisc – Online Training How does Moonshot work? The complete version

How does Moonshot work? The complete version (1 of 2) The Jisc Moonshot Primer – Jisc – Online Training How does Moonshot work? The complete version (1 of 2) 1. Client makes a request to Service via GSSAPI 2. Service forwards the request to RP Proxy via RADIUS 3. RP Proxy forwards information query to Trust Router (who is this realm?) 4a. Trust Router asks RP Proxy to prove who it is 4b. Trust Router proves to the Home IdP who it is 4c. Trust Router gives RP Proxy + Home IdP ½ DH key 4d. RP Proxy + Home IdP negotiate a TLS tunnel

How does Moonshot work? The complete version (2 of 2) The Jisc Moonshot Primer – Jisc – Online Training How does Moonshot work? The complete version (2 of 2) 5. Client creates EAP tunnel, RP Proxy shuttles EAP packets to Home IdP via RadSec (RADIUS over TLS) tunnel 6. Home IdP responds to RP Proxy with AuthN+AuthZ response 7. RP Proxy authorises the connection to the Service Important: Steps 3 to 4d only necessary on initial contact or after TLS tunnel expires!

How does Moonshot work? The complete version: Benefits The Jisc Moonshot Primer – Jisc – Online Training How does Moonshot work? The complete version: Benefits Dynamic RadSec connections The Trust Router looks realms up on request, nothing static Dynamic trust (mesh) Trust Router trusts other party, you can too If trust is revoked, your own trust expires too (eventually) Faster TLS tunnel between RP Proxy and Home IdP only (no other parties!), even if you had eduroam-style network

How does Moonshot work? The complete version: Caveats Deferred Trust The Jisc Moonshot Primer – Jisc – Online Training How does Moonshot work? The complete version: Caveats Deferred Trust You must be able to trust a third party (Trust Router) Slower (sometimes) Initial requests are slower – Trust Router lookup song-and- dance (we’re making this faster) Tunnel expiry TLS tunnels only valid for a time Next request does the Trust Router song-and-dance We’re making this faster in newer versions of FR

The Jisc Moonshot Primer – Jisc – Online Training So – Why Moonshot? The long and short of it… back in the mists of time... Back when Moonshot was sketched out on a napkin Why not SAML? Why not OAuth2 / OpenID Connect? Why not eduroam? Why GSSAPI? All this is cute – Where’s the catch?

So – Why Moonshot? Why not SAML? SAML web profile is common The Jisc Moonshot Primer – Jisc – Online Training So – Why Moonshot? Why not SAML? SAML web profile is common Relies on user recognition! Alternative is SAML-ECP Uptake of ECP almost zero. Why? Difficulty configuring before Shibboleth 3 Distrust of clients requiring your user credentials Application support! Difficulty configuring on client FeduShare project fixes this, with Moonshot mechanism code! 😳

So – Why Moonshot? Why not OAuth2 / OIDC? The Jisc Moonshot Primer – Jisc – Online Training So – Why Moonshot? Why not OAuth2 / OIDC? No support for request / reply integrity EAP considered to be better suited Controversial! 😳 Request/response signing added in later Lack of federation support The protocols are point-to-point Federation support currently in design Application support OIDC WGs are welcome to fork Moonshot code!

So – Why Moonshot? Why not X.509? Lack of federation support The Jisc Moonshot Primer – Jisc – Online Training So – Why Moonshot? Why not X.509? Lack of federation support Trust is fixed (cross-signed certificates) We don’t need no federation support! User education User/pwd login easier for newbies (CSC HAKA study) Application support Applications don’t necessarily support X.509 Browsers do, modern OS crypto does too! GSSAPI (Kerberos/SPNEGO) support more widespread Key store integration problems

So – Why Moonshot? Why not eduroam? eduroam is 802.1x The Jisc Moonshot Primer – Jisc – Online Training So – Why Moonshot? Why not eduroam? eduroam is 802.1x Authentication of device, not user No SSO connection between network layer and GUI! eduroam agreements expressly limit AuthN to net access Application support Need something that speaks RADIUS / RadSec Like Moonshot mechanism? 😇 PAM? Security problem: PAM will know your user creds! 😳

So – Why Moonshot? So why GSSAPI? GSSAPI stands for… The Jisc Moonshot Primer – Jisc – Online Training So – Why Moonshot? So why GSSAPI? GSSAPI stands for… Generic Security Service API Proven in the wild ≥ 25 years with Kerberos + SPNEGO In grid computing environments with GSI too! Application support If application supports GSSAPI properly, it supports Moonshot! 😇 Caveat: Many applications assume 1-trip AuthN (Kerberos). Moonshot is >1 trip!

So – Why Moonshot? All this is cute – Where’s the catch? (1 of 3) The Jisc Moonshot Primer – Jisc – Online Training So – Why Moonshot? All this is cute – Where’s the catch? (1 of 3) Ahhhh… There is a catch! Moonshot is a GSSAPI mechanism Must be installed onto devices Limited OS acceptance (Debian + Ubuntu have packages) Classic problem: Not enough resource to do everything LTS (RHEL/Ubuntu) – Still using pre-Moonshot software Moonshot implementation needs callback interface In GUI interfaces this is fine (Dbus/CredMan/Keyring) In pure text interface there’s no callback to unlock keys!

So – Why Moonshot? All this is cute – Where’s the catch? (2 of 3) The Jisc Moonshot Primer – Jisc – Online Training So – Why Moonshot? All this is cute – Where’s the catch? (2 of 3) Limited use cases Moonshot doesn’t solve all problems! Classic cases Remote access: SSH (SCP via SSH tunnel sharing) Network file systems: NFSv4 proven to be Moonshottable Not built with proper GSSAPI support though HTTP (you can have SAML for UI cases) Console access: Via PAM (only if you trust the console!) PAM = client and server, has access to user credentials!

So – Why Moonshot? All this is cute – Where’s the catch? (3 of 3) The Jisc Moonshot Primer – Jisc – Online Training So – Why Moonshot? All this is cute – Where’s the catch? (3 of 3) What Moonshot doesn’t do Moonshot doesn’t have credential delegation/forwarding OIDC/SAML/Kerberos do How to fix this? Remote access: Use X-Forwarding in SSH Still a (expired) RFC draft Needs use cases for this!

So – Why Moonshot? The reality today Moonshot supports: The Jisc Moonshot Primer – Jisc – Online Training So – Why Moonshot? The reality today Moonshot supports: RHEL 6/7, Debian 7/8/9, Ubuntu 12/14/16 Windows 7 through 10 macOS is coming soon (El Capitan, Sierra, High Sierra) One Moonshot network: Jisc Assent – https://www.jisc.ac.uk/assent GÉANT currently suggests people join Assent May change its mind and run its own Trust Router service eventually (if there is demand)

The big use case: Non-web access! The Jisc Moonshot Primer – Jisc – Online Training The big use case: Non-web access! Non-web federated access (1 of 2) There are existing solutions Closed eco-systems that are not necessarily federated X.509: Worked fine for the last 20 years, why change? YAT / YAC: Yet Another Technology / Credential Isn’t this what we’re trying to eliminate? ‘Cludges’ for existing components Custom modules that do strange things Possibly require you to trust with user / pwd Require two-stage approaches Browse to web page first, get token, use token

The big use case: Non-web access! The Jisc Moonshot Primer – Jisc – Online Training The big use case: Non-web access! Non-web federated access (2 of 2) There are existing solutions ‘Custom-baked’ software Requires active maintenance When upstream changes, so must this What if maintainer gets run over by a bus? Sometimes it’s security by obscurity Credential forwarding / bearer tokens Trusting systems with privileges!

The big use case: Non-web access! The Jisc Moonshot Primer – Jisc – Online Training The big use case: Non-web access! Why this criticism? Previous slides are not criticism Proof that non-web federated access really is challenging! Science + IT ‘make do’ with what they can do in the short term This is not perfect, everyone understands this But can this be done better?

How does this fit into today’s world? The Jisc Moonshot Primer – Jisc – Online Training How does this fit into today’s world? How could Moonshot help? Moonshot is not a panacea, a wonder pill, but it can help Limited use cases, remember? It was designed for non-web federated access! Designed to keep credentials safe Credential stored on your system (like certificate key?) Moonshot mechanism can be copied + reused Example: Fedushare (SAML-EC). We don’t mind! OIDC could do the same. We don’t mind! Code is Open Source. Go forth and prosper!

How does this fit into today’s world? The Jisc Moonshot Primer – Jisc – Online Training How does this fit into today’s world? How could Moonshot help? Go and find out Run pilots See whether it fits into what you want to do Remember the caveats Is a client mechanism acceptable?

Your architecture Possibilities and challenges The Jisc Moonshot Primer – Jisc – Online Training Your architecture Possibilities and challenges Challenge: Use of web / non-web federation Moonshot supports both Moonshot is not widely adopted Currently some undesirable interactions in web modules mod_shib + mod_auth_gssapi Possibility: Fix that interactivity problem? Does mod_mellon fix the problem?

Your architecture Possibilities and challenges Challenge: LoA The Jisc Moonshot Primer – Jisc – Online Training Your architecture Possibilities and challenges Challenge: LoA LoA is not a technology problem, it’s a policy problem Just like SAML/OIDC Moonshot supports LoA Can ship LoA ‘stuff’ through SAML-AAA-Assertion

Your architecture Possibilities and challenges The Jisc Moonshot Primer – Jisc – Online Training Your architecture Possibilities and challenges Challenge: Unique identifiers Moonshot supports 3 by default Moonshot-Host-TargetedId Specific to the host Moonshot-Realm-TargetedId Specific to the realm used Moonshot-COI-TargetedId Specific to community of interest (COI) This could lead to ‘collusion’ problem Can also ship SAML ePTID etc in SAML-AAA-Assertion!

Your architecture Possibilities and challenges The Jisc Moonshot Primer – Jisc – Online Training Your architecture Possibilities and challenges Challenge: Attribute authorities (AAs) Moonshot can support supplementary AAs Currently not built-in RP Proxies can call on additional attribute authorities If they’re fast. Don’t delay user login! Possibility: We can bake that optional support into the code, why not!

The Moonshot Primer Moonshot? Where can I find more info? The Jisc Moonshot Primer – Jisc – Online Training The Moonshot Primer Moonshot? Where can I find more info? Moonshot Wiki: https://wiki.moonshot.ja.net/ Email me: stefan.paetow@jisc.ac.uk Skype me: stefan.paetow.janet Want to test a test system? Get in touch!