HEPNT/HEPiX meeting, Oct 6
Securing mail access with Kerberos and SSL
Wolfgang Friebel, DESY
Motivation
- User authentication at our site is based on Kerberos
- Nearly all services have been made Kerberos aware (xdm, ftp, ...)
- IMAP4 with the UW imapd was not kerberized
- Clear text passwords were sent for imapd authentication
- UNIX passwords had to be maintained only because of imapd
Goals
- Stay with the present imapd server (UW)
- Get rid of clear text passwords by using imapd with SSL:
  - encrypting the communication
- Get rid of UNIX passwords by using imapd with Kerberos:
  - checking the password against Kerberos, or
  - sending encrypted data to authenticate
Solution 1: Authentication with Kerberos (via PAM)
- Make use of the PAM support available on several platforms
- Link imapd against the PAM library
- Advantages:
  - no source code modification required
  - encrypted UNIX password no longer needed
- Disadvantage:
  - passwords still go over the line in clear text
Solution 2: Making imapd Kerberos aware
- imapd / pine come with client side Kerberos support
- Server side support added by Michael Matz
- Compiled pine and imapd with the Kerberos authenticator
- Advantage:
  - no password required when the client holds a valid token (ticket)
- Disadvantages:
  - clear text password transmission when there is no valid token
  - no Kerberos aware clients other than pine
Solution 3: Accepting SSL connections
- Made imapd SSL aware by replacing the socket read and write calls (recipe by Andy Polyakov)
- Separate server listening on port 993
- Known to work at least on Solaris
- Requires a certificate authority
- Advantages:
  - works with Netscape and Internet Explorer
  - no clear text passwords at all any more
- Disadvantages:
  - no SSL support in pine, so a wrapper is required
  - speed: the whole session gets encrypted
Alternate solutions for SSL support
- Use unmodified imapd and unmodified clients with available wrappers, e.g.:
  - stunnel
  - bjorb
  - wrapssl
- Advantage: ease of installation
- Disadvantage: wrappers (daemons) required on each host
Our final solution: Kerberos and SSL
- Two running servers:
  - kerberized imapd on port 143
  - SSL aware kerberized imapd on port 993
- Kerberos aware client: pine
- SSL aware clients: Netscape and Internet Explorer
- pine made SSL aware by Michael Matz (9/99)
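The two-listener design above, written out as a login policy so the trade-off of Solutions 2 and 3 is visible in code. This is an added example, not code from UW imapd, pine or the DESY patches. The clear-text listener on 143 accepts only the Kerberos-style AUTHENTICATE and refuses LOGIN, advertising LOGINDISABLED (RFC 2595) so that a client does not send a password in the clear; this goes beyond the slides, which still allow a clear password on 143 when no token is present. The SSL listener on 993 also accepts LOGIN. Kerberos and PAM are stood in for by a constructed password table and a constructed set of principals for which a "valid token" is accepted; a real GSSAPI exchange is multi-round, here the token is just the principal name base64-encoded. The user name, realm and password are made up.

```python
"""Login policy for a two-listener IMAP server (clear text on 143, SSL on 993).

Added example, not UW imapd code.  LOGIN is refused on the clear-text port;
only AUTHENTICATE with a valid token is accepted there.  PAM/Kerberos are
replaced by constructed stand-ins (PASSWORDS, VALID_TOKENS).
"""
import base64
import shlex

PORT_CLEAR = 143   # kerberized imapd, clear-text transport
PORT_SSL = 993     # SSL aware kerberized imapd

# Constructed stand-ins for the real back ends (assumptions, not real data):
# a password table in place of PAM/Kerberos password checking, and the set of
# principals for which a valid Kerberos token is presented.
PASSWORDS = {"wolfgang": "correct horse"}
VALID_TOKENS = {"wolfgang@IFH.DE"}


def make_token(principal):
    """Stand-in for a GSSAPI token: the principal name, base64-encoded."""
    return base64.b64encode(principal.encode("ascii")).decode("ascii")


class Session:
    """State of one client connection: which listener it came in on, who is logged in."""

    def __init__(self, port):
        self.encrypted = port == PORT_SSL
        self.user = None


def capabilities(session):
    caps = ["IMAP4rev1", "AUTH=GSSAPI"]
    if not session.encrypted:
        # Tell the client up front that LOGIN will be refused on this transport.
        caps.append("LOGINDISABLED")
    return caps


def _login(session, tag, args):
    if not session.encrypted:
        # Refuse before even parsing the credentials: never accept a
        # password that travelled over the clear-text port.
        return [f"{tag} NO LOGIN disabled on clear-text port, use port {PORT_SSL} or AUTHENTICATE"]
    try:
        user, password = shlex.split(args)   # handles IMAP quoted strings
    except ValueError:
        return [f"{tag} BAD LOGIN expects user and password"]
    if PASSWORDS.get(user) != password:
        return [f"{tag} NO LOGIN failed"]
    session.user = user
    return [f"{tag} OK LOGIN completed"]


def _authenticate(session, tag, args):
    mech, _, token = args.partition(" ")
    if mech.upper() != "GSSAPI":
        return [f"{tag} NO unsupported authentication mechanism"]
    try:
        principal = base64.b64decode(token, validate=True).decode("ascii")
    except (ValueError, UnicodeDecodeError):
        return [f"{tag} BAD malformed token"]
    if principal not in VALID_TOKENS:
        # No valid token: fail, do not fall back to a clear-text password.
        return [f"{tag} NO authentication failed"]
    session.user = principal.split("@", 1)[0]
    return [f"{tag} OK AUTHENTICATE completed"]


def handle(session, line):
    """Process one client command line and return the server response lines."""
    parts = line.split(" ", 2)
    if len(parts) < 2:
        return ["* BAD missing command"]
    tag, cmd = parts[0], parts[1].upper()
    args = parts[2] if len(parts) > 2 else ""
    if cmd == "CAPABILITY":
        return ["* CAPABILITY " + " ".join(capabilities(session)),
                f"{tag} OK CAPABILITY completed"]
    if cmd == "LOGIN":
        return _login(session, tag, args)
    if cmd == "AUTHENTICATE":
        return _authenticate(session, tag, args)
    if cmd == "LOGOUT":
        return ["* BYE", f"{tag} OK LOGOUT completed"]
    return [f"{tag} BAD unknown command"]


if __name__ == "__main__":
    # Constructed exchange on the clear-text listener.
    clear = Session(PORT_CLEAR)
    for cmd_line in ("a1 CAPABILITY",
                     'a2 LOGIN wolfgang "correct horse"',
                     "a3 AUTHENTICATE GSSAPI " + make_token("wolfgang@IFH.DE")):
        print("C:", cmd_line)
        for response in handle(clear, cmd_line):
            print("S:", response)
```

The point of the check in `_login` is its position: the refusal is decided by the listener the connection arrived on, before the credentials are looked at, so a misconfigured or old client that ignores LOGINDISABLED gets nothing for the password it already exposed.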
Conclusions
- Reached our goals
- Kerberized imapd in use at Zeuthen since 8/99
- Hamburg will follow if the test phase is successful
- SSL aware pine (pinessl or spine) comes next
- Patches available
Resources
- imapd with SSL:
- pine with SSL: ftp://ftp.ifh.de/pub/unix/mail/pine4.10-ssl.diff.gz
- kerberized imapd: ftp://ftp.ifh.de/pub/unix/mail/imap-4.6-kerberos.diff.tgz
- stunnel:
- bjorb: