Kerberos on Servers "host" means ssh/telnet login to the server itself "service" means applications like HTTP, POP3 In both cases you need to: 1. Enable.

Slides:



Advertisements
Similar presentations
Single Sign-On with GRID Certificates Ernest Artiaga (CERN – IT) GridPP 7 th Collaboration Meeting July 2003 July 2003.
Advertisements

Access Control List (ACL)
AUTHENTICATION AND KEY DISTRIBUTION
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
Active Directory and NT Kerberos Rooster JD Glaser.
Key distribution and certification In the case of public key encryption model the authenticity of the public key of each partner in the communication must.
Kerberos 1 Public domain image of Heracles and Cerberus. From an Attic bilingual amphora, 530–520 BC. From Italy (?).
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
MyProxy: A Multi-Purpose Grid Authentication Service
Access Control Chapter 3 Part 3 Pages 209 to 227.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Centralised User Management. What's AAA? Authentication "Who are you?" Authorisation "What are you allowed to do?" Accounting "What did you do?"
Active Directory® and Apache® Using Kerberos and Apache to Authenticate via Microsoft Active Directory.
(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
ISA 3200 NETWORK SECURITY Chapter 10: Authenticating Users.
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 10 Authenticating Users By Whitman, Mattord, & Austin© 2008 Course Technology.
© 2005 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice Advanced Samba Administration Part.
Edwin Sarmiento Microsoft MVP – Windows Server System Senior Systems Engineer/Database Administrator Fujitsu Asia Pte Ltd
Introduction to Active Directory December 10th, pm Daniels 407.
MS systems use one of the following: LanManager Hash (LM) LanManager Hash (LM) NT LanManager (NTLM) NT LanManager (NTLM) Cached passwords Cached passwords.
SYSTEM ADMINISTRATION Chapter 13 Security Protocols.
70-294: MCSE Guide to Microsoft Windows Server 2003 Active Directory Chapter 9: Active Directory Authentication and Security.
MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
Building a KDC. Kerberos Implementations RedHat 5 comes with MIT Kerberos 1.6 Ubuntu LTS comes with MIT Kerberos Admin through CLI, but from.
Authenticating Users Chapter 6. Learning Objectives Understand why authentication is a critical aspect of network security Describe why firewalls authenticate.
Extending Active Directory Authentication and Account Management To Solaris 10 Systems A HOWTO guide for joining a Solaris 10 (8/07) host to a domain in.
Kerberos: An Authentication Service for Open Network Systems Jennifer G. Steiner Clifford Neuman Jeffrey I. Schiller.
Adding New Users User as an entity - username(UID), GID. UID - typically a number for system to identify the user. GID – a number that recognizes a set.
SSL, Single Sign On, and External Authentication Presented By Jeff Kelley April 12, 2005.
Slides copyright 2010 by Paladin Group, LLC used with permission by UMBC Training Centers, LLC.
Unit 1: Protection and Security for Grid Computing Part 2
Authentication Applications Unit 6. Kerberos In Greek and Roman mythology, is a multi-headed (usually three-headed) dog, or "hellhound” with a serpent's.
Single Sign-on with Kerberos 1 Chris Eberle Ryan Thomas RC Johnson Kim-Lan Tran CS-591 Fall 2008.
Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.
User Access to Router Securing Access.
Managing Users  Each system has two kinds of users:  Superuser (root)  Regular user  Each user has his own username, password, and permissions that.
Chapter 3 & 6 Root Status and users File Ownership Every file has a owner and group –These give read,write, and execute priv’s to the owner, group, and.
Single Sign-On across Web Services Ernest Artiaga CERN - OpenLab Security Workshop – April 2004.
Securing Sensitive Information Data Security Dashboards often contain the most important data in the company Securing that information makes business.
Kerberos By Robert Smithers. History of Kerberos Kerberos was created at MIT, and was named after the 3 headed guard dog of Hades in Greek mythology Cerberus.
1 Linux Security. 2 Linux is not secure No computer system can ever be "completely secure". –make it increasingly difficult for someone to compromise.
MEMBERSHIP AND IDENTITY Active server pages (ASP.NET) 1 Chapter-4.
Permissions Lesson 13. Skills Matrix Security Modes Maintaining data integrity involves creating users, controlling their access and limiting their ability.
1 Kerberos – Private Key System Ahmad Ibrahim. History Cerberus, the hound of Hades, (Kerberos in Greek) Developed at MIT in the mid 1980s Available as.
Host Security Overview Onion concept of security Defense in depth How secure do you need to be? You can only reduce risk Tradeoffs - more security means:
VIRTUAL HOSTING WITH PureFTPd And MYSQL (Quota And Bandwidth Management) BY Odoh Kenneth Emeka Sun Yu Patrick Appiah.
Kerberos in an ISP environment
Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.
Advanced Authentication Campus-Booster ID: Copyright © SUPINFO. All rights reserved Kerberos.
Introduction to AFS IMSA Intersession 2003 Managing AFS Services Brian Sebby, IMSA ‘96 Copyright 2003 by Brian Sebby, Copies of these slides.
The Pennsylvania State University © 2007 Web-Based Access Control for ITS Web Services, Present and Future Jeffrey C. D’Angelo, Programmer/Analyst, Enabling.
4.1 © 2004 Pearson Education, Inc. Exam Managing and Maintaining a Microsoft® Windows® Server 2003 Environment Lesson 12: Implementing Security.
LINUX Presented By Parvathy Subramanian. April 23, 2008LINUX, By Parvathy Subramanian2 Agenda ► Introduction ► Standard design for security systems ►
Active Directory and NT Kerberos. Introduction to NT Kerberos v5 What is NT Kerberos? How is it different from NTLM NT Kerberos vs MIT Kerberos Delegation.
Active Directory Domain Services (AD DS). Identity and Access (IDA) – An IDA infrastructure should: Store information about users, groups, computers and.
Vmware 2V0-621D Vmware Exam Questions & Answers VMware Certified Professional 6 Presents
Kerberos Miha Pihler MVP – Enterprise Security Microsoft Certified Master | Exchange 2010.
1 Example security systems n Kerberos n Secure shell.
Lightweight Directory Access Protocol Objectives –This chapter will first show you how to install and use LDAP Contents –The LDAP Database Structure –Scenario.
SSSD System Security Services Daemon. 2 Manages communication with centralized identity and authentication stores Provides robust, predictable caching.
19 Copyright © 2008, Oracle. All rights reserved. Security.
NTP, Syslog & Secure Shell
Grid Security.
Radius, LDAP, Radius used in Authenticating Users
Extending Active Directory Authentication and Account Management To Solaris 10 Systems A HOWTO guide for joining a Solaris 10 (8/07) host to a domain.
Lab 1 introduction, debrief
Cisco Real Exam Dumps IT-Dumps
Single Sign-on with Kerberos
Kerberos in an ISP environment
Presentation transcript:

Kerberos on Servers "host" means ssh/telnet login to the server itself "service" means applications like HTTP, POP3 In both cases you need to: 1. Enable Kerberos authentication in the software 2. Create a principal in the KDC 3. Put the corresponding key in a keytab file What Microsoft calls "joining a domain" Not much harder than adding clients

Kerberised sshd Note: don't set "KerberosAuthentication yes" That really means password login, with the password checked against KDC True Kerberos doesn't send the password at all When properly deployed you can turn off ssh password authentication completely! # editor /etc/ssh/sshd_config... GSSAPIAuthentication yes GSSAPIKeyExchange yes # when available...

Creating the keytab Option 1: run kadmin on the target itself, using kerberos administrator account. strong random key; copy across net is encrypted # kadmin -p username/admin addprinc -randkey host/pcN.ws.nsrc.org ktadd host/pcN.ws.nsrc.org Option 2: extract keytab on another machine, copy to target e.g. with scp Option 3: set passphrase on KDC, use ktutil on target with same passphrase (awkward in practice)

Kerberised Apache mod_auth_kerb in Ubuntu 8.04, RHEL 4 &up AuthName "Hello Kerberos World" AuthType Kerberos # Allow fallback to Basic Auth? KrbMethodK5Passwd Off KrbAuthRealms WS.NSRC.ORG Krb5Keytab /etc/apache2/krb5/krb5.keytab # TODO: LDAP authorisation # require user require valid-user

Kerberised Apache Create a service principal and a keytab which is readable to the Apache user ("www-data") Depending on clients, may need to include principals for both virtual server name and real server name # mkdir /etc/apache2/krb5 # kadmin -p username/admin addprinc -randkey HTTP/noc.ws.nsrc.org ktadd -k /etc/apache2/krb5/krb5.keytab \ HTTP/noc.ws.nsrc.org ^D # chown -R www-data:www-data /etc/apache2/krb5 # chmod 550 /etc/apache2/krb5 # chmod 440 /etc/apache2/krb5/krb5.keytab

Authorization

Tickets aren't authorization A ticket is proof of your identity to a particular endpoint - nothing more (*) You can ask for tickets to prove your identity to any principal you like. KDC doesn't care. Sounds a bit like certificates? It is! Uses symmetric cryptography instead of public/private Hence you need a separate ticket for each endpoint But symmetric crypto is cheap and fast (*) Microsoft has bastardized the concept by including "Privilege Access Certificates" (PACs) in tickets. In large AD deployments tickets can become huge, and hence logins slow.

Login authorization sshd needs to decide whether to allow a particular principal to login as a particular user Default rule: map to system user Default denies all users in other realms You can add explicit authorization by putting principal name(s) into ~/.k5login Like adding a key to ~/.ssh/authorized_keys, but simpler

Login authorization (cont) But we also need to know what uid for user "foo", what groups they are in, their home directory etc We don't want to distribute /etc/passwd files! So configure system to use LDAP database for passwd and group info Can restrict logins to particular groups (pam_access) LDAP communication needs to be strongly protected, by Kerberos or TLS LDAP is controlling privileges, so it's very important that it's secure

libnss nscd libnss_ldap getpwnam LDAP query local files

Configuring LDAP /etc/ldap.conf [man nss_ldap] LDAP server and base DN; attribute mapping /etc/nsswitch.conf use LDAP for passwd, shadow, group /etc/nscd.conf /etc/cron.hourly/kerberos obtain Kerberos ticket for name service caching daemon to be able to query LDAP Make your own tarball to deploy

Exercise Part one: set up your machine to accept Kerberos authenticated logins Part two: set up your machine to use LDAP for uid/gid mapping We're doing it manually, but remember in real life you'd deploy a tarball/package/script etc

More authorization scenarios

Kerberos admin (kadmin) Certain people are authorized to add/modify/remove other principals via kadmin This is security critical How do we control it?

Option 1 List all the authorized entities in the KDC ACL * * * Advantages: Clean separation of "authentication" and "authorization" Disadvantages: Need to edit a file on the KDC to amend the ACL

Option 2 Admin users have a second identity: Pattern-matching ACL in the KDB * Advantages: The ACL never needs adjusting You have to enter a different password when doing "admin" things (more secure??) Some tools like kadmin have this as default behaviour

System root access Some documents suggest having separate principals for superuser access, e.g. Authorize */root to login as root (or ksu) Again, user has multiple identities I think this muddles authentication vs authorization Can use sudo, but don't want to expose password Can allow sudo with NOPASSWD for wheel group membership of this group is my authorization

Other services HTTP (Apache) Authorize users via LDAP groups Doesn't work with apache 2.0 / mod_auth_ldap Use apache 2.2 / mod_authnz_ldap (Ubuntu, RHEL5+) Access to LDAP database itself OpenLDAP can be configured with rules to map principal to DN (olcAuthzRegexp) Then has its own ACL for DN authorization

Switches and Routers Some Cisco IOS images support Kerberos You need an alternative, e.g. RADIUS or TACACS+, for those which don't I tried it, and couldn't make it work :-( Supports authorization via instance mapping, e.g. gives enable mode Otherwise need to a static table in TACACS+ for authorisation, or build a TACACS+ to LDAP bridge There are also commercial solutions (SecureACS)

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.