Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 9/29/2016 Kerberos Authentication with the Linux Kernel CIFS Client Jeff Layton (Red Hat/Samba Team )

Published byValentine Malone Modified over 8 years ago

Similar presentations

Presentation on theme: "1 9/29/2016 Kerberos Authentication with the Linux Kernel CIFS Client Jeff Layton (Red Hat/Samba Team )"— Presentation transcript:

1 1 9/29/2016 Kerberos Authentication with the Linux Kernel CIFS Client Jeff Layton jlayton@samba.org (Red Hat/Samba Team )

2 2 9/29/2016 Who am I? ● Member of filesystem engineering team at Red Hat since 2006 ● Joined worldwide Samba team in 2008 ● Primarily work on CIFS and NFS, but I also dabble some in generic VFS layer (and other places) ● Wrote most of the in-kernel parts of the krb5 upcall mechanism for CIFS

3 3 9/29/2016 Overview Basic Kerberos Configuration for CIFS + krb5 Problems with current implementation Deployment scenarios/recommendations Future improvements

4 4 9/29/2016 Brief History of Kerberos ● Invented at MIT, first publication of v4 in the 1980's ● v5 published in 1993 ● Most unix-like OS's have had it for years ● Microsoft adopted it as the basis of its authentication model with Windows 2000

5 5 9/29/2016 What is Kerberos? ● Secure authentication over insecure networks: ● A way for people and machines in the “realm” (aka “domain”) to verify their identity to one another without exposing passwords to the network. ● Relies on a trusted 3 rd party – the Key Distribution Center (KDC) ● All entities (users and services) are considered “principals” to the KDC ● Authentication is mutual

6 6 9/29/2016 Overview of Krb5 Auth 1) Get Ticket Granting Ticket (TGT) 2) Use TGT to get service ticket 3) Use service ticket to establish server session

7 7 9/29/2016 Krb5 Principal Format primary/instance@REALM primary: user or service name instance: additional qualifier: usually FQDN for service principals. Often “/admin” for user principals. realm: all principals are unique within a realm. Convention is to use DNS domain name in uppercase.

8 8 9/29/2016 Examples of Principals User Principals: jlayton@EXAMPLE.COM jlayton/admin@EXAMPLE.COM Service Principals: host/server.example.com@EXAMPLE.COM cifs/server.example.com@EXAMPLE.COM

9 9 9/29/2016 GSSAPI and SPNEGO GSSAPI: Generic Security Services Application Programming Interface. A standard plugin interface for authentication schemes. SPNEGO: Simple Protected GSSAPI Negotiation Mechanism. A way for client and server to agree on an authentication method to use.

10 10 9/29/2016 CIFS krb5 authenticaton Client sends NegProt req with extended security bit set Server replies with list of auth methods that it supports (via SPNEGO) Client sends session setup with SPNEGO blob that contains krb5 ticket

11 11 9/29/2016 CIFS krb5 mount process 1) mount.cifs reqests krb5 auth 2) cifs calls into keys API for SPNEGO blob 3) keys api calls out to request_key 4) request_key calls cifs.upcall which gets SPNEGO blob

12 12 9/29/2016 System Reqs for CIFS+Krb5 Linux kernel that supports SPNEGO upcalls Support first went into mainline in 2.6.24 Client Configured for krb5 (/etc/krb5.conf) /sbin/request-key Usually part of the “keyutils” package /usr/sbin/cifs.upcall Part of samba package – usually bundled with mount.cifs program Was originally called cifs.spnego

13 13 9/29/2016 /etc/request-key.conf Tells request-key program what program it should run and how. /etc/request-key.conf: #OPERATION TYPE D C PROGRAM ARG1 ARG2... ========== =========== = = ======================== create cifs.spnego * * /usr/sbin/cifs.upcall -c %k create dns_resolver * * /usr/sbin/cifs.upcall %k

14 14 9/29/2016 NFS Mount Model “Traditional” network filesystem for unix is NFS User creds are sent to the server in each call No one “owns” the connection to the server

15 15 9/29/2016 CIFS Mount Model Today Only one CIFS session per mount One set of credentials per CIFS session Other users who use the mount are using the creds for the user who “owns” the mount

16 16 9/29/2016 Simple Mount with krb5 Get a krb5 ticket for the user as whom you'll be authenticating. Then mount the share with the sec=krb5 option # kinit testuser@EXAMPLE.COM Password for testuser@EXAMPLE.COM: # mount -t cifs -o sec=krb5 \ //server.example.com/export /mnt/cifs

17 17 9/29/2016 POSIX Extensions CIFS enables POSIX extensions by default Problems with modes and ownership: uid/gid may not match on client and server uid=/gid= mount options override ownership but not mode. The result is permissions that have no basis in reality. all ops on the server are done using mount creds, but VFS enforces these permissions locally. The client's VFS may limit a user from doing ops that the server would allow

18 18 9/29/2016 CIFS MultiuserMount When there are multiple sessions to the same server, use one that's owned by my UID Can be enabled via: /proc/fs/cifs/MultiuserMount Problems with this approach: Requires a separate mount for each user Users w/o a mount use “default” creds Permissions and file ownership, writeback...

19 19 9/29/2016 So there are problems... Summary: POSIX extensions aren't terribly useful as implemented by CIFS VFS...neither is MultiuserMount Recommendations: Limit permissions to the user who owns the creds Maybe disable unix extensions altogether?

20 20 9/29/2016 User mounts in /etc/fstab mount(8) allows unprivileged users to mount filesystems if: /bin/mount and mount helper are setuid root the user owns the mountpoint mount is in /etc/fstab with “user” option (distinct from user= option that CIFS uses)

21 21 9/29/2016 User mounts in /etc/fstab /etc/fstab: //server/share /home/testuser/cifs \ sec=krb5,user,nounix,file_mode=0700, \ dir_mode=0700,noauto 0 0 Then, as unprivileged user: testuser@client$ kinit Password for testuser@EXAMPLE.COM: testuser@client$ mount /home/testuser/cifs

22 22 9/29/2016 Using autofs Another possibility is to use autofs: jlayton \ -fstype=cifs,sec=krb5,uid=$UID,gid=$GID \ \\\\server.example.com\\jlayton How do we ensure that the “right” user gets the mount?

23 23 9/29/2016 Using pam_mount Linux PAM module that can mount filesystems on login Users can configure their own set of mounts (within limits set by admin) Most useful when combined with pam_krb5 Need support for passing name of credcache to cifs.upcall

24 24 9/29/2016 Using pam_cifs Similar to pam_mount, but specific to CIFS Main feature over pam_mount seems to be LDAP integration Would probably be more useful if the ldap integration were just added to pam_mount

25 25 9/29/2016 Near-term improvements: Tighten up default permissions on mounts w/o POSIX extensions (patch proposed) Don't forcibly override uid/gid when POSIX extensions are enabled (patch proposed) Support for non-default credcaches (RFC patchset proposed) Reverse name resolution support for getting host principals (not yet done)

26 26 9/29/2016 Future Directions... Unprivileged mounts? Miklos Szeredi is working on some patches for this. Private namespace mounts? In-kernel today, needs better userspace support to make them per-user. How to attach processes that aren't part of “session”? Multi-session CIFS mounts? Establish sessions on the fly. To user, would look more like the way NFS works. How do we handle ownership when POSIX extensions are off?

27 27 9/29/2016 Future Discussion What mount model makes the most sense to you? linux-cifs-client@lists.samba.org

Download ppt "1 9/29/2016 Kerberos Authentication with the Linux Kernel CIFS Client Jeff Layton (Red Hat/Samba Team )"

Similar presentations

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.

Kerberos Authentication. Kerberos Requires shared secret with KDC ( perhaps not for PKINIT) Shared session key established Time synchronization needed.
AUTHENTICATION AND KEY DISTRIBUTION

AUTHENTICATION AND KEY DISTRIBUTION
Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi

Supervisor :Dr. Lo'ai Ali Tawalbeh Done by: Wa’el Musa Hadi
Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.

Security Protocols Sathish Vadhiyar Sources / Credits: Kerberos web pages and documents contained / pointed.
Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.

Windows 2000 Security --Kerberos COSC513 Project Sihua Xu June 13, 2014.
Chapter 14 – Authentication Applications

Chapter 14 – Authentication Applications
Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.

Authentication Applications. will consider authentication functions will consider authentication functions developed to support application-level authentication.
Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2. PARC Once Again Once again XEROX PARC helped develop the basis for wide spread technology Needham-Schroeder.

Kerberos Part 2 CNS 4650 Fall 2004 Rev. 2. PARC Once Again Once again XEROX PARC helped develop the basis for wide spread technology Needham-Schroeder.
Akshat Sharma Samarth Shah

Akshat Sharma Samarth Shah
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Remote Name Mapping for Linux NFSv4 Andy Adamson Center For Information Technology Integration University of Michigan August 2005.

Remote Name Mapping for Linux NFSv4 Andy Adamson Center For Information Technology Integration University of Michigan August 2005.
Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.

Cryptography and Network Security Third Edition by William Stallings Lecture slides by Lawrie Brown.
Windows 2000 Kerberos Interoperability Paul Hill Co-Leader, Kerberos Development Team MIT John Brezak Program Manager Windows 2000 Security Microsoft.

Windows 2000 Kerberos Interoperability Paul Hill Co-Leader, Kerberos Development Team MIT John Brezak Program Manager Windows 2000 Security Microsoft.
National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.

National Center for Supercomputing Applications Integrating MyProxy with Site Authentication Jim Basney Senior Research Scientist National Center for Supercomputing.
Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.

Kerberos and PKI Cooperation Daniel Kouřil, Luděk Matyska, Michal Procházka Masaryk University AFS & Kerberos Best Practices Workshop 2006.
Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.

Use of Kerberos-Issued Certificates at Fermilab Kerberos  PKI Translation Matt Crawford & Dane Skow Fermilab.
Challenges Running an NFSv4- backed OSG Cluster Kevin Coffman Center for Information Technology Integration University of Michigan.

Challenges Running an NFSv4- backed OSG Cluster Kevin Coffman Center for Information Technology Integration University of Michigan.
Understanding Active Directory

Understanding Active Directory
Condor Project Computer Sciences Department University of Wisconsin-Madison Security in Condor.

Condor Project Computer Sciences Department University of Wisconsin-Madison Security in Condor.
Authentication June 24/2003. Overview Terminology Local Passwords Early Password Services Kerberos Basics Tickets Ticket Acquisition Kerberos Authentication.

Authentication June 24/2003. Overview Terminology Local Passwords Early Password Services Kerberos Basics Tickets Ticket Acquisition Kerberos Authentication.

Similar presentations

Ads by Google