
1 Kerberos OLC Training jdreed@mit.edu

2 What is it?
● A three-headed dog that guards the entrance to Hades.
● A network authentication protocol that also provides encryption.
● Provides an API that can be used to “kerberize” any application

3 Why?
● Duh. Because of h@x0rz.
● Replace "authentication-by-assertion" (cf. rlogin).
● Provides trusted authentication, and encryption.
● One password for every service (single sign-on)

4 v4 vs v5
● v4 is considered dead - no further MIT development.
● v5 supports new features including:
  ● key salt uses the principal name (as opposed to nothing in v4) - eliminates cross-realm exploits
  ● tickets can be forwardable, renewable, postdatable, and proxiable
  ● algorithms other than DES can be used

5 v4 Services at MIT
● POP3 e-mail
● OLx services
● Moira
● Zephyr
● KNFS
● discuss
● IMAP

6 v5 Services at MIT
● telnet (also v4)
● ftp (also v4)
● ssh
● LPRng
● AFS
● Techtime
● Jabber

7 Components
● KDC (Key Distribution Center)
  ● Stores copies of pre-shared secrets
● Credentials Cache (v4: Ticket File)
  ● where Kerberos stores its shared secrets for the session.
● Keytab (v4: Srvtab)
  ● Pre-shared secrets for services
● Principal
  ● A user or service in a realm
● Realm
  ● Does not have to be related to DNS, but typically is. A realm includes all principals controlled by a master KDC

8 Components, cont.
● TGT - ticket granting ticket
● TGS - ticket granting service
● AS - Authenticator Service
● we'll talk more about how those differ

9 Instances
● An optional qualifier for the principal. For example, you need a principal for the "imap" service, but there are different pop servers. The hostname is the instance.
● v4: jdreed.extra@ATHENA.MIT.EDU  v5: jdreed/extra@ATHENA.MIT.EDU
● v4: imap.po14@ATHENA.MIT.EDU  v5: daemon/io.mit.edu@ATHENA.MIT.EDU

10 How it works (abstraction)
● User requests negotiation with service.
● KDC makes up session key, uses known shared secrets to encrypt 2 copies, sends back to user.
● User sends service's copy of key to service, service decrypts it, now they have a shared secret to negotiate encryption; service also decrypts timestamp.

11 More Detail
● Actually, what happens is the first time you get tickets, you request a TGT from the TGS (using the method in the previous slide) using the AS.
● Then, for future services, you request a ticket from the TGS. The reply is encrypted not with your password, but with the session key provided in the TGT.

12 Why all the fuss about time?
● Remember, this goes over the network. If you didn't make sure the clock skew was < 5 min, I could steal the authenticator, save it for later, and then become you.
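The exchange in slides 10 and 12, as an added example that is not part of the original presentation: the KDC hands out two encrypted copies of a session key, the service opens its copy from the ticket, and it refuses an authenticator whose timestamp is outside the 5-minute skew window or has already been seen. The cipher, the key derivation and the principal names are assumed toy constructions for illustration, not MIT Kerberos' enctypes.

```python
import hashlib, hmac, os, struct

MAX_SKEW = 300  # seconds; Kerberos rejects authenticators more than 5 minutes off

def derive_key(password, principal):
    # v5 salts the long-term key with the principal name (slide 4); v4 used no salt
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 1000)

def keystream(key, n):
    # Toy counter-mode keystream; stands in for a real Kerberos enctype
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, data):
    # Encrypt-then-MAC under a fresh nonce (assumed toy construction, not Kerberos' own)
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(data, keystream(key + nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, keystream(key + nonce, len(ct))))

def kdc_issue(client_key, service_key, client):
    # KDC makes up a session key and encrypts two copies (slide 10): one under the
    # client's key, one inside the ticket under the service's keytab key
    session_key = os.urandom(32)
    return seal(client_key, session_key), seal(service_key, session_key + client.encode())

def client_authenticator(session_key, now):
    # The authenticator is the client's current timestamp, encrypted under the session key
    return seal(session_key, struct.pack(">d", now))

def service_accept(service_key, ticket, authenticator, replay_cache, now):
    # Service decrypts the ticket with its keytab key, recovers the session key and
    # client name, then decrypts the timestamp; a stale or already-seen timestamp is refused
    plain = unseal(service_key, ticket)
    session_key, client = plain[:32], plain[32:].decode()
    (ts,) = struct.unpack(">d", unseal(session_key, authenticator))
    if abs(now - ts) > MAX_SKEW:
        raise ValueError("clock skew too large for %s" % client)
    if (client, ts) in replay_cache:
        raise ValueError("replayed authenticator from %s" % client)
    replay_cache.add((client, ts))
    return client, session_key
```

A real KDC also binds the client name, addresses and lifetime into the ticket; the replay cache here is the in-memory equivalent of the one a kerberized service keeps on disk.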

13 Potential Weaknesses
● Assumes that only the network is vulnerable - attacker could insert self between user and application (i.e. keystroke monitoring)
● Relies on filesystem security or physical security for keeping srvtab/keytab safe
● Assumes users will not pick stupid passwords (our implementation actually does do a dictionary check)

14 Encryption
● Kerberos != encryption; Kerberos := authentication.
● Authentication only: kpop, olx, discuss, moira, zephyr, eos, AFS*
● Auth + Encryption: ktelnet, kftp, klogin...
● AFS has encryption, but that’s unrelated.

15 Special Tickets
● Renewable: Ticket stores not only expiration date, but max lifetime.
● Proxiable: Specified IP addresses are allowed to present a TGT on to another service, but the recipient service can’t get a new TGT.
● Forwardable: Like proxiable, but the TGT can be used to get other TGTs (i.e. logging into the dialups via ssh)

16 Getting tickets
● kinit
  ● get tickets
● kinit -l 21h
  ● Get tickets for 21 hours
● kinit -r 2d
  ● Get tickets renewable for up to 2 days
● kinit -R to renew tickets
● kinit -f
● kinit -p
  ● forwardable and proxiable tickets, respectively

17 Other operations
● kinit -5
  ● Only get version 5 tickets (or -4 for v4)
● klist
  ● Show your tickets
● kdestroy
  ● destroy your tickets
● kvno
  ● Check version number; check if principal exists

18 Further Reading
● comp.protocols.kerberos FAQ http://www.cmf.nri.navy.mil/CCS/people/kenh/kerberos-faq.html
● http://web.mit.edu/kerberos/www/

