Kerberos in an ISP environment

Presentation transcript:

1 Kerberos in an ISP environment
UNIX/Win2K/Cisco
> Nicolas FISCHBACH, Senior IP&Security Engineer - Professional Services Team
> Sébastien LACOSTE-SERIS, Security Officer - IP Research & Development Manager
version 1.2

2 Agenda
- Kerberos
> Introduction : why did we choose Kerberos ?
> Protocol and Exchanges
> Attacks
- Deployment
> UNIX
> Cisco Routers and Switches
> Win2K
- Q&A
© 2001 Sécurité.Org

3 What is Kerberos ?
- Kerberos is a network authentication protocol/system
- Uses time synchronization to :
> limit the use of the keys
> help in detecting replay attacks
- Mutual authentication
- Uses DES, 3DES and shared (symmetric) keys
- Trusted third party

4 What is Kerberos not ?
- Kerberos does not provide authorization, only authentication
- Kerberos does not encrypt application data by itself : it hands the client and the service a session key, and it is up to the kerberized application to use that key for integrity or privacy

5 Why use Kerberos ?
- Secure authentication (cryptography)
- No password transmission
- Single Sign On
> SSO is bad for security (Bruce Schneier)
- Centralized authentication management
- IETF Standard (RFC 1510, since superseded by RFC 4120)

6 Kerberos vocabulary (1)
- KDC : Key Distribution Center. Holds a database of clients and servers (called principals) and their secret keys
- principal : three-tuple <primary name, instance, realm>, written primary/instance@REALM
> user : the primary is the username, the instance (optional) distinguishes roles such as an admin principal
> service : the primary is the service name, the instance is the host name
- primary : username or service name
- instance : "qualifies" the primary (role)
- realm : authentication domain

7 Kerberos vocabulary (2)
- keytab : file containing one or more keys (for hosts or services). Also known as SRVTAB (Cisco).
- client : an entity that can obtain a ticket (user or host)
- service : host, ftp, krbtgt, pop, etc.
- ticket : credentials (identity of a client for a particular service)
- TGT : ticket issued by the AS. Allows the client to obtain additional tickets for the same realm.

8 Key Distribution Center
- Responsible for maintaining the master keys of all principals and issuing Kerberos tickets
- The Authentication Service (AS) gives the client a session key and a Ticket Granting Ticket (TGT)
- The Ticket Granting Service (TGS) distributes service session keys and tickets for services

9 Realms
- A Realm is an authentication domain
> one Kerberos database and a set of KDCs
- Hierarchical organization (new in v5)
- One-way or two-way trust
- Cross-realm authentication
> transitive cross-realm (through a chain of realms)
> direct between realms

10 Kerberos Protocol (1)
- Kerberos Ticket, encrypted part (readable only with the service's key) :
> Principal Name
> Ticket Flags
> Encryption Key (session key)
> Start Time
> End Time
> Host Address
> Authorization Data

11 Kerberos Protocol (2)
- Kerberos Ticket Exchanges : the User talks to the Authentication Service and the Ticket Granting Service (both part of the Key Distribution Center), then presents the result to the Network Service
- Ports :
> kinit (AS/TGS) : 88/udp (88/tcp is also allowed by the standard)
> kpasswd (Unix) : 749/tcp (the kadmin port)
> kpasswd (Win) : 464/{tcp,udp}

12 Kerberos Protocol (3)
- Getting a Ticket Granting Ticket (1+2)
> (1) TGT Request (AS-REQ) from the Client to the KDC : no password is sent
> (2) TGT (AS-REP) from the KDC to the Client : the TGT itself is encrypted under the krbtgt key and is opaque to the client; the accompanying TGT session key is encrypted under the key derived from the user's password, so only someone who knows the password can use it

13 Kerberos Protocol (4)
- Getting and using a Service Ticket (3+4+5)
> (3) ST Request (TGS-REQ) from the Client to the KDC, with the TGT and an authenticator encrypted under the TGT session key
> (4) ST and service session key (TGS-REP) from the KDC to the Client; the ST is encrypted under the service's key
> (5) ST plus a fresh authenticator (AP-REQ) from the Client to the Server for authentication

14 NAT issues
- Host address is included in the tickets (recommended) : the service compares it with the source address of the request, so a ticket presented from behind NAT is rejected
- Need to add the NATed IP address in the ticket
> Patch for MIT Kerberos 5.1
- Create a TGT without address (not recommended) : kinit -A <principal>

15 Attacks against Kerberos (1)
- Vulnerability in Kerberos password authentication via KDC AS spoofing : a login program that only checks that it can decrypt the AS-REP with the user's password can be fooled by a fake KDC. Mitigation : give the host a keytab file, register a principal for the service, and have the login program obtain and verify a service ticket for that principal
- Replay attacks : detected (C+S are time synchronized, and the server keeps a cache of recently seen authenticators)
- Exposed keys : keys have a limited lifetime but are multi-session keys
- Temporary file vulnerability : run krb
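The exchanges of slides 12 and 13, the address binding of slide 14 and the replay detection of slide 15, as an added worked example that is not part of the original presentation. It models the AS, TGS and AP exchanges in Python with a toy HMAC-based cipher (standard library only, not a Kerberos enctype, and no ASN.1). The realm COLT.CH is taken from the slides' router configuration; the principals alice and host/router1, the passwords, the addresses and the message layout are constructed for the example.

```python
# Added toy model of the Kerberos V exchanges described on the slides; not code from the
# presentation. The "cipher" is an HMAC-SHA256 keystream plus MAC built from the standard
# library so the script runs offline; real Kerberos uses DES/3DES (2001) or AES enctypes.
import hashlib, hmac, json, os, time

SKEW = 300  # allowed clock skew in seconds (MIT default is 5 minutes)

def _ks(key, nonce, n):
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):  # encrypt-then-MAC a JSON object under a symmetric key (toy AEAD)
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _ks(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def string_to_key(password, salt):  # long-term key; the password itself never goes on the wire
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 1000)

def verify_ap_req(server_key, ticket_blob, auth_blob, src_addr, seen):
    # The checks a kerberized server (or the TGS) makes on a ticket + authenticator.
    ticket = unseal(server_key, ticket_blob)        # only the server's own key opens the ticket
    sk = bytes.fromhex(ticket["key"])
    auth = unseal(sk, auth_blob)                    # proves the client holds the session key
    now = time.time()
    if not ticket["start"] - SKEW <= now <= ticket["end"]:
        raise ValueError("ticket expired or not yet valid")
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - auth["ctime"]) > SKEW:             # why client and server clocks must agree
        raise ValueError("authenticator outside clock skew")
    if ticket["addr"] is not None and ticket["addr"] != src_addr:
        raise ValueError(f"ticket bound to {ticket['addr']}, request came from {src_addr}")
    rc_key = hashlib.sha256(auth_blob).hexdigest()  # replay cache keyed on the authenticator
    if rc_key in seen:
        raise ValueError("replayed authenticator")
    seen.add(rc_key)
    return ticket, sk

class KDC:  # holds every principal's secret key; the AS and the TGS share this database
    def __init__(self, realm):
        self.realm, self.db, self.seen = realm, {}, set()
        self.krbtgt_key = os.urandom(32)            # key of krbtgt/REALM@REALM
    def add_principal(self, name, password):        # user key, or service key (keytab/SRVTAB)
        self.db[name] = string_to_key(password, self.realm + name)
    def as_exchange(self, client, addr, lifetime=8 * 3600):
        # AS-REQ -> AS-REP: TGT (opaque to the client) + session key under the client's key.
        sk, now = os.urandom(32), int(time.time())
        tgt = {"client": client, "key": sk.hex(), "start": now, "end": now + lifetime, "addr": addr}
        return seal(self.krbtgt_key, tgt), seal(self.db[client], {"key": sk.hex(), "end": tgt["end"]})
    def tgs_exchange(self, tgt_blob, auth_blob, service, src_addr):
        # TGS-REQ (TGT + authenticator) -> TGS-REP (service ticket + service session key).
        tgt, tgt_sk = verify_ap_req(self.krbtgt_key, tgt_blob, auth_blob, src_addr, self.seen)
        ssk = os.urandom(32)
        st = dict(tgt, key=ssk.hex(), start=int(time.time()))  # keeps client, end time and addr
        return seal(self.db[service], st), seal(tgt_sk, {"key": ssk.hex(), "service": service})

class Client:
    def __init__(self, name, password, realm, addr):
        self.name, self.addr, self.key = name, addr, string_to_key(password, realm + name)
    def _authenticator(self, sk):
        t = time.time()
        return seal(sk, {"client": self.name, "ctime": int(t), "cusec": int(t % 1 * 1e6)})
    def kinit(self, kdc, addressless=False):        # addressless=True is what 'kinit -A' does
        self.tgt, rep = kdc.as_exchange(self.name, None if addressless else self.addr)
        self.tgt_sk = bytes.fromhex(unseal(self.key, rep)["key"])  # a wrong password fails here
    def get_st(self, kdc, service, src_addr):
        self.st, rep = kdc.tgs_exchange(self.tgt, self._authenticator(self.tgt_sk), service, src_addr)
        self.st_sk = bytes.fromhex(unseal(self.tgt_sk, rep)["key"])
    def ap_req(self):
        return self.st, self._authenticator(self.st_sk)

def outcome(fn):
    try:
        fn()
        return "accepted"
    except ValueError as e:
        return str(e)

def demo():  # drives the exchanges with constructed principals; returns each check's result
    kdc = KDC("COLT.CH")                            # realm name taken from the slides' config
    kdc.add_principal("alice", "correct horse battery")
    kdc.add_principal("host/router1", "srvtab-secret")
    router_key, seen = kdc.db["host/router1"], set()   # what the router holds in its SRVTAB
    alice = Client("alice", "correct horse battery", "COLT.CH", "10.0.0.5")
    alice.kinit(kdc)
    alice.get_st(kdc, "host/router1", "10.0.0.5")
    st, auth = alice.ap_req()
    out = {"login": outcome(lambda: verify_ap_req(router_key, st, auth, "10.0.0.5", seen))}
    out["replay"] = outcome(lambda: verify_ap_req(router_key, st, auth, "10.0.0.5", seen))
    out["nat"] = outcome(lambda: verify_ap_req(router_key, *alice.ap_req(), "203.0.113.9", seen))
    alice.kinit(kdc, addressless=True)              # kinit -A: neither TGT nor ST carries an address
    alice.get_st(kdc, "host/router1", "203.0.113.9")
    out["nat_addressless"] = outcome(lambda: verify_ap_req(router_key, *alice.ap_req(), "203.0.113.9", seen))
    out["wrong_password"] = outcome(lambda: Client("alice", "wrong", "COLT.CH", "10.0.0.5").kinit(kdc))
    return out
```

Running demo() gives the outcomes a practitioner expects from the slides: the first AP-REQ is accepted; the same AP-REQ re-sent is refused by the replay cache; an address-bound ticket presented from a NATed source is refused; an addressless TGT (what kinit -A produces) makes the NATed case pass; and a wrong password fails on the client side because it cannot open the AS-REP, with nothing password-derived having crossed the wire. The check verify_ap_req performs with router_key is also what a login program should do against its own keytab to defeat the KDC spoofing of slide 15: obtain a service ticket for the host's own principal and verify it, rather than trusting a decryptable AS-REP alone.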

16 Attacks against Kerberos (2)
- Password guessing : use a good passphrase (an attacker who captures an AS-REP can try passwords against it offline)
- Trojaned clients : use one-time passwords (OTP)
- Implicit trust between realms
- Ticket forwarding
- Others : the KDC itself, shared workstations, ...

17 *NIX clients
- RedHat (6.2 and 7) provides Kerberos V support
> Install patch RHSA-2001:025-14
- OpenBSD and Solaris 2.8 now support Kerberos V
- Solaris < 2.8 only provides Kerberos IV

18 Kerberos V on *NIX clients (1)
- Authentication managed by the Kerberos API
- Authorizations defined in user files :
> ~/.k5login - defines the principal(s) who can log into that account
> ~/.k5users - defines the commands that can be launched via ksu (sudo-like)
- PAM alternatives

19 Kerberos V on *NIX clients (2)
- Kerberized Telnet : available
- Kerberized SSH :
> SSH.Com's SSH 1.2.x and 2.x support Kerberos V
> Kerberos V patches available for OpenSSH
> OpenSSH w/ Kerberos V on RedHat 7.1

20 Kerberos V on Cisco equipment (1)
- Cisco Routers
> Kerberized Telnet
> Password authentication using Kerberos (telnet, SSH and console)
> Can map an instance to a Cisco privilege level (locally defined)
- Cisco Switches
> Telnet only (SSH available as of CatOS 6.1 but w/o Kerberos support)

21 Kerberos V on Cisco equipment (2)
- IOS & memory issues on routers :
> Feature name : Kerberos V client support
> Needed feature set : at least Enterprise
> Not supported on all hardware, for example :
  - Cisco 16xx router
  - Cisco GSR (12xxx - Gigabit Switch Router)
> Memory requirements :
> Hint : always check with the Cisco IOS Feature Navigator

22 Kerberos V on Cisco equipment (3)
- Router configuration (Kerberized Telnet first, local user database as fallback; the engineering instance maps to privilege level 15, the support instance to level 3) :
    aaa authentication login default krb5-telnet local
    aaa authorization exec default krb5-instance
    kerberos local-realm COLT.CH
    kerberos srvtab entry ...
    kerberos server COLT.CH
    kerberos instance map engineering 15
    kerberos instance map support 3
    kerberos credentials forward
    line vty 0 4
    ntp server

23 Kerberos V on Cisco equipment (4)
- CatOS & memory issues on switches :
> At least Supervisor Engine Software Release 5.x
> Only supported on Catalyst 4000, 5000 and 6000/6500
> Only supported on SE I (not SE II) on Cat6K
> Memory requirements :
> Hint : always check the Release Notes

24 Kerberos V on Cisco equipment (5)
- Switch configuration :
    #kerberos
    set kerberos local-realm COLT.CH
    set kerberos clients mandatory
    set kerberos credentials forward
    set kerberos server COLT.CH
    set kerberos srvtab entry ...
    #authentication
    set authentication login kerberos enable telnet primary
    set authentication enable kerberos enable telnet primary
    #ntp
    set ntp client enable
    set ntp server

25 Kerberos V on Win2K stations (1)
- Provides Kerberos authentication for interactive logons
- The protocol is a Security Support Provider under the SSPI (Security Support Provider Interface) and is linked to the LSA (Local Security Authority)
- The ticket cache is provided by the LSA
- Telnetd supports Kerberos

26 Kerberos V on Win2K stations (2)
- Support Tools
- Win2K station configuration (the last line maps every principal to the local account of the same name) :
    ksetup /setdomain COLT.CH
    ksetup /addkdc COLT.CH kdc.colt.ch
    ksetup /setmachpassword password
    ksetup /mapuser localuser
    ksetup /mapuser * *
- Windows Time service (+ registry)
- No kerberized SSH, only a few (broken) telnet clients

27 That's all folks :-)
- Latest version : < >
- Q&A

