Presentation is loading. Please wait.

Presentation is loading. Please wait.

HEPNT/HEPiX meeting Oct 6, 1999 1 Securing mail access with Kerberos and SSL Wolfgang Friebel DESY.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "HEPNT/HEPiX meeting Oct 6, 1999 1 Securing mail access with Kerberos and SSL Wolfgang Friebel DESY."— Presentation transcript:

1 HEPNT/HEPiX meeting Oct 6, 1999 1 Securing mail access with Kerberos and SSL Wolfgang Friebel DESY

2 HEPNT/HEPiX meeting Oct 6, 1999 2 Motivation  User authentication at our site is based on Kerberos  Nearly all services made Kerberos aware (xdm, ftp,...)  IMAP4 with the UW imapd was not kerberized  Clear text passwords were sent for imapd auth  Had to maintain UNIX passwords because of imapd

3 HEPNT/HEPiX meeting Oct 6, 1999 3 Goals Stay with the present imapd server (UW) Get rid of clear text passwords by using imapd with SSL: u encrypting the communication Get rid of UNIX passwords by using imapd with Kerberos: u check password against Kerberos or u sending encrypted data to authenticate

4 HEPNT/HEPiX meeting Oct 6, 1999 4 Solution 1: Authentication with Kerberos Make use of the PAM support on several platforms  link imapd including the pam library Advantages:  no source code modification required  encrypted UNIX password no longer needed Disadvantage:  Passwords go in clear over the line

5 HEPNT/HEPiX meeting Oct 6, 1999 5 Solution 2: Making imapd Kerberos aware  imapd / pine comes with client side Kerberos support  server side support added by Michael Matz  compiled pine and imapd with Kerberos authenticator Advantage:  no password required with valid token Disadvantages:  Clear password transmission without valid token  no other Kerberos aware clients except pine

6 HEPNT/HEPiX meeting Oct 6, 1999 6 Solution 3: Accepting SSL connections  Made imapd SSL aware by replacing the socket read and write calls (recipe by Andy Polyakov, appro@fy.chalmers.se)  Separate server listening on port 993  Is known to work at least on Solaris  Requires a certificate authority Advantages:  works with Netscape, Internet explorer  no longer any clear text passwords Disadvantages :  lacking SSL support in pine, wrapper required  speed, whole session gets encrypted

7 HEPNT/HEPiX meeting Oct 6, 1999 7 Alternate solutions for SSL support  Use unmodified imapd and unmodified clients with available wrappers, e.g: u stunnel u bjorb u wrapssl Advantage:  ease of installation Disadvantage:  Wrappers (daemons) required on each host

8 HEPNT/HEPiX meeting Oct 6, 1999 8 Our final solution: Kerberos and SSL  Two running servers: u kerberized imapd on port 143 u SSL aware kerberized imapd on port 993  Kerberos aware client: pine  SSL aware clients: Netscape and Internet Explorer  pine made SSL aware by Michael Matz (9/99)

9 HEPNT/HEPiX meeting Oct 6, 1999 9 Conclusions  Reached our goals  Kerberized imapd used at Zeuthen since 8/99  Hamburg will follow, if test phase successful  SSL aware pine (pinessl or spine) comes next  Patches available

10 HEPNT/HEPiX meeting Oct 6, 1999 10 Resources  imapd with SSL: http://fy.chalmers.se/~appro/ssl_inetd.htm  pine with SSL: ftp://ftp.ifh.de/pub/unix/mail/pine4.10-ssl.diff.gz  kerberized imapd: ftp://ftp.ifh.de/pub/unix/mail/imap-4.6-kerberos.diff.tgz  stunnel: http://mike.daewoo.com.pl/computer/stunnel  bjorb: http://www.hitachi-ms.co.jp/bjorb/en/

Download ppt "HEPNT/HEPiX meeting Oct 6, 1999 1 Securing mail access with Kerberos and SSL Wolfgang Friebel DESY."

Similar presentations

Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.

Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.
Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.

Overview Network security involves protecting a host (or a group of hosts) connected to a network Many of the same problems as with stand-alone computer.
CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),

CSE 461 Section. “Transport Layer Security” protocol Standard protocol for encrypting Internet traffic Previously known as SSL (Secure Sockets Layer),
BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.

BASIC CRYPTOGRAPHY CONCEPT. Secure Socket Layer (SSL)  SSL was first used by Netscape.  To ensure security of data sent through HTTP, LDAP or POP3.
Password? CLASP Project Update C5 Meeting, 16 June 2000 Denise Heagerty, IT/IS.

Password? CLASP Project Update C5 Meeting, 16 June 2000 Denise Heagerty, IT/IS.
INTEGRATING NETWORK CRYPTOGRAPHY INTO THE OPERATING SYSTEM BY ANTHONY GABRIELSON HAIM LEVKOWITZ Mohammed Alali | CS 69995 – Dr. RothsteinSummer 2013.

INTEGRATING NETWORK CRYPTOGRAPHY INTO THE OPERATING SYSTEM BY ANTHONY GABRIELSON HAIM LEVKOWITZ Mohammed Alali | CS – Dr. RothsteinSummer 2013.
Password?. Project CLASP: Common Login and Access rights across Services Plan

Password?. Project CLASP: Common Login and Access rights across Services Plan
Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.

Kerberos Jean-Anne Fitzpatrick Jennifer English. What is Kerberos? Network authentication protocol Developed at MIT in the mid 1980s Available as open.
6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)

6/3/2015topic1 Web Security Qiang Yang Simon Fraser University Thanks: Francis Lau (HKU)
Secure Shell – SSH Tam Ngo Steve Licking cs265. Overview Introduction Brief History and Background of SSH Differences between SSH-1 and SSH- 2 Brief Overview.

Secure Shell – SSH Tam Ngo Steve Licking cs265. Overview Introduction Brief History and Background of SSH Differences between SSH-1 and SSH- 2 Brief Overview.
X.509 at the University of Michigan CIC-RPG Meeting June 7, 1999 Kevin Coffman Bill Doster

X.509 at the University of Michigan CIC-RPG Meeting June 7, 1999 Kevin Coffman Bill Doster
A CHAT CLIENT-SERVER MODULE IN JAVA BY MAHTAB M HUSSAIN MAYANK MOHAN ISE 582 FALL 2003 PROJECT.

A CHAT CLIENT-SERVER MODULE IN JAVA BY MAHTAB M HUSSAIN MAYANK MOHAN ISE 582 FALL 2003 PROJECT.
SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.

SSH : The Secure Shell By Rachana Maheswari CS265 Spring 2003.
1 PLuSH – Mesh Tree Fast and Robust Wide-Area Remote Execution Mikhail Afanasyev ‧ Jose Garcia ‧ Brian Lum.

1 PLuSH – Mesh Tree Fast and Robust Wide-Area Remote Execution Mikhail Afanasyev ‧ Jose Garcia ‧ Brian Lum.
EECC694 - Shaaban #1 lec #16 Spring2000 5-4-2000 Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.

EECC694 - Shaaban #1 lec #16 Spring Properties of Secure Network Communication Secrecy: Only the sender and intended receiver should be able.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.

How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
File Transfer Protocol (FTP)

File Transfer Protocol (FTP)
SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004

SSL (Secure Socket Layer) and Secure Web Pages Rob Sodders, University of Florida CIS4930 “Advanced Web Design” Spring 2004
Secure Remote Access to an Internal Web Server Christian Gilmore, David Kormann, and Aviel D. Rubin ATT Labs - Research “The security policy usually amounts.

Secure Remote Access to an Internal Web Server Christian Gilmore, David Kormann, and Aviel D. Rubin ATT Labs - Research “The security policy usually amounts.
SSH Secure Login Connections over the Internet

SSH Secure Login Connections over the Internet

Similar presentations

Ads by Google