Kerberos: the network authentication protocol
TRANSCRIPT
Kerberos
The Network Authentication Protocol
The first school 100% dedicated to open source
Open Source School was founded at the initiative of Smile, the leader in open source integration and managed services, and of EPSI, a private institution that pioneered higher education in computer science.
As part of the Programme d'Investissements d'Avenir (PIA), the French government decided to support the creation of this school with an initial grant of €1.4M, confirming its commitment to the fast-growing free software sector.
With annual growth above 10% and 4,000 unfilled positions every year in the free software sector, OSS aims to address the sector's skills shortage by mobilising the whole ecosystem and offering the broadest range of training in open source technologies, in both initial and continuing education.
Training that leads to full employment!
Continuing education
Open Source School "Executive Education" is an accredited training organisation offering a catalogue of more than 200 professional courses and several retraining schemes leading to a return to employment (POE) or to better employability for many IT professionals.
For enquiries: [email protected]
Initial education
100% free software and 100% work-study, the Open Source School curriculum is based on EPSI's skills-block framework. It leads to a level I RNCP qualification (Bac+5). The programme is offered on 6 campuses: Bordeaux, Lille, Lyon, Montpellier, Nantes, Paris.
Our training areas
The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab
Plan
1 The Kerberos Protocol
2 Kerberos implementations: MIT Kerberos 5, Active Directory
3 Kerberos for web applications
4 Lab
www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 2/25
Network Authentication
Today, most authentication protocols consist of:
client sends login (in clear)
client sends password (in clear)
server checks login/password against its database
Problems:
cleartext (wrapping the whole session in TLS mitigates this)
you need to authenticate every time you use a service
every server needs an up-to-date copy of the password database
Enter Kerberos
Kerberos is:
an authentication mechanism
NOT a directory
NOT an authorization mechanism
centralized: only one password database, servers no longer store passwords
security-focused: it can run safely over insecure networks (eavesdropping, replay...)
SSO: you only use your password once
The big picture
Kerberos and the DNS
Kerberos relies on DNS to find servers and principals.
Which realm a particular host belongs to (TXT record; the client tries the host name, then each parent domain):
    _kerberos.part.of.fqdn TXT "KERBEROS.TLD"
Which servers to contact for this realm (SRV records; lowest priority first, weighted choice among equal priorities):
    _kerberos._udp.realm SRV 0 0 88 krbsrv
    _kerberos-master._udp.realm SRV 0 0 88 krbsrv
    _kerberos-adm._tcp.realm SRV 0 0 749 krbsrv
    _kpasswd._udp.realm SRV 0 0 464 krbsrv
Kerberos clients also use reverse DNS to canonicalize a server's host name into the service principal they request a ticket for (host/fqdn@REALM).
Caveat: none of these lookups are authenticated. Whoever controls DNS on the path can steer a client to another realm, another KDC or, through a forged PTR record, a service principal whose key they hold. Explicit [realms] and [domain_realm] entries in krb5.conf take precedence over DNS; MIT krb5 keeps dns_lookup_realm off by default, and reverse canonicalization can be switched off with rdns = false.
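The three lookups above (realm from TXT, KDC from SRV, service principal from reverse DNS), as an added Python example that is not part of the deck. It runs against a constructed in-memory zone instead of live DNS; the names (formation.tld, example.com, kdc1..kdc3, web.formation.tld, 192.168.0.10) are assumptions. The last function shows why rdns = false matters: the same host name yields a different service principal once the PTR record is under someone else's control.

```python
import random

# Constructed in-memory zone standing in for live DNS (all names are assumptions, not the school's domain).
ZONE = {
    "_kerberos.example.com.":               {"TXT": ["FORMATION.TLD"]},
    "_kerberos._udp.formation.tld.":        {"SRV": [(0, 60, 88, "kdc1.formation.tld."),
                                                     (0, 40, 88, "kdc2.formation.tld."),
                                                     (10, 0, 88, "kdc3.formation.tld.")]},
    "_kerberos-master._udp.formation.tld.": {"SRV": [(0, 0, 88, "kdc1.formation.tld.")]},
    "_kerberos-adm._tcp.formation.tld.":    {"SRV": [(0, 0, 749, "kdc1.formation.tld.")]},
    "_kpasswd._udp.formation.tld.":         {"SRV": [(0, 0, 464, "kdc1.formation.tld.")]},
    "web.formation.tld.":                   {"A": ["192.168.0.10"]},
    "10.0.168.192.in-addr.arpa.":           {"PTR": ["web.formation.tld."]},
}

def lookup(name, rtype, zone=ZONE):
    """Tiny resolver over the constructed zone; returns the record data list (empty if absent)."""
    return zone.get(name.lower().rstrip(".") + ".", {}).get(rtype, [])

def realm_for_host(fqdn, zone=ZONE):
    """dns_lookup_realm: try _kerberos.<fqdn> TXT, then each parent domain; the first answer wins."""
    labels = fqdn.rstrip(".").split(".")
    for i in range(len(labels) - 1):          # never ask the bare TLD
        txt = lookup("_kerberos." + ".".join(labels[i:]), "TXT", zone)
        if txt:
            return txt[0]
    return None                               # caller falls back to [domain_realm] / default_realm in krb5.conf

def kdcs_for_realm(realm, service="_kerberos", proto="_udp", zone=ZONE, seed=None):
    """dns_lookup_kdc: order SRV targets per RFC 2782, lowest priority first, weighted random within a priority."""
    rnd, ordered = random.Random(seed), []
    records = lookup(f"{service}.{proto}.{realm}", "SRV", zone)
    for prio in sorted({r[0] for r in records}):
        group = [r for r in records if r[0] == prio]
        while group:
            threshold, acc = rnd.randint(0, sum(r[1] for r in group)), 0
            for r in group:
                acc += r[1]
                if acc >= threshold:
                    break
            group.remove(r)
            ordered.append((r[3].rstrip("."), r[2]))   # (host, port)
    return ordered

def service_principal(hostname, realm, zone=ZONE, rdns=True):
    """Canonicalize the name the user typed into host/<fqdn>@REALM as a client with rdns=true does:
    forward lookup, then the PTR of the address. With rdns=false the forward name is kept as-is."""
    canon, addrs = hostname.rstrip("."), lookup(hostname, "A", zone)
    if rdns and addrs:
        ptr = lookup(".".join(reversed(addrs[0].split("."))) + ".in-addr.arpa", "PTR", zone)
        if ptr:
            canon = ptr[0].rstrip(".")        # whoever controls this PTR chooses the principal we ask for
    return f"host/{canon}@{realm}"
```

The poisoned-PTR case is what the forward/reverse consistency requirement on the prerequisites slide is about: with rdns on, the ticket is requested for whatever name the PTR says, so a service key for that name is all an attacker on the reverse zone needs.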
Vocabulary
Ticket: encrypted cryptographic material exchanged by the parties; the holder cannot read it, only the party whose key it is sealed with can
TGT: Ticket-Granting Ticket, sealed with the KDC's own krbtgt key
ST: Service Ticket, sealed with the service's key
KDC: Key Distribution Center, the AS and TGS together, holding the principal database
AS: Authentication Server (grants the TGT)
TGS: Ticket-Granting Server (grants STs)
SS: Service Server, the kerberized service the client finally talks to
principal: the name attached to a secret key in the KDC database, user@REALM or service/fqdn@REALM
keytab: file holding a service's long-term key(s) on the SS, the machine equivalent of a password
Cross-realm authentication
0 A secret is exchanged between the two KDCs (the shared key of the krbtgt/SERVERREALM@CLIENTREALM principal)
1 The client gets a TGT for the server's realm from its own KDC
2 The client gets an ST from the server's KDC, using this cross-realm TGT
3 The client authenticates to the server using this ST
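The exchanges behind the vocabulary slide and the cross-realm steps above, as an added, runnable model in Python. It is not from the deck: it uses a toy HMAC-based cipher in place of a real Kerberos enctype, invented realms (FORMATION.TLD, PARTNER.TLD), an invented user alice and service host/web.partner.tld, and a fixed clock. What it shows is which party can unseal what, why the KDC never sees the password, how the shared krbtgt/B@A key lets realm B accept a TGT issued by realm A, and how the service's replay cache and clock-skew check reject a re-sent authenticator.

```python
import hashlib, hmac, json, os

SKEW = 300  # tolerated clock skew in seconds, the usual KDC default (hence "all clocks must be in sync")

# Toy enctype: HMAC-SHA256 keystream + HMAC tag. Stands in for a real Kerberos enctype; NOT for production.
def _stream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered ticket)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def string_to_key(password, principal):
    # password -> long-term key, salted with the principal name as the real string-to-key does
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def authenticator(session_hex, client, now):
    # proves possession of the session key and carries a timestamp for the skew/replay checks
    return seal(bytes.fromhex(session_hex), {"client": client, "ts": now})

class KDC:
    """AS + TGS of one realm; keys is the principal database, the only place long-term keys live."""
    def __init__(self, realm, keys):
        self.realm, self.keys = realm, keys

    def as_exchange(self, client, now):
        # AS-REP: TGT sealed under krbtgt/REALM@REALM, session key sealed under the client's own key.
        # No password crosses the wire: a wrong password simply cannot unseal the reply.
        session = os.urandom(32).hex()
        tgt = seal(self.keys[f"krbtgt/{self.realm}@{self.realm}"], {"client": client, "key": session, "exp": now + 36000})
        return tgt, seal(self.keys[client], {"key": session, "exp": now + 36000})

    def tgs_exchange(self, tgt_name, tgt, auth, service, now):
        # TGS-REP: tgt_name is the principal the presented TGT was issued for, so a cross-realm
        # TGT (krbtgt/B@A) is unsealed with the inter-realm key that realms A and B share.
        t = unseal(self.keys[tgt_name], tgt)
        a = unseal(bytes.fromhex(t["key"]), auth)
        if now > t["exp"] or a["client"] != t["client"] or abs(now - a["ts"]) > SKEW:
            raise ValueError("TGT expired, authenticator mismatch or clock skew")
        session = os.urandom(32).hex()
        st = seal(self.keys[service], {"client": t["client"], "key": session, "exp": now + 36000})
        return st, seal(bytes.fromhex(t["key"]), {"key": session})

class Service:
    """The SS: holds only its keytab key, never contacts the KDC, keeps a replay cache."""
    def __init__(self, keytab_key):
        self.key, self.replay = keytab_key, set()

    def ap_exchange(self, st, auth, now):
        t = unseal(self.key, st)
        a = unseal(bytes.fromhex(t["key"]), auth)
        if now > t["exp"] or a["client"] != t["client"] or abs(now - a["ts"]) > SKEW:
            raise ValueError("ticket expired, authenticator mismatch or clock skew")
        if (a["client"], a["ts"]) in self.replay:
            raise ValueError("replayed authenticator")   # same authenticator seen again inside the skew window
        self.replay.add((a["client"], a["ts"]))
        return t["client"]

def cross_realm_login(password, now=1_700_000_000):
    """alice@FORMATION.TLD reaches host/web.partner.tld@PARTNER.TLD: steps 0-3 of the cross-realm slide."""
    A, B = "FORMATION.TLD", "PARTNER.TLD"
    k_a, k_b, k_ab, k_web = (os.urandom(32) for _ in range(4))   # k_ab is step 0, the secret shared by both KDCs
    alice, web_spn = f"alice@{A}", f"host/web.partner.tld@{B}"
    kdc_a = KDC(A, {f"krbtgt/{A}@{A}": k_a, f"krbtgt/{B}@{A}": k_ab, alice: string_to_key("s3cret", alice)})
    kdc_b = KDC(B, {f"krbtgt/{B}@{B}": k_b, f"krbtgt/{B}@{A}": k_ab, web_spn: k_web})
    web = Service(k_web)                                           # the keytab on the SS
    tgt, enc = kdc_a.as_exchange(alice, now)                       # kinit: local TGT
    sess = unseal(string_to_key(password, alice), enc)["key"]      # raises on a wrong password
    # step 1: cross-realm TGT for B from A's own TGS
    xtgt, enc = kdc_a.tgs_exchange(f"krbtgt/{A}@{A}", tgt, authenticator(sess, alice, now), f"krbtgt/{B}@{A}", now)
    xsess = unseal(bytes.fromhex(sess), enc)["key"]
    # step 2: service ticket from B's TGS, presenting the cross-realm TGT
    st, enc = kdc_b.tgs_exchange(f"krbtgt/{B}@{A}", xtgt, authenticator(xsess, alice, now), web_spn, now)
    ssess = unseal(bytes.fromhex(xsess), enc)["key"]
    # step 3: AP-REQ to the service; the same AP-REQ sent again is caught by the replay cache
    ap = authenticator(ssess, alice, now)
    who = web.ap_exchange(st, ap, now)
    try:
        web.ap_exchange(st, ap, now + 1)
        replay_blocked = False
    except ValueError:
        replay_blocked = True
    return who, replay_blocked
```

Note what the service never sees: the user's key, the TGT, or the KDC at all. Everything it needs is in the ticket sealed with its own keytab key, which is why a leaked keytab is equivalent to a leaked service password.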
Prerequisites, best practices
All clocks must be in sync: authenticators carry a timestamp and are rejected outside the allowed skew (5 minutes by default), which also bounds the replay window
forward and reverse DNS have to be consistent, and have to match the server's hostname (that is the name the service principal is built from)
no NAT between clients, KDC and servers
MIT Kerberos 5
Overview
Reference Kerberos implementation since the 1980s
Supports cross-realm trust and master-slave (delayed) replication
Can use an LDAP backend
An MIT KDC can be trusted by a Windows domain
An MIT client can log in to a Windows domain
MIT server
krb5kdc: the KDC, distributes TGTs and service tickets; can be replicated
kadmind: server for administrative operations, including password changes; only one (on the master)
kadmin.local: local Kerberos administration, directly on the KDC database
MIT client
kadmin : remote kerberos administration
kinit/kdestroy : get TGT / destroy all tickets
kpasswd : change password
klist : list current tickets
ktutil : keytab operations
MIT client config
[libdefaults]
    default_realm = FORMATION.TLD

[realms]
    FORMATION.TLD = {
        kdc = 192.168.0.2
        admin_server = 192.168.0.2
    }

[domain_realm]
    .mylan = FORMATION.TLD
Active Directory
Overview
Active Directory uses Kerberos for SSO
EEE (embrace, extend, extinguish) at first; interoperability has got better since
Kerberos is tightly integrated into AD
Workstations usually log in to AD
A keytab can be exported for third-party applications
Built-in
Every AD domain controller runs a KDC backed by the domain's principal database
Users get a TGT when they log in
Kerberos is preferred over NTLM for SSO in the domain
However, when Kerberos fails (no SPN registered for the service, server reached by IP address instead of by name...), NTLM is used as a fallback
Samba with security = ADS can use AD Kerberos
Apache with mod_auth_kerb can use AD Kerberos
Creating principals
Creating a user automatically creates a new login@DOMAIN principal
To create a service principal, you must create a dummy account and attach the SPN to it
Samba works around this using the machine account it is joined with
Use ktpass to map a service principal to that account and generate a keytab for MIT (ktpass sets the account's password and bumps its kvno, so regenerate the keytab every time you re-run it)
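The keytab that ktpass (or ktutil / kadmin ktadd on the MIT side) produces is a small binary file; being able to read it is how you check what you are about to hand to a service. This added Python example, not from the deck, decodes the MIT 0x0502 keytab format and runs the checks a practitioner wants before deploying one: only the intended service's keys, no weak enctypes, no stale key versions left behind. The sample keytab is constructed inline with filler keys; the principal names are assumptions.

```python
import struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 16: "des3-cbc-sha1", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 19: "aes128-cts-hmac-sha256-128",
            20: "aes256-cts-hmac-sha384-192", 23: "rc4-hmac"}
WEAK = {1, 3, 16, 23}   # DES, 3DES and RC4: deprecated, crackable offline or refused by modern KDCs

def _read_cos(data, off):             # counted_octet_string: uint16 length + bytes, big-endian
    (n,) = struct.unpack_from(">H", data, off)
    return data[off + 2:off + 2 + n], off + 2 + n

def parse_keytab(blob):
    """Decode an MIT format 0x0502 keytab (what ktutil, kadmin ktadd and ktpass produce)."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    off, entries = 2, []
    while off < len(blob):
        (size,) = struct.unpack_from(">i", blob, off)
        off += 4
        end = off + abs(size)
        if size < 0:                                   # negative size = slot of a removed entry, skip it
            off = end
            continue
        (ncomp,) = struct.unpack_from(">H", blob, off)
        off += 2
        realm, off = _read_cos(blob, off)
        comps = []
        for _ in range(ncomp):
            c, off = _read_cos(blob, off)
            comps.append(c.decode())
        _name_type, timestamp, vno8 = struct.unpack_from(">IIB", blob, off)
        off += 9
        (etype,) = struct.unpack_from(">H", blob, off)
        key, off = _read_cos(blob, off + 2)
        vno = vno8
        if end - off >= 4:                             # 32-bit kvno follows in modern files; it wins when non-zero
            (vno32,) = struct.unpack_from(">I", blob, off)
            vno = vno32 or vno8
        off = end
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "kvno": vno,
                        "enctype": ENCTYPES.get(etype, f"etype-{etype}"), "weak": etype in WEAK,
                        "keylen": len(key), "timestamp": timestamp})
    return entries

def _write_cos(b):
    return struct.pack(">H", len(b)) + b

def keytab_entry(principal, kvno, etype, key, timestamp=0):
    """Encode one entry (name_type 1 = NT-PRINCIPAL); used here to build the constructed sample."""
    name, realm = principal.rsplit("@", 1)
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _write_cos(realm.encode())
    body += b"".join(_write_cos(c.encode()) for c in comps)
    body += struct.pack(">IIB", 1, timestamp, kvno & 0xff) + struct.pack(">H", etype) + _write_cos(key)
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body

def audit_keytab(blob, service="HTTP"):
    """Findings to fix before handing the keytab to Apache: foreign principals, weak enctypes, stale kvnos."""
    findings, entries = [], parse_keytab(blob)
    for e in entries:
        if not e["principal"].startswith(service + "/"):
            findings.append(f"unexpected principal {e['principal']}: keep a separate keytab per service")
        if e["weak"]:
            findings.append(f"weak enctype {e['enctype']} for {e['principal']}")
    by_principal = {}
    for e in entries:
        by_principal.setdefault(e["principal"], set()).add(e["kvno"])
    for p, kvnos in by_principal.items():
        if len(kvnos) > 1:
            findings.append(f"{p} has kvno {sorted(kvnos)}: old key versions still present")
    return findings

# Constructed sample: what a sloppy ktpass/ktutil session might leave behind (keys are random filler).
SAMPLE = (b"\x05\x02"
          + keytab_entry("HTTP/web.formation.tld@FORMATION.TLD", 3, 18, b"A" * 32)
          + keytab_entry("HTTP/web.formation.tld@FORMATION.TLD", 3, 23, b"B" * 16)
          + keytab_entry("HTTP/web.formation.tld@FORMATION.TLD", 2, 18, b"C" * 32)
          + keytab_entry("host/kdc.formation.tld@FORMATION.TLD", 1, 17, b"D" * 16)
          + struct.pack(">i", -8) + b"\x00" * 8)          # a removed entry's empty slot
```

Compare the output with `klist -ekt /path/to/keytab` on a real file; the kvno must match what the KDC (or ktpass) last set, otherwise the service will decrypt nothing and Kerberos will silently fall back to NTLM on the AD side.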
HTTP-Negotiate
SPNEGO/GSSAPI/Kerberos
Supported in major browsers (usually only for sites listed as trusted/intranet in the browser configuration)
Server answers 401 with WWW-Authenticate: Negotiate
Client re-sends the request with its service ticket, wrapped in a SPNEGO token, in an Authorization: Negotiate header
Every request has to be sent twice (the first one is refused with the 401) unless the client remembers the challenge and sends the token pre-emptively
The token in that header is an AP-REQ: sniffed, it can be replayed within the clock-skew window against a server without a replay cache, so serve Negotiate over TLS only
Guidelines
The application needs to be modified
You should only configure Kerberos auth on the login form, not on the whole site
Alternatively: set up CAS+Kerberos
Kerberos is only auth: you need something else to find info about the user (LDAP, internal db...)
If you integrate with AD: you will need a server keytab (exported with ktpass)
PHP: Apache mod_auth_kerb
Tomcat/JBoss: JAAS
Apache mod auth kerb
Apache must be allowed to read the keytab, and nothing else should: the file holds the service's long-term key
    AuthType Kerberos
    KrbMethodNegotiate on
    KrbMethodK5Passwd on
    KrbServiceName HTTP/something@REALM
    Krb5Keytab /etc/apache2/keytab
    KrbSaveCredentials on
KrbMethodK5Passwd on: Basic-auth fallback; the browser sends the password to the web server, which checks it against the KDC. Only ever over TLS, and it gives up the SSO benefit, so leave it off unless you must.
KrbServiceName: only use this if you must; the default is derived from the host name.
Krb5Keytab: better use a separate keytab containing only the HTTP/ key, so a compromised web server does not expose other services' keys.
KrbSaveCredentials on: if the client allows delegation, its credentials are transferred to the web server; you can then use the TGT stored in the $KRB5CCNAME file, which is destroyed at the end of the request. Delegation hands the web server a usable copy of the user's TGT, so enable it only for applications that really need to act on the user's behalf.
mod_auth_kerb is no longer maintained; mod_auth_gssapi is its maintained successor.
Goals
1 Set up an MIT Kerberos KDC
2 Use GSSAPI auth on an SSH server
3 Set up a kerberized web server
4 Change the web server to authenticate against an Active Directory server