Kerberos: The Network Authentication Protocol

Upload: open-source-school

Post on 12-Feb-2017

Page 1: Kerberos: The Network Authentication Protocol

Kerberos

The Network Authentication Protocol

Page 2: Kerberos: The Network Authentication Protocol

The first school 100% dedicated to open source

Open Source School was founded at the initiative of Smile, the leader in open source integration and managed services, and of EPSI, a private institution and pioneer of higher education in computer science.

Under the Programme d'Investissements d'Avenir (PIA), the French government decided to support the creation of this school by granting it initial funding of €1.4M, confirming its intention to support the free software sector, which is currently growing rapidly.

With annual growth of over 10% and 4,000 unfilled positions every year in the free software sector, OSS aims to address the sector's skills shortage by mobilising the whole ecosystem and offering the widest range of training in open source technologies, in both initial and continuing education.

Page 3: Kerberos: The Network Authentication Protocol

Training for full employment!

Continuing Education

Open Source School "Executive Education" is an accredited training organisation offering a catalogue of over 200 professional courses and various retraining schemes enabling a return to employment (POE) or better employability for many IT professionals.

For enquiries: [email protected]

Initial Education

100% free software and 100% work-study, the Open Source School curriculum is based on EPSI's skills-block framework. It leads to a Level I RNCP qualification (Bac+5). The programme is offered on 6 campuses: Bordeaux, Lille, Lyon, Montpellier, Nantes and Paris.

Page 4: Kerberos: The Network Authentication Protocol

Our training areas

Page 5: Kerberos: The Network Authentication Protocol

Plan

1 The Kerberos Protocol

2 Kerberos implementations (MIT Kerberos 5, Active Directory)

3 Kerberos for web applications

4 Lab

www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 2/25

Page 6: Kerberos: The Network Authentication Protocol

Network Authentication

Today, most authentication protocols consist of:

the client sends its login (in clear)

the client sends its password (in clear)

the server checks the login/password against its database

Problems:

cleartext (enclosing the whole session in TLS mitigates this)

you need to authenticate every time you use a service

every server needs an up-to-date copy of the password database

Page 7: Kerberos: The Network Authentication Protocol

Enter Kerberos

Kerberos is:

an authentication mechanism

NOT a directory

NOT an authorization mechanism

centralized: only one password database, servers no longer store passwords

security-focused: it can run safely over insecure networks (eavesdropping, replay...)

SSO: you only use your password once

Page 8: Kerberos: The Network Authentication Protocol

The big picture

Page 9: Kerberos: The Network Authentication Protocol

Kerberos and the DNS

Kerberos relies on DNS to find servers and principals

Which realm a particular host belongs to:

    _kerberos.part.of.fqdn TXT "KERBEROS.TLD"

What servers to contact for this realm:

    _kerberos._udp.realm        SRV 0 0 88  krbsrv
    _kerberos-master._udp.realm SRV 0 0 88  krbsrv
    _kerberos-adm._tcp.realm    SRV 0 0 749 krbsrv
    _kpasswd._udp.realm         SRV 0 0 464 krbsrv

Kerberos uses reverse DNS to find the principal attached to a host

Page 10: Kerberos: The Network Authentication Protocol

Vocabulary

Ticket : cryptographic material exchanged by parties

TGT : Ticket-Granting Ticket

ST : Service Ticket

KDC : Key Distribution Server

AS : Authentication Server (grants TGT)

TGS : Ticket-Granting Server (grants ST)

SS : Service Server

principal : identifier of a secret

keytab : holds cryptographic material on SS

Page 11: Kerberos: The Network Authentication Protocol

Cross-realm authentication

0 A secret is exchanged between the two KDCs

1 The client gets a TGT for the server's KDC from its own KDC

2 The client gets an ST from the server's KDC, using this TGT

3 The client authenticates to the server using this ST

Page 12: Kerberos: The Network Authentication Protocol

Prerequisites, best practices

All clocks must be in sync

forward and reverse DNS have to be consistent, and have to match the server's hostname

no NAT
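The exchanges named in the vocabulary slide (the AS grants the TGT, the TGS grants the ST, the service server checks it against its keytab) and the clock-sync prerequisite above, as an added Python example that is not part of the original deck. Every name, key and timestamp in it is constructed; seal()/open_sealed() is a toy encrypt-then-MAC built from hashlib/hmac that stands in for the real Kerberos encryption types, and the realm FORMATION.TLD is the one the deck's client config uses.

```python
"""Toy model of the three Kerberos exchanges: AS (TGT), TGS (service ticket), AP.

Constructed example: principals, keys and timestamps are made up, and
seal()/open_sealed() is a toy encrypt-then-MAC standing in for the real ciphers.
"""
import hashlib
import hmac
import json
import os

MAX_SKEW = 300          # seconds of clock drift a KDC or service tolerates
TICKET_LIFE = 8 * 3600  # ticket validity in seconds

def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hashlib.sha256(key + nonce + ctr.to_bytes(4, "big")).digest()
        ctr += 1
    return out[:n]

def seal(key, obj):
    """Toy authenticated encryption of a JSON object (XOR keystream + HMAC tag)."""
    nonce = os.urandom(16)
    pt = json.dumps(obj, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def open_sealed(key, blob):
    """Inverse of seal(); fails closed on a wrong key or a modified blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("bad MAC: wrong key or tampered ticket")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def check_authenticator(auth, ticket, now):
    """Checks every ticket consumer performs, TGS and service alike."""
    if ticket["expires"] < now:
        raise ValueError("ticket expired")
    if abs(auth["timestamp"] - now) > MAX_SKEW:
        raise ValueError("clock skew too large: sync your clocks")
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket")

class KDC:
    """AS and TGS roles; the only place long-term keys live (one password database)."""
    def __init__(self, realm):
        self.tgs_name = "krbtgt/" + realm
        self.db = {self.tgs_name: os.urandom(32)}   # key that seals TGTs

    def as_exchange(self, user, now):
        """AS-REQ/AS-REP: TGT sealed for the TGS, reply sealed for the user."""
        sk = os.urandom(32).hex()
        tgt = seal(self.db[self.tgs_name],
                   {"client": user, "session_key": sk, "expires": now + TICKET_LIFE})
        return tgt, seal(self.db[user], {"session_key": sk, "server": self.tgs_name})

    def tgs_exchange(self, tgt, authenticator, service, now):
        """TGS-REQ/TGS-REP: validate TGT and authenticator, issue a service ticket."""
        t = open_sealed(self.db[self.tgs_name], tgt)
        tgs_sk = bytes.fromhex(t["session_key"])
        check_authenticator(open_sealed(tgs_sk, authenticator), t, now)
        sk = os.urandom(32).hex()
        st = seal(self.db[service],
                  {"client": t["client"], "session_key": sk, "expires": now + TICKET_LIFE})
        return st, seal(tgs_sk, {"session_key": sk, "server": service})

class Service:
    """Service server (SS): holds only its keytab key, never a user password."""
    def __init__(self, keytab_key):
        self.key, self.seen = keytab_key, set()

    def ap_exchange(self, st, authenticator, now):
        t = open_sealed(self.key, st)
        a = open_sealed(bytes.fromhex(t["session_key"]), authenticator)
        check_authenticator(a, t, now)
        if (a["client"], a["timestamp"]) in self.seen:   # replay cache
            raise ValueError("replayed authenticator")
        self.seen.add((a["client"], a["timestamp"]))
        return t["client"]

def make_authenticator(session_key, client, now):
    return seal(session_key, {"client": client, "timestamp": now})

def sso_demo(now=1700000000):
    """kinit once, then reach a service with tickets only; returns (who, replay_blocked)."""
    realm = "FORMATION.TLD"
    user, svc = "alice@" + realm, "HTTP/www.mylan@" + realm
    kdc = KDC(realm)
    kdc.db[user] = hashlib.sha256(b"constructed-password").digest()  # password-derived key
    kdc.db[svc] = os.urandom(32)                                      # exported to the keytab
    web = Service(kdc.db[svc])
    tgt, rep = kdc.as_exchange(user, now)                   # 1. the password is used once here
    tgs_sk = bytes.fromhex(open_sealed(kdc.db[user], rep)["session_key"])
    st, rep2 = kdc.tgs_exchange(tgt, make_authenticator(tgs_sk, user, now), svc, now)  # 2.
    svc_sk = bytes.fromhex(open_sealed(tgs_sk, rep2)["session_key"])
    auth = make_authenticator(svc_sk, user, now)            # 3. AP-REQ to the service
    who = web.ap_exchange(st, auth, now)
    try:
        web.ap_exchange(st, auth, now)                       # same AP-REQ presented again
        replay_blocked = False
    except ValueError:
        replay_blocked = True
    return who, replay_blocked
```

Running sso_demo() shows the properties the slides list: the user's key is touched once, in the AS exchange; the web service holds only its keytab key and learns the user's identity from the ticket, never from a password; presenting the same authenticator twice is rejected by the replay cache; and an authenticator whose timestamp is more than MAX_SKEW seconds off fails check_authenticator, which is what "all clocks must be in sync" is about.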


Page 15: Kerberos: The Network Authentication Protocol

MIT Kerberos 5

Overview

Reference Kerberos implementation since the 1980s

Supports domain trusts and master-slave (delayed) replication

Can use LDAP backend

MIT KDC can be trusted by a Windows domain

MIT client can login to a Windows domain

Page 16: Kerberos: The Network Authentication Protocol

MIT Kerberos 5

MIT server

krb5kdc : the KDC, distributes tickets and TGTs; can be replicated

kadmind : server for admin operations, including password changes; only one instance

kadmin.local : local Kerberos administration

Page 17: Kerberos: The Network Authentication Protocol

MIT Kerberos 5

MIT client

kadmin : remote kerberos administration

kinit/kdestroy : get TGT / destroy all tickets

kpasswd : change password

klist : list current tickets

ktutil : keytab operations

Page 18: Kerberos: The Network Authentication Protocol

MIT Kerberos 5

MIT client config

    [libdefaults]
        default_realm = FORMATION.TLD

    [realms]
        FORMATION.TLD = {
            kdc = 192.168.0.2
            admin_server = 192.168.0.2
        }

    [domain_realm]
        .mylan = FORMATION.TLD


Page 20: Kerberos: The Network Authentication Protocol

Active Directory

Overview

Active Directory uses Kerberos for SSO

EEE at first, got better since

Kerberos is tightly integrated into AD

Workstations usually login to AD

Can export keytab for third-party applications

Page 21: Kerberos: The Network Authentication Protocol

Active Directory

Built-in

Every AD domain has a KDC and a principal database

Users get a TGT when they log in

Kerberos is preferred over NTLM for SSO in the domain

However, when Kerberos fails, NTLM is used as a fallback

Samba in ADS security configuration can use AD Kerberos

Apache with mod_auth_kerb can use AD Kerberos

Page 22: Kerberos: The Network Authentication Protocol

Active Directory

Creating principals

Creating a user automatically creates a new login@domain principal

To create a service principal, you must create a dummy account

Samba works around this using the machine account it is linked to

use ktpass to assign a principal to a user and generate a keytab for MIT


Page 24: Kerberos: The Network Authentication Protocol

HTTP-Negotiate

SPNEGO/GSSAPI/Kerberos

Supported in major browsers

Server sends 401 with WWW-Authenticate: Negotiate

Client sends its service ticket along with the request

Every request has to be sent twice

Page 25: Kerberos: The Network Authentication Protocol

Guidelines

The application needs to be modified

You should only configure Kerberos auth on the login form

Alternatively: set up CAS+Kerberos

Kerberos is only auth: you need something else to find info about the user (LDAP, internal db...)

If you integrate with AD: you will need a server keytab

PHP: Apache mod_auth_kerb

Tomcat/JBoss: JAAS
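The Negotiate round trip of the previous slide (401 challenge, then the same request again carrying the token) together with the guideline of wiring Kerberos to the login form only, as an added Python example that is not part of the original deck. accept_token() is a constructed HMAC check standing in for the GSSAPI token acceptance a real server such as mod_auth_kerb performs with its keytab; the App class, the sid cookie and the principal alice@FORMATION.TLD are made up for the example.

```python
"""Model of an HTTP Negotiate login in front of a web application.

Constructed example: accept_token() is an HMAC stand-in for SPNEGO/GSSAPI
token acceptance; the point is the request flow, not the cryptography.
"""
import base64
import hashlib
import hmac
import secrets

DEMO_SECRET = b"constructed-demo-secret"   # stands in for the HTTP/ service key

def make_token(principal):
    """Client-side stand-in for a SPNEGO token wrapping a service ticket."""
    body = principal.encode()
    tag = hmac.new(DEMO_SECRET, body, hashlib.sha256).hexdigest().encode()
    return body + b"|" + tag

def accept_token(token):
    """Server-side check; returns the authenticated principal or None."""
    body, _, tag = token.rpartition(b"|")
    good = hmac.new(DEMO_SECRET, body, hashlib.sha256).hexdigest().encode()
    return body.decode() if hmac.compare_digest(tag, good) else None

class App:
    def __init__(self):
        self.sessions = {}     # session id -> principal, filled at login only
        self.requests_seen = 0

    def handle(self, path, headers):
        """Returns (status, response headers, body)."""
        self.requests_seen += 1
        if path == "/login":
            return self._negotiate_login(headers)
        # Every other path relies on the application session, not on Kerberos,
        # so those requests are not doubled by a 401 challenge.
        cookie = headers.get("Cookie", "")
        sid = cookie[len("sid="):] if cookie.startswith("sid=") else ""
        principal = self.sessions.get(sid)
        if principal is None:
            return 302, {"Location": "/login"}, ""
        return 200, {}, "user " + principal

    def _negotiate_login(self, headers):
        authz = headers.get("Authorization", "")
        if not authz.startswith("Negotiate "):
            return 401, {"WWW-Authenticate": "Negotiate"}, ""   # the challenge
        try:
            token = base64.b64decode(authz[len("Negotiate "):], validate=True)
        except ValueError:
            return 400, {}, "malformed Negotiate token"
        principal = accept_token(token)
        if principal is None:
            return 401, {"WWW-Authenticate": "Negotiate"}, ""   # bad ticket: challenge again
        sid = secrets.token_urlsafe(32)
        self.sessions[sid] = principal
        return 200, {"Set-Cookie": "sid=" + sid + "; HttpOnly; Secure"}, "user " + principal

def browser_login(app, principal):
    """What a Negotiate-capable browser does: anonymous request, then retry with the token."""
    status, hdrs, _ = app.handle("/login", {})
    if status != 401 or hdrs.get("WWW-Authenticate") != "Negotiate":
        return None
    token = base64.b64encode(make_token(principal)).decode()
    status, hdrs, _ = app.handle("/login", {"Authorization": "Negotiate " + token})
    if status != 200:
        return None
    return hdrs["Set-Cookie"].split(";")[0]     # "sid=..." reused on later requests

def demo():
    """Returns (requests seen, /profile status, /profile body, status for a forged token)."""
    app = App()
    cookie = browser_login(app, "alice@FORMATION.TLD")            # two requests
    status, _, body = app.handle("/profile", {"Cookie": cookie})  # one request
    forged = base64.b64encode(b"bob@FORMATION.TLD|0000").decode()
    bad_status, _, _ = app.handle("/login", {"Authorization": "Negotiate " + forged})
    return app.requests_seen, status, body, bad_status
```

demo() counts four requests: two for the login (the challenge and the retry), one for /profile served from the session, and one rejected forged token. Wiring Negotiate to every path would double every request instead, which is the cost the previous slide points out; keeping it on the login form and handing out an HttpOnly session cookie is how the guideline avoids it.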

Page 26: Kerberos: The Network Authentication Protocol

Apache mod_auth_kerb

apache must be allowed to read the keytab

AuthType Kerberos

KrbMethodNegotiate on

KrbMethodK5Passwd on

KrbServiceName HTTP/something@REALM : only use this if you must

Krb5Keytab /etc/apache2/keytab : better use a separate keytab

KrbSaveCredentials on : if the client allows delegation, its credentials are transferred to the web server; you can then use the TGT stored in the $KRB5CCNAME file, which is destroyed at the end of the request.


Page 28: Kerberos: The Network Authentication Protocol

Goals

1 Set up a MIT Kerberos KDC

2 Use GSSAPI auth on an ssh server

3 Set up a kerberized web server

4 Change the web server to authenticate against an Active Directory server
