Copyright © 2002 Legato Systems, Inc.

Authentication Version 1

Katrina Illari

d1614

03 June 2005

Legato Confidential


Introduction

Prerequisites for attending this TOI session

Overview and Benefits of the new feature

Installation considerations

How to configure/enable the feature

Using the feature

Licensing considerations

Architecture and internal Design

Debugging techniques and tips

Questions and Answers


Prerequisites

Audience should understand basic NetWorker administration, including the use of resources to configure and monitor NetWorker’s operation.


Overview and Benefits

What problems are being solved

• The current authentication scheme used by NetWorker is rather weak.

How it's being solved

• This feature introduces authentication through SSL and a trusted authentication daemon.


Overview and Benefits (cont.)

The feature adds a new authentication method called GSS Legato v1.

The authentication flavor for this new method is called RPCSEC_GSS. RPCSEC_GSS is a standard which describes how to use a GSS-API library with RPC (GSS-API is itself another standard).

We implemented a GSS-API library that talks to a trusted daemon (nsrexecd) to get credentials.


Overview and Benefits (cont.)

Backwards compatibility or security?

• In order for NetWorker to be secure, the older authentication methods should be disabled.

• In order for NetWorker to be backwards compatible with other versions of NetWorker, the older authentication methods should still be allowed.

Answer: Let the user decide which one they want.

• The user can select which authentication methods are allowed on a per-network/per-host basis.


Overview and Benefits (cont.)

Other changes to consider:

• Nsrexecd is now multithreaded and there is only one nsrexecd process running at a time (on Unix and Windows).

• The nsrla.res file is replaced by the nsrladb directory structure. This directory has a similar structure to the nsrdb directory structure.


Overview and Benefits (cont.)

System requirements to use the feature:

• In order to use the new authentication mechanism, the NetWorker client, NetWorker server, and NetWorker storage node that the client uses must be using NetWorker 7.3 or later.

Where to learn more

• Doc repository, d1614


Installation Considerations

Changes to installation

• No visible changes to installation prompts.

• New binaries installed: None.

• Special processing that will occur during installation: None.


Configuring the Feature

There are a number of new resources and attributes in nsrexecd’s RAP database (nsrladb).

There are some new attributes in the “NSRLA” resource.

There is a new resource called “NSR peer information”.

There is a new keyword for all administrator lists, the remote access list and the users attribute in the NSR usergroup resource.


Configuring the Feature (cont.)

NSRLA: “auth methods” attribute:

• Used to specify which authentication methods should be used to communicate with a peer.

• Applies to NetWorker clients, servers, and storage nodes.

• The attribute is multiple valued and each value must have the following format: “IP/mask,auth1/auth2/…”. auth1 and auth2 are the allowed auth methods; the allowed values are nsrauth and oldauth. The mask is not required.

• Example: “137.69.168.22,nsrauth”

• Example: “137.69.168.0/24,nsrauth”

• Example: “137.69.0.0/255.255.0.0,nsrauth/oldauth”

• Important: The attribute is order dependent! The first match that is found in the list is the one that is used.


Configuring the Feature (cont.)

NSRLA: name, NetWorker Instance ID, certificate, private key.

• The name and NetWorker Instance ID attributes are used to identify a machine.

• The certificate and private key are used to authenticate a machine.

• Important: If this information is lost, then the machine will not be able to authenticate to other machines using the GSS Legato v1 authentication method!

• If you do lose the information, then things can still be fixed so that GSS Legato v1 authentication will work again. The steps to fix the issue are rather tedious though…


Configuring the Feature (cont.)

NSRLA: NW instance info operations, NW instance info file

• These values are used to change the identification and authentication information (name, private key, etc.)

• There are three values that you can set “NW instance info operations” to: “export”, “import”, and “new keys”.

• Export: export all attributes required for identification and authentication. The file name where the attributes will be exported is expected in the NW instance info file attribute.

• Import: import all attributes required for identification and authentication. The file name where the attributes will be read from is expected in the NW instance info file attribute.

• New Keys: Use this value to reset the private key and certificate. The name and NetWorker Instance ID attributes will not be reset.


Configuring the Feature (cont.)

NSR peer information resource

• This resource is generated and updated by the system.

• It is used to store the peer’s certificate and identification information.

• The resource is in nsrexecd’s RAP database.

• The resource is used on NetWorker clients, servers and storage nodes.

• The resource attributes are: name, NetWorker Instance ID, certificate, Change certificate, certificate file to load.

• Change certificate: used to load/clear a certificate for a particular client manually.

• To manually load a certificate, set the “Change certificate” attribute to “Load certificate from file” and then set the “Certificate file to load” attribute to the file name which contains the certificate in PEM format.

• To clear a certificate, either delete the whole resource for the peer or change the “Change certificate” attribute to “Clear certificate”.


Configuring the Feature (cont.)

New keyword for all administrator lists, the remote access list and the users attribute in the NSR usergroup resource:

• Currently for these attributes, one can specify a user by entering a series of comma separated name=value criteria that the user has to match: user=username,host=hostname

• Current keywords are: user, host, domain, group, isroot, domaintype, domainsid, usersid, and domainpdc.

• The value of the host keyword can only be authenticated using DNS lookups of your incoming IP address.

• A new keyword was added, called nwinstname or nwinstancename. This value can be authenticated using the SSL certificates (so it is more secure to use this keyword than the host keyword).

• The value of this keyword should be set to the “name” value in the NSRLA resource of the machine that the user is logging in from.


Using the Feature: changes

After configuring the feature, few additional steps are needed to use it.

Important: If the NSRLA resource gets deleted (by deleting the /nsr/res/nsrladb directory or Windows equivalent), then GSS Legato authentication will fail to function correctly.

The next slide will concentrate on how to recover from deleting the NSRLA resource.


Using the Feature : changes (cont.)

What to do if you deleted your NSRLA resource?

• If you know beforehand that you need to delete this resource, then first export it using the “NW instance info operations” attribute. Then re-import the information afterwards.

• I would recommend that this export operation be performed as soon as NetWorker is installed/upgraded, and that the resulting export file then be treated with the care that the user gives to their ssh key.


Using the Feature : changes (cont.)

What if NSRLA was deleted and the authentication/identification information was not saved?

• Then you have to go to all of the machines that your machine communicated with and either delete the NSR peer information resource for your machine, or clear the certificate for your machine.

• This operation can be done using nsradmin or NMC.

• The user doing it must be in the administrator’s list for the NSR peer information resource.


Using the Feature : changes (cont.)

If NSRLA gets deleted and the previous instructions were not followed, what would happen?

• GSS Legato v1 authentication will not be used.

• If the remote machines do not allow the older authentication methods, then authentication with those machines will fail.

• You will see the following error message in the remote machine’s daemon.log file: ‘07/11/05 18:26:34 nsrexecd: SYSTEM error: There is already a machine using the name: "nightshade". Either choose a different name for your machine, or delete the "NSR peer information" entry for "nightshade" on host: "shadow" (severity 5, number 13)’

• In my example error message, I deleted the NSRLA resource on machine nightshade and then tried to communicate with machine shadow. The error message appeared in shadow’s daemon.log file.


Licensing Considerations

No changes in licensing model.


Questions and Answers

Any questions that have not been answered yet?


Architecture and Internal Design

How do the TCP client and daemon decide which authentication method will be used?

The client binary first checks which authentication methods it should use to contact a particular host.

• This information is retrieved at program startup (for all hosts) from nsrexecd.

It will then try each authentication method in order of most secure to least secure until it finds one that works, or it runs out of methods that it should try.


Architecture and Internal Design (cont.)

Daemons also look up the authentication methods that they are allowed to use when communicating with different machines at startup.

When a daemon receives an incoming connection it checks which authentication method the client is using.

• If it is using an allowed authentication method (for that host), then it will allow the RPC to be processed.

• If it is using an authentication method that is not allowed, then the daemon will return an RPC error without ever looking at the RPC contents.
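As an added example (not Legato's code), the following Python models the first-match evaluation of the “auth methods” attribute from the Configuring the Feature slides, the client's most-secure-first ordering, and the daemon-side accept/reject check just described. Helper names are hypothetical, the attribute values are constructed in the slide's own format, and it is assumed that nsrauth (the new GSS Legato v1 method) ranks above oldauth.

```python
# Added example, not Legato's code. Models the NSRLA "auth methods" attribute
# ("IP/mask,auth1/auth2/..."), its first-match rule, the client's try order
# and the daemon's pre-RPC check. Names are hypothetical.
import ipaddress

# Assumption: nsrauth (GSS Legato v1) is the more secure method, oldauth the
# weaker one, so a client tries them in this order.
METHOD_ORDER = ("nsrauth", "oldauth")


def parse_auth_methods(values):
    """Parse each "IP/mask,auth1/auth2/..." value into (network, methods).
    The mask may be a prefix length, a dotted mask, or absent (single host).
    List order is preserved because the attribute is order dependent."""
    entries = []
    for value in values:
        addr_part, _, methods_part = value.partition(",")
        if not methods_part:
            raise ValueError(f"missing auth method list in {value!r}")
        network = ipaddress.ip_network(addr_part.strip(), strict=False)
        methods = []
        for method in methods_part.split("/"):
            method = method.strip()
            if method not in METHOD_ORDER:
                raise ValueError(f"unknown auth method {method!r} in {value!r}")
            methods.append(method)
        entries.append((network, tuple(methods)))
    return entries


def allowed_methods(entries, peer_ip):
    """Methods of the FIRST matching entry, or () when nothing matches."""
    ip = ipaddress.ip_address(peer_ip)
    for network, methods in entries:
        if ip in network:
            return methods
    return ()


def client_try_order(entries, peer_ip):
    """Order in which a client binary tries methods against peer_ip:
    most secure first, restricted to what the attribute allows."""
    allowed = allowed_methods(entries, peer_ip)
    return tuple(m for m in METHOD_ORDER if m in allowed)


def daemon_accepts(entries, peer_ip, method_used):
    """Daemon-side check made before the RPC contents are looked at."""
    return method_used in allowed_methods(entries, peer_ip)


# Constructed attribute values in the slide's format. Note the ordering trap:
# the broad /16 entry is listed BEFORE the /24 entry, so hosts in
# 137.69.168.0/24 (other than .22) get oldauth allowed through the /16 line
# and the stricter /24 line never matches. First match wins.
SAMPLE_ATTR = [
    "137.69.168.22,nsrauth",
    "137.69.0.0/255.255.0.0,nsrauth/oldauth",
    "137.69.168.0/24,nsrauth",
]
ENTRIES = parse_auth_methods(SAMPLE_ATTR)

if __name__ == "__main__":
    for peer in ("137.69.168.22", "137.69.168.40", "10.0.0.5"):
        print(peer, "client tries:", client_try_order(ENTRIES, peer))
    print("daemon accepts oldauth from 137.69.168.22:",
          daemon_accepts(ENTRIES, "137.69.168.22", "oldauth"))
```

Reordering the list so the /24 entry precedes the /16 entry is what makes the stricter rule take effect; a review of the attribute should always read it top to bottom as the daemon does.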


Architecture and Internal Design (cont.)

GSS Legato v1 design overview:

• Users are authenticated using the file system.

• Machines are authenticated using SSL and self-signed certificates.


Architecture and Internal Design (cont.)

GSS Legato v1 design details:

• When a client binary needs to get authenticated, it gathers information about the user running it and the groups that user belongs to using operating system calls.

• It sends this information to the local nsrexecd along with information about who it wants to contact (hostname, program number, and version number).

• The local nsrexecd verifies that the user belongs to all of the groups that they claim to belong to.


Architecture and Internal Design (cont.)

GSS Legato v1 design details (cont.):

• If the user wants to communicate with a remote daemon:

• Nsrexecd opens a connection with the nsrexecd on the machine where the daemon is.

• Both nsrexecds send their NetWorker Instance IDs.

• Then each nsrexecd looks to see if it already has a certificate for the remote nsrexecd.

– If it does, then that certificate is used to authenticate the connection.

– If it does not, then the nsrexecd requests that the peer send the certificate.


Architecture and Internal Design (cont.)

GSS Legato v1 design details (cont.):

• If the user wants to communicate with a remote daemon (cont.):

• Once the certificate negotiations are done, the nsrexecds will change the channel to an SSL channel using the certificates to authenticate the connection.

• The local nsrexecd will send the user identification information and generate and send half of each session key.

• The remote nsrexecd will then look up the privileges that the user has and generate the other half of each session key.

• The privilege information and session key halves that the remote nsrexecd generated are sent back to the local nsrexecd.


Architecture and Internal Design (cont.)

GSS Legato v1 design details (cont.):

• If the user wants to communicate with a local daemon:

• The local nsrexecd just looks up the user’s privilege information (the SSL connection is not needed). It also generates the session keys.

• After both nsrexecds have the privilege information, user identification, and session keys, all the information to create a session is available.

• Now all that needs to be done is user authentication.


Architecture and Internal Design (cont.)

GSS Legato v1 design details (cont.):

• User authentication.

• Now, all of the session information: the session keys, the session id, the user identification and privileges are stored in a file in /nsr/tmp/sec.

• This file is a temporary file which is only readable by the user that requested authentication.

• The user is required to open the file and use the session keys to authenticate to nsrexecd.

• If this is not done in one minute, then the authentication has failed and the file is removed.

• If the operation is completed before the minute is up, then authentication has succeeded (so far). The local nsrexecd tells the remote nsrexecd that the authentication succeeded.


Architecture and Internal Design (cont.)

GSS Legato v1 design details (cont.):

• Then the client binary takes the session ID and sends it to the daemon that it wants to talk to.

• The daemon uses the session ID to look up the rest of the session information in the local nsrexecd.

• The session keys are used to produce an HMAC of the RPC header.

• The daemon verifies the HMACs. If the HMAC is not correct, then the RPC is rejected before being processed.
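As an added example (not Legato's code), this Python models the user-authentication step on the last two slides: session material handed to the user through a file only that user can read, the one-minute window, and the HMAC over the RPC header that lets the daemon reject a request before processing it. HMAC-SHA256, concatenating the two key halves and treating the RPC header as an opaque byte string are assumptions not stated on the slides; all names are hypothetical. Call run_demo() to exercise the whole flow.

```python
# Added example, not Legato's code. Assumptions not on the slides: HMAC-SHA256,
# key halves are concatenated, the RPC header is an opaque byte string.
import hashlib
import hmac
import os
import secrets
import tempfile
import time

SESSION_TIMEOUT_SECONDS = 60  # slide: "if this is not done in one minute"


class SessionStore:
    """Stands in for the local nsrexecd's table of sessions."""
    def __init__(self, now=time.time):
        self._now = now        # injectable clock so expiry can be tested
        self._sessions = {}    # session_id -> (key, created_at, user, privs)

    def create_session(self, user, privileges):
        """Each nsrexecd contributes half the key (halves concatenated)."""
        local_half = secrets.token_bytes(16)   # local nsrexecd's half
        remote_half = secrets.token_bytes(16)  # remote nsrexecd's half
        session_id = secrets.token_hex(8)
        self._sessions[session_id] = (local_half + remote_half, self._now(),
                                      user, privileges)
        return session_id, local_half + remote_half

    def lookup(self, session_id):
        """Daemon-side lookup; a session past the one-minute window is dropped."""
        entry = self._sessions.get(session_id)
        if entry is None:
            return None
        key, created_at, user, privileges = entry
        if self._now() - created_at > SESSION_TIMEOUT_SECONDS:
            del self._sessions[session_id]
            return None
        return key, user, privileges


def write_session_file(directory, session_id, key):
    """Session file readable only by its owner (0600), created exclusively."""
    path = os.path.join(directory, f"sec.{session_id}")
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(key)
    return path


def sign_rpc_header(key, header):
    """Client side: HMAC of the RPC header under the session key."""
    return hmac.new(key, header, hashlib.sha256).digest()


def daemon_verify(store, session_id, header, mac):
    """Daemon side: reject (False) on unknown/expired session or bad HMAC,
    before the RPC body is ever processed; comparison is constant time."""
    entry = store.lookup(session_id)
    if entry is None:
        return False
    key, _user, _privileges = entry
    return hmac.compare_digest(sign_rpc_header(key, header), mac)


def run_demo(now=time.time):
    """Exercise the flow end to end and return the outcomes."""
    store = SessionStore(now)
    sid, key = store.create_session("alice", ("backup",))
    with open(write_session_file(tempfile.mkdtemp(), sid, key), "rb") as f:
        file_key = f.read()   # what the user reads back from the session file
    header = b"constructed-rpc-header"  # constructed stand-in, not a real header
    mac = sign_rpc_header(key, header)
    return {"file_matches": file_key == key,
            "accepted": daemon_verify(store, sid, header, mac),
            "tampered": daemon_verify(store, sid, header + b"!", mac),
            "unknown_session": daemon_verify(store, "0" * 16, header, mac)}
```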


Debugging Techniques and Tips

How to obtain debugging or tracking information

• Using higher debug levels like “-D 3” on processes can be very enlightening.

• Nsrexecd is particularly useful to run at higher debug levels.

• Level 1 will cause more messages to be printed out for fatal errors.

• Level 3 will cause most useful messages to be printed out.

• No messages for this feature have higher debug level than 10.


Debugging Techniques and Tips (cont.)

Don’t delete the NSRLA resource (by deleting /nsr/res/nsrladb or the Windows equivalent).

• Customers may not be expecting the consequences of deleting this resource.

When looking for error messages, be sure to check the daemon.log file on all of the machines.

• For security reasons, sometimes an error will be printed in the NetWorker client’s daemon.log and other times it will be printed in the server’s or storage node’s daemon.log.

• Sometimes a short, non-detailed message will appear on one machine and a more detailed message will appear on the machine it is trying to communicate with.

The error messages and their meaning will be documented in the error message guide.


Debugging Techniques and Tips (cont.)

New debugging tools

• dbgcommand -p <pid> Debug=<value>


Known Issues and Limitations

Known issues and/or bugs

Limitations

• If your NSRLA resource gets deleted and you do not have a backup of your authentication/identification information, then you will have to do some work to be able to talk to other NetWorker machines again.


Questions and Answers

Any questions that have not been answered yet?


Demonstration

Demonstrate:

• Updating the auth methods attribute.

• Updating the administrator’s list to specify a user by NetWorker instance name.

• A save using GSS Legato v1 authentication (use debug mode to show what is going on).


Questions and Answers

Any questions that have not been answered yet?

Thanks for attending