Kerberos and Single Sign-On With HTTP -...
Transcript of Kerberos and Single Sign-On With HTTP -...
![Page 1: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/1.jpg)
Kerberos and Single SignOn with HTTP
Joe OrtonRed Hat
![Page 2: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/2.jpg)
Overview
• Introduction• The Problem• Current Solutions• Future Solutions• Conclusion
![Page 3: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/3.jpg)
Introduction
• WebDAV: common complaint of poor support for authentication in HTTP
• Kerberos is “the” network authentication protocol
![Page 4: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/4.jpg)
The Problem
• How to integrate HTTP servers into a Kerberos infrastructure?
• Single SignOn: reducing the number of times people enter passwords
• Ideal: user authentication happens exactly once per “session”
![Page 5: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/5.jpg)
Session Scope
• Never have to authenticate to any individual server
• Never have to authenticate to use any particular service (protocol)
![Page 6: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/6.jpg)
Problem Scope
• Covering intranet/enterprise/organisationwide HTTP authentication
• Out of scope: SSO for “The Web”• In scope? Proxy authentication
![Page 7: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/7.jpg)
OneSlideGuide to Kerberos• Shared secret keys, a trusted thirdparty
(KDC), and symmetric key encryption• KDC authenticates user, gives out “TGT”• Using TGT, client obtains “ticket” from
KDC encrypted with service's secret key• Client can prove user identity to a service
![Page 8: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/8.jpg)
Why is this so difficult?
• Traditional Internet protocols (e.g. SMTP, IMAP, ...) all support Kerberos authentication
• Why is HTTP different?
![Page 9: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/9.jpg)
• Strong authentication is not much use without message integrity, and probably also confidentiality
• Integrity/confidentiality = transport layer• HTTP authentication is independent of the
transport layer; unlike SMTP, POP3, ...
Authentication and Security
![Page 10: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/10.jpg)
Current Solutions
• Stanford WebAuth: forms and cookies• HTTP “Basic” authentication• HTTP “Negotiate” authentication
![Page 11: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/11.jpg)
Stanford WebAuth
• Based on forms+cookie• Tokenpassing via browser redirects
between web server and “WebKDC”• Kerberos credentials passed to WebKDC
via HTML form• WebKDC authenticates as user to KDC
![Page 12: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/12.jpg)
WebAuth protocol
User Agent
User Agent
Web Server
GET /private
302 RedirectLocation: http://webkdc.example.com/...
![Page 13: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/13.jpg)
WebAuth protocol 2
User Agent
User Agent
WebKDC
GET /authenticateme
200 OK + HTML form
![Page 14: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/14.jpg)
WebAuth protocol 3
User Agent
User Agent
WebKDC
POST /authenticateme
302 RedirectLocation: http://origin.example.com/privateSetCookie: blah
WebKDC KDC
![Page 15: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/15.jpg)
WebAuth analysis
• “Application level” solution• Cookies + HTML != HTTP authentication• Requires a real web browser: won't work
with generic WebDAV clients• Requires SSL for submitting credentials, for
maintaining secure sessions
![Page 16: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/16.jpg)
WebAuth analysis 2
• Training users to enter Kerberos credentials into web forms is Very Bad™ - phishing
• Session scope: within one web browser but then covers all servers
• Cannot authenticate to proxies• Session termination? Flush cookies
![Page 17: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/17.jpg)
Kerberos via Basic Auth
• Use standard HTTP Basic authentication• Client sends Kerberos credentials as normal
Basic auth credentials• Web server authenticates as user directly to
KDC; custom server extension needed e.g. mod_auth_kerb
•
![Page 18: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/18.jpg)
GET /secret/ HTTP/1.1
HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm=”Blah”
GET /secret/ HTTP/1.1
Authorization: Basic QWxuIHNlc2FZQ==
HTTP/1.1 200 OK
Kerberos via Basic, on the wire
![Page 19: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/19.jpg)
Kerberos via Basic, analysis
• Simple to set up• Works with any HTTP client (e.g. DAV)• Requires SSL for entire session• Can authenticate to proxies, but insecurely –
cleartext only to proxy
![Page 20: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/20.jpg)
Kerberos via Basic, analysis 2
• Session scope: one web browser, one server• Training users to enter credentials into HTTP
authentication dialogs is also Very Bad™
• Session termination: flush cached credentials
![Page 21: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/21.jpg)
The “Negotiate” Scheme• New HTTP authentication scheme (kind of)• Written by Microsoft; ID published 2001• Became “Informational” RFC 4559 in 2006 • Uses GSSAPI token exchange, wraps
Kerberos protocol over the wire• Custom server, client extension
![Page 22: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/22.jpg)
Negotiate: Protocol trace1. GET /secret/ HTTP/1.1
2. HTTP/1.1 401 Unauthorized
WWW-Authenticate: Negotiate [token]
3. GET /secret/ HTTP/1.1
Authorization: Negotiate Y.....Q==
[goto 2, or...]
HTTP/1.1 200 OK
![Page 23: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/23.jpg)
Implementing Negotiate
• Supported at HTTP protocol level; works with WebDAV etc
• Implemented by Firefox, MSIE• Requires SSL to secure the connection• Could almost work with proxies
![Page 24: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/24.jpg)
Negotiate analysis
• Even the name is bad• Perconnection authentication!• Breaks RFC2617 challenge grammar• Abuses RFC2617 headers
![Page 25: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/25.jpg)
Negotiate analysis 2
• Real Single SignOn!• Session scoped to all servers, all services• Session termination dictated by systemwide
Kerberos session
![Page 26: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/26.jpg)
mod_auth_kerb
• Module for Apache httpd 1.3/2.x• Maintained by Daniel Kouril, BSDy license• Version 5.0 released August 2006, first non
beta release• Supports both Negotiate and Kerberosover
Basic authentication
![Page 27: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/27.jpg)
mod_auth_kerb Configuration
• Obtain a service key from the KDC• Name, for example:HTTP/[email protected]
• Service key in keytab – check permissions!• Load module and add access control
configuration, either httpd.conf or .htaccess
![Page 28: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/28.jpg)
Access control Configuration
<Location /private> AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate On KrbMethodK5Passwd Off ...
![Page 29: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/29.jpg)
Access control continued
KrbAuthRealms EXAMPLE.COM Krb5KeyTab /etc/httpd/conf/keytab require validuser SSLRequireSSL</Location>
![Page 30: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/30.jpg)
Client configuration
• Firefox:
• MSIE should work within “Intranet zone”
![Page 31: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/31.jpg)
Conclusion
• Strong authentication as an HTTP authentication scheme alone is not enough
• “Negotiate” is a practical if flawed solution for Kerberos Single SignOn with HTTP
• But must be used over SSL
![Page 32: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/32.jpg)
Future Solutions
• A better Negotiate• RFC2712: TLS with Kerberos ciphersuites• Implemented in OpenSSL; no deployment• A “GSSAPI Transport Layer” for HTTP?• Implement via Upgrade: header (RFC2817)
![Page 33: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/33.jpg)
Resources
• http://webauth.stanford.edu/• http://modauthkerb.sourceforge.net/• http://www.ietf.org/rfc/rfc4559.txt• http://www.ietf.org/rfc/rfc2712.txt• These slides:
http://people.apache.org/~jorton/ac06us/
![Page 34: Kerberos and Single Sign-On With HTTP - home.apache.orgpeople.apache.org/~jorton/ac06us/presentation.pdfJoe Orton Red Hat Overview • Introduction • The Problem • Current Solutions](https://reader035.fdocuments.us/reader035/viewer/2022071412/610896d005438726620532a5/html5/thumbnails/34.jpg)
Q&A
Any questions?