Using Kerberos: the fundamentals
Computer/Network Security needs:
• Authentication: who is requesting access
• Authorization: what the user is allowed to do
• Auditing: what the user has done
• Kerberos addresses all of these needs.
The authentication problem:
Authentication
• Three ways to prove identity (shown in increasing strength):
  Something you know
  Something you have
  Something you are
• Kerberos is ‘something you know’, but stronger.
• Fermilab computers that offer login or FTP services over the network cannot accept passwords for authentication.
[Figure: arrow alongside the three factors labelled “Increasing Strength”]
What is Kerberos Good For?
•Verify identity of users and servers
•Encrypt communication if desired
• Centralized repository of accounts (Kerberos uses a ‘realm’ to group accounts)
•Local authentication
•Enforce ‘good’ password policy
•Provide an audit trail of usage
How does Kerberos Work? (Briefly)
• A password is shared between the user and the KDC
•Credentials are called tickets
•Credentials are saved in a cache
•Initial credential request is for a special ticket granting ticket (TGT)
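The four bullets above compress the whole ticket flow; the following toy model, added here as an illustration and not code from the slides, Fermilab or MIT Kerberos, walks through it end to end: the password-derived key is shared only between the user and the KDC and never crosses the network, `kinit` fills a credential cache with a TGT from the AS exchange, the TGT buys a service ticket from the TGS, and the service checks that ticket with its own long-term key. The realm, principal names and passwords are constructed; the "encryption" is a toy encrypt-then-MAC built on HMAC-SHA256 so the script runs on the standard library (real Kerberos uses AES enctypes and ASN.1-encoded messages).

```python
"""Toy Kerberos AS/TGS/AP flow (added example, not MIT Kerberos code).
Toy encryption: HMAC-SHA256 keystream XOR plus an HMAC tag, standard library only."""
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.REALM"  # constructed realm name

def password_to_key(password: str, principal: str) -> bytes:
    # Stand-in for the Kerberos string-to-key function (salted with the principal name).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks, i = [], 0
    while sum(len(b) for b in blocks) < n:
        blocks.append(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest())
        i += 1
    return b"".join(blocks)[:n]

def seal(key: bytes, obj) -> bytes:
    """Toy authenticated encryption of a JSON object: nonce || ciphertext || tag."""
    nonce, plain = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

class KDC:
    """Holds every principal's long-term key plus the krbtgt key used to seal TGTs."""
    def __init__(self):
        self.keys = {}
        self.tgs_key = os.urandom(32)
    def register(self, principal: str, password: str):
        self.keys[principal] = password_to_key(password, principal)
    def as_exchange(self, principal: str, lifetime: int = 8 * 3600) -> bytes:
        # AS-REP: only the holder of the password-derived key can read the reply; no password is sent.
        session, expires = os.urandom(32).hex(), int(time.time()) + lifetime
        tgt = seal(self.tgs_key, {"client": principal, "session": session, "expires": expires})
        return seal(self.keys[principal], {"session": session, "tgt": tgt.hex(), "expires": expires})
    def tgs_exchange(self, tgt_hex: str, authenticator_hex: str, service: str) -> bytes:
        # TGS-REQ: the TGT plus an authenticator under the TGT session key proves the client; still no password.
        tgt = unseal(self.tgs_key, bytes.fromhex(tgt_hex))
        if tgt["expires"] < time.time():
            raise ValueError("TGT expired")
        tgt_session = bytes.fromhex(tgt["session"])
        if unseal(tgt_session, bytes.fromhex(authenticator_hex))["client"] != tgt["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"client": tgt["client"], "session": svc_session, "expires": tgt["expires"]})
        return seal(tgt_session, {"session": svc_session, "ticket": ticket.hex()})

class Client:
    """Models kinit (fill the credential cache) and later ticket use from that cache."""
    def __init__(self, principal: str, kdc: KDC):
        self.principal, self.kdc, self.cache = principal, kdc, {}
    def kinit(self, password: str) -> dict:
        key = password_to_key(password, self.principal)
        self.cache["krbtgt/" + REALM] = unseal(key, self.kdc.as_exchange(self.principal))
        return self.cache["krbtgt/" + REALM]  # a wrong password makes unseal raise ValueError
    def _authenticator(self, session_hex: str) -> str:
        return seal(bytes.fromhex(session_hex), {"client": self.principal, "ts": int(time.time())}).hex()
    def get_service_ticket(self, service: str) -> dict:
        tgt = self.cache["krbtgt/" + REALM]
        rep = self.kdc.tgs_exchange(tgt["tgt"], self._authenticator(tgt["session"]), service)
        self.cache[service] = unseal(bytes.fromhex(tgt["session"]), rep)
        return self.cache[service]
    def ap_request(self, service: str):
        cred = self.cache[service]
        return cred["ticket"], self._authenticator(cred["session"])

def service_verify(service_key: bytes, ticket_hex: str, authenticator_hex: str, max_skew: int = 300) -> str:
    """What the application server does: open the ticket with its own key, then check the authenticator."""
    ticket = unseal(service_key, bytes.fromhex(ticket_hex))
    auth = unseal(bytes.fromhex(ticket["session"]), bytes.fromhex(authenticator_hex))
    if auth["client"] != ticket["client"] or abs(time.time() - auth["ts"]) > max_skew:
        raise ValueError("authenticator rejected")
    if ticket["expires"] < time.time():
        raise ValueError("ticket expired")
    return ticket["client"]

def demo() -> str:
    kdc, user, service = KDC(), "alice@" + REALM, "host/login.example.realm@" + REALM
    kdc.register(user, "correct horse battery")        # constructed user password
    kdc.register(service, "service-keytab-secret")     # constructed service key (keytab stand-in)
    alice = Client(user, kdc)
    alice.kinit("correct horse battery")
    alice.get_service_ticket(service)
    ticket, authenticator = alice.ap_request(service)
    return service_verify(password_to_key("service-keytab-secret", service), ticket, authenticator)

if __name__ == "__main__":
    print("service accepted principal:", demo())
```

Two things worth noticing when running it: a wrong password in `kinit` fails locally because the AS reply cannot be opened, nothing about the password ever left the client; and `service_verify` needs only the service's own key, so the application server never talks to the KDC during the final exchange.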
Using Kerberos
• MS Windows
  • Windows domain login
  • 3rd party Kerberos tools
    • WRQ Reflection
    • MIT Kerberos for Windows (KfW) Leash32
    • Exceed
• Unix, Linux and Mac OS X
MS Windows
• Domain login
• Kerberos Ticket (Windows Kerbtray.exe application)
• Notice realm - FERMI.WIN.FNAL.GOV
MS Windows: Managing Credentials
• MIT Kerberos for Windows (KfW) http://web.mit.edu/kerberos/
• Notice realm - FNAL.GOV
MS Windows: Managing Credentials
• WRQ Kerberos Manager
MS Windows: Managing Credentials
• OpenAFS Token
UNIX, Linux, Mac OS X
• Kerberos tools:
  • kinit
  • klist
  • kdestroy
  • k5push
• Clients:
  • telnet, ssh, ftp
  • rlogin, rsh, rcp
Things to watch for:
• Cryptocard gotchas.
•SSH end-to-end?
Cryptocard Gotchas
• Where is that ‘kinit’ command running? (Beware of remote connections.)
• Cryptocard doesn’t mean encryption. (Cryptocard authentication yields a Kerberos credential cache.)
SSH considerations
• Using cryptocard authentication yields an encrypted connection.
• Need to be aware of where the endpoints of the SSH connection are. (Beware of ‘stacked’ connections.)
[Figure: stacked connection: Local Host -> (telnet) -> Remote Host -> (ssh) -> Remote Host]
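The two gotchas above (where `kinit` actually runs, and whether a stacked connection is really protected end to end) can be checked mechanically. The script below is an added example, not part of the original slides: `analyse_chain` takes the hop-by-hop path a user followed (host names and protocols constructed for illustration, matching the telnet-then-ssh picture on the slide) and reports on which host the credential cache will be created, which segments carry the typed password in the clear, and which intermediate hosts terminate an encrypted session and therefore see the traffic in plaintext; `session_is_remote` uses the `SSH_CONNECTION`/`SSH_CLIENT`/`SSH_TTY` variables that sshd sets to tell whether the current shell is itself a remote one.

```python
"""Checks for the kinit-location and stacked-connection gotchas (added example, not from the slides).
Host names and the protocol sets are constructed for illustration."""
import os

CLEARTEXT = {"telnet", "rlogin", "rsh", "rcp", "ftp"}   # password and session cross the network unencrypted
ENCRYPTED = {"ssh", "scp", "sftp"}

def analyse_chain(hops):
    """hops: list of (src_host, dst_host, protocol) in the order the user connected.
    Returns where the credential cache ends up, which segments expose typed secrets to the
    network, and which intermediate hosts see the session in plaintext."""
    if not hops:
        raise ValueError("need at least one hop")
    for i in range(1, len(hops)):
        if hops[i][0] != hops[i - 1][1]:
            raise ValueError("chain is not contiguous at hop %d" % i)
    protocols = [p for _, _, p in hops]
    return {
        "kinit_runs_on": hops[-1][1],                       # the cache is created on the last host
        "exposed_segments": [h for h in hops if h[2] in CLEARTEXT],
        "intermediate_hosts": [h[1] for h in hops[:-1]],    # each one terminates a session and sees plaintext
        "wire_encrypted": all(p in ENCRYPTED for p in protocols),
        "end_to_end_encrypted": len(hops) == 1 and protocols[0] in ENCRYPTED,
        "unknown_protocols": sorted(set(protocols) - CLEARTEXT - ENCRYPTED),
    }

def session_is_remote(env=None) -> bool:
    """True when this shell was reached over SSH (sshd sets these variables), so a kinit
    typed here creates its credential cache on a remote host, not the local one."""
    env = os.environ if env is None else env
    return any(k in env for k in ("SSH_CONNECTION", "SSH_CLIENT", "SSH_TTY"))

def report(hops) -> list:
    """Human-readable summary of analyse_chain, one finding per line."""
    r = analyse_chain(hops)
    lines = ["kinit runs on %s; the credential cache is created there" % r["kinit_runs_on"]]
    for s, d, p in r["exposed_segments"]:
        lines.append("password typed into kinit crosses %s -> %s in the clear (%s)" % (s, d, p))
    for h in r["intermediate_hosts"]:
        lines.append("%s is an intermediate hop and sees the session in plaintext" % h)
    if r["end_to_end_encrypted"]:
        lines.append("single encrypted hop: protected end to end")
    return lines

if __name__ == "__main__":
    # constructed chain matching the slide's picture: telnet to a gateway, then ssh onward
    for line in report([("laptop", "gateway", "telnet"), ("gateway", "login", "ssh")]):
        print(line)
    print("this shell is remote:", session_is_remote())
```

For the slide's picture the report says the cache lands on the far host, the password crosses the telnet segment unprotected, and the gateway sees everything even though the second hop is ssh; only a single ssh hop from the local machine is flagged as end to end.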