Using Kerberos

  • Sometimes, you don’t have Kerberos-aware tools or clients. Then you use your Cryptocard.
  • There may be non-encrypted segments of a ‘stacked’ connection.
  • Using Kerberos

    1. Using Kerberos
       • the fundamentals
    2. Computer/Network Security needs:
       • Authentication
           • Who is requesting access
       • Authorization
           • What user is allowed to do
       • Auditing
           • What has user done
       • Kerberos addresses all of these needs.
    3. The authentication problem:
    4. Authentication
       • Three ways to prove identity
           • Something you know
           • Something you have
           • Something you are
       • Kerberos is ‘something you know’, but stronger.
       • Fermilab computers that offer login or FTP services over the network cannot accept passwords for authentication.
       [Diagram label: Increasing Strength]
    5. What is Kerberos Good For?
       • Verify identity of users and servers
       • Encrypt communication if desired
       • Centralized repository of accounts (Kerberos uses ‘realm’ to group accounts)
       • Local authentication
       • Enforce ‘good’ password policy
       • Provide an audit trail of usage
    6. How does Kerberos Work? (Briefly)
       • A password is shared between the user and KDC
       • Credentials are called tickets
       • Credentials are saved in a cache
       • Initial credential request is for a special ticket granting ticket (TGT)
    7. Using Kerberos
       • MS Windows
           • Windows domain login
           • 3rd party Kerberos tools
               • WRQ Reflection
               • MIT Kerberos for Windows (KfW) Leash32
               • Exceed
       • Unix, Linux and Mac OS X
    8. MS Windows
       • Domain login
       • Kerberos Ticket (Windows Kerbtray.exe application)
       • Notice realm - FERMI.WIN.FNAL.GOV
    9. MS Windows Managing Credentials
       • MIT Kerberos for Windows (KfW) http://web.mit.edu/kerberos/
       • Notice realm - FNAL.GOV
    10. MS Windows Managing Credentials
       • WRQ Kerberos Manager
    11. MS Windows Managing Credentials
       • OpenAFS Token
    12. UNIX, Linux, Mac OS X
       • Kerberos tools:
           • kinit
           • klist
           • kdestroy
           • k5push
       • Clients:
           • telnet, ssh, ftp
           • rlogin, rsh, rcp
    13. Things to watch for:
       • Cryptocard gotchas.
       • SSH end-to-end?
    14. Cryptocard Gotchas
       • Where is that ‘kinit’ command running? (Beware of remote connections.)
       • Cryptocard doesn’t mean encryption. (Cryptocard authentication yields a Kerberos credential cache.)
    15. SSH considerations
       • Using Cryptocard authentication yields an encrypted connection.
       • Need to be aware where the endpoints of the SSH connection are. (Beware of ‘stacked’ connections.)
       [Diagram: Local Host, Remote Host, Remote Host, with connections labelled telnet and ssh]
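
The warnings on slides 14 and 15 (where is ‘kinit’ running, and where does the SSH connection really end) can be turned into a check made before authenticating. This is an added example, not part of the original slides; the function names are hypothetical, and it is a heuristic that assumes who(1) prints the origin host in parentheses for network logins.

```shell
#!/bin/sh
# Added example, not from the slides. Function names are hypothetical.
# Heuristic: where would a 'kinit' typed in this shell actually run?
#   $1 = value of $SSH_CONNECTION (empty unless sshd started the session)
#   $2 = the `who -m` line for this terminal
# Prints: local | ssh | remote-other
classify_session() {
    ssh_conn=$1
    who_line=$2
    # sshd sets SSH_CONNECTION to "client_ip client_port server_ip server_port".
    if [ -n "$ssh_conn" ]; then
        echo ssh
        return 0
    fi
    # who(1) shows the origin host in parentheses for network logins.
    origin=$(printf '%s\n' "$who_line" | sed -n 's/.*(\([^)]*\)).*/\1/p')
    case $origin in
        ''|:*) echo local ;;         # console, or a local X display like ":0"
        *)     echo remote-other ;;  # e.g. telnet or rlogin, no sshd involved
    esac
}

# Exit status: 0 = local, 1 = ssh (earlier hops unknown), 2 = other remote login.
kinit_location_check() {
    case $(classify_session "$1" "$2") in
        local)
            return 0 ;;
        ssh)
            echo "kinit would run on the remote end of an ssh session:" >&2
            echo "the credential cache lands there, and any hop before" >&2
            echo "this ssh link (a 'stacked' connection) may be cleartext." >&2
            return 1 ;;
        *)
            echo "remote login not made by sshd: unless that client" >&2
            echo "negotiated encryption, a password or Cryptocard response" >&2
            echo "typed here crosses the network in the clear." >&2
            return 2 ;;
    esac
}

# Typical use before authenticating:
#   kinit_location_check "${SSH_CONNECTION:-}" "$(who -m 2>/dev/null)" && kinit
```

A shell on the far host cannot see the hops that came before it, so the ssh result is a prompt to check the whole path by hand rather than a verdict.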