Using Kerberos
  • Sometimes, you don’t have Kerberos-aware tools or clients. Then you use your Cryptocard.
  • There may be non-encrypted segments of a ‘stacked’ connection.
  • Transcript

    • 1. Using Kerberos
      • the fundamentals
    • 2. Computer/Network Security needs:
      • Authentication
        • Who is requesting access
      • Authorization
        • What user is allowed to do
      • Auditing
        • What has user done
      • Kerberos addresses all of these needs.
    • 3. The authentication problem:
    • 4. Authentication
      • Three ways to prove identity
        • Something you know
        • Something you have
        • Something you are
      • Kerberos is ‘something you know’, but stronger.
      • Fermilab computers that offer login or FTP services over the network cannot accept passwords for authentication.
      [Figure label: Increasing Strength]
    • 5. What is Kerberos Good For?
      • Verify identity of users and servers
      • Encrypt communication if desired
      • Centralized repository of accounts (Kerberos uses ‘realm’ to group accounts)
      • Local authentication
      • Enforce ‘good’ password policy
      • Provide an audit trail of usage
    • 6. How does Kerberos Work? (Briefly)
      • A password is shared between the user and KDC
      • Credentials are called tickets
      • Credentials are saved in a cache
      • Initial credential request is for a special ticket granting ticket (TGT)
    • 7. Using Kerberos
      • MS Windows
        • Windows domain login
        • 3rd party Kerberos tools
          • WRQ Reflection
          • MIT Kerberos for Windows (KfW) Leash32
          • Exceed
      • Unix, Linux and Mac OS X
    • 8. MS Windows
      • Domain login
      • Kerberos Ticket (Windows Kerbtray.exe application)
      • Notice realm - FERMI.WIN.FNAL.GOV
    • 9. MS Windows Managing Credentials
      • MIT Kerberos for Windows (KfW) http://web.mit.edu/kerberos/
      • Notice realm - FNAL.GOV
    • 10. MS Windows Managing Credentials
      • WRQ Kerberos Manager
    • 11. MS Windows Managing Credentials
      • OpenAFS Token
    • 12. UNIX, Linux, Mac OS X
      • Kerberos tools:
        • kinit
        • klist
        • kdestroy
        • k5push
      • Clients:
        • telnet, ssh, ftp
        • rlogin, rsh, rcp
    • 13. Things to watch for:
      • Cryptocard gotchas.
      • SSH end-to-end?
    • 14. Cryptocard Gotchas
      • Where is that ‘kinit’ command running? (Beware of remote connections.)
      • Cryptocard doesn’t mean encryption. (Cryptocard authentication yields a Kerberos credential cache.)
    • 15. SSH considerations
      • Using Cryptocard authentication yields an encrypted connection.
      • Need to be aware where the endpoints of the SSH connection are. (Beware of ‘stacked’ connections.)
      [Diagram: Local Host, Remote Host, Remote Host; connections labeled telnet and ssh]
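
Slides 14 and 15 ask where `kinit` is running and where the SSH endpoints are. The sketch below is an added example, not part of the original slides: it classifies the current login before a Kerberos password is typed. The names `classify_session` and `safe_kinit` and the warn/refuse policy are assumptions; `SSH_CONNECTION` is the variable OpenSSH's sshd sets, and the sample `who` lines are constructed.

```shell
#!/bin/sh
# Added example, not from the slides. classify_session and safe_kinit are
# hypothetical names; the warn/refuse policy is an assumption.

# classify_session SSH_CONNECTION_VALUE WHO_M_LINE
# Prints: local | ssh | remote-unknown
classify_session() {
    ssh_conn=$1
    who_line=$2
    if [ -n "$ssh_conn" ]; then      # set by OpenSSH sshd for the session
        echo ssh
        return 0
    fi
    case $who_line in
        *"("*")")                    # who(1) shows the login origin in (...)
            origin=${who_line##*\(}
            origin=${origin%\)}
            case $origin in
                :*) echo local ;;    # X display such as (:0)
                *)  echo remote-unknown ;;  # telnet, rlogin, or ssh behind su
            esac ;;
        *)  echo local ;;            # console, or terminal with no utmp origin
    esac
}

safe_kinit() {
    kind=$(classify_session "${SSH_CONNECTION:-}" "$(who -m 2>/dev/null)")
    case $kind in
        local)
            kinit "$@" ;;
        ssh)
            # Only the last hop is known to be ssh; an earlier telnet hop in a
            # stacked connection cannot be seen from this host.
            echo "warning: kinit on $(hostname) over ssh; check every hop" >&2
            kinit "$@" ;;
        *)
            echo "refusing: remote login not identified as ssh" >&2
            return 1 ;;
    esac
}

# Constructed sample lines in who(1) format (not real logins).
for line in "alice tty1 2024-01-01 10:00" \
            "alice pts/3 2024-01-01 10:00 (gw.example.org)"; do
    printf '%s -> %s\n' "$line" "$(classify_session "" "$line")"
done
```

A result of `ssh` describes only the hop that terminates on this host; it says nothing about earlier hops in a stacked connection.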