SSO with kerberos



1. Single Sign-on with Kerberos
   - Chris Eberle
   - Ryan Thomas
   - RC Johnson
   - Kim-Lan Tran
   - CS-591 Fall 2008

2. Introduction: Services
   - Examples of network services
     - Email
     - Shell accounts
     - Websites
   - Each traditionally responsible for authenticating users
     - Duplicate user information
   - LDAP solves the duplication problem by acting as a directory service
     - User must still authenticate each time a service is accessed

3. Single Sign-on
   - Motivation
     - Gets rid of constant password prompts
     - System administrator manages one group of users instead of several groups for different services
     - User only has one password to remember
   - Technique used to validate a user's identity only once and give secure access to all network services

4. Project Outline
   - Set up Kerberos
     - Popular mechanism used to achieve single sign-on
   - Set up 3 virtual machines on a network
   - Set up various network services
     - SSH
     - FTP
     - NFS
     - Mail

5. LDAP Overview
   - Lightweight Directory Access Protocol
   - Stores information about users, groups, DNS, or any database-utilizing service
   - Can add, modify, and query for information

6. LDAP Choice
   - Chose OpenLDAP
     - Created in 1998
     - Loosely based on the LDAP server at the University of Michigan
     - Uses an insecure communication mechanism
     - "One of the team members may have killed himself if we used a proprietary implementation"
   - Other LDAP choices
     - Active Directory by Microsoft
     - Open Directory by Novell
     - Red Hat Directory Server by Red Hat

7. SSL Overview
   - Secure Sockets Layer
   - Protocol used to ensure that data transferred over networks is encrypted
     - Prevents tampering and eavesdropping
   - Use OpenSSL
     - Implements SSL and the newer protocol TLS (Transport Layer Security)

8. Kerberos Overview
   - Way to securely prove one's identity over a network
   - Open source application developed by MIT
   - Made up of two parts
     - Authentication server
     - Ticket-granting server
   - Ticket is granted after the user is authenticated
     - Uses symmetric-key cryptography
     - Expires after a period of time
   - User presents the ticket to a service
     - Service authenticates the user without prompting for a password

9. Kerberos Diagram [figure not present in the extracted text]

10. Project Design
   - 3 virtual machines named Kenny, Cartman, and Stan
   - Cartman (Debian Lenny)
     - Central server
     - LDAP, Kerberos, NTP server
   - Stan (Debian Lenny)
     - Secondary server
     - Mail, NFS, FTP
   - Kenny (Ubuntu 8.04)
     - Client
   - All three run SSH servers
   - Kenny and Cartman mount Stan's NFS share
   - SSH does not accept RSA or DSA keys
   - Mail client on Kenny does not store passwords

11. LDAP Setup
   - Serves as the base for user information
   - Used a BDB database for the backend
   - Challenge to find the different configuration files on Debian and Ubuntu
   - Tell name services to use LDAP
   - Configure PAM (Pluggable Authentication Modules) to authenticate against LDAP
   - Removed all local accounts from the machines

12. SSL Setup
   - Generate certificates
   - Problems with pointing to the correct certificates
     - Needed to fix configuration files
   - Problems with nomenclature
     - References to ldaps or StartTLS protocols
   - Changed configuration from ldaps to ldap and enabled StartTLS
13. Kerberos Setup
   - Create and initialize the realm
   - Create principals for all hosts, users, and services
   - Change PAM from using LDAP to Kerberos
   - LDAP still needed for other reasons
   - Install Kerberos keys into the key stores of all clients
   - All machines must have the correct date and time
     - Validate session for ticket
   - Example principals: host/stan@VAST.UCCS.EDU, imap/stan@VAST.UCCS.EDU, [email_address], root/admin@VAST.UCCS.EDU
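As an added illustration that is not part of the deck, the following constructed Python model walks through the flow of slides 8 and 13: an AS reply only the password holder can open, a TGT and service ticket sealed under keys the client never sees, ticket expiry, and the authenticator timestamp check that is the reason every machine needs the correct time (the project's NTP server on Cartman). The realm, principal names and keys are made up, and the cipher is a toy stand-in for the real Kerberos enctypes.

```python
import hashlib, hmac, json, os

SKEW = 300  # seconds of clock skew a KDC tolerates (MIT default is 5 minutes): why Cartman runs NTP
def seal(key, obj):
    """Toy encrypt-then-MAC standing in for a Kerberos enctype (constructed; not production crypto)."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(pt) // 32 + 1))
    ct = bytes(a ^ b for a, b in zip(pt, ks))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Reject anything not sealed under this exact key (wrong password, forged or altered ticket)."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered ticket")
    ks = b"".join(hashlib.sha256(key + nonce + bytes([i])).digest() for i in range(len(ct) // 32 + 1))
    return json.loads(bytes(a ^ b for a, b in zip(ct, ks)))

def kdf(secret):  # user keys derive from passwords; host/service keys are keytab entries
    return hashlib.sha256(secret.encode()).digest()
# Constructed realm mirroring the deck: long-term keys known only to the KDC (and each service).
KDC_KEYS = {"kim@VAST.UCCS.EDU": kdf("kim-password"), "krbtgt/VAST.UCCS.EDU": kdf("tgs-master-key"),
            "host/stan@VAST.UCCS.EDU": kdf("stan-keytab-entry")}

def as_exchange(user, kdc_now, lifetime=10 * 3600):
    """AS-REP: TGT sealed under the TGS key, session key sealed under the user's key."""
    sk = os.urandom(16).hex()
    tgt = seal(KDC_KEYS["krbtgt/VAST.UCCS.EDU"], {"cname": user, "key": sk, "endtime": kdc_now + lifetime})
    return seal(KDC_KEYS[user], {"key": sk, "tgt": tgt.hex()})

def verify_ticket(ticket, authenticator, ticket_key, server_now):
    """Check done by the TGS and by every Kerberized service: ticket valid, authenticator fresh."""
    t = unseal(ticket_key, ticket)
    if server_now > t["endtime"]:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["key"]), authenticator)  # proves the client holds the session key
    if a["cname"] != t["cname"] or abs(a["ctime"] - server_now) > SKEW:
        raise ValueError("authenticator rejected: name mismatch or clock skew over %d s" % SKEW)
    return t

def sso_login(user, password, service, client_now, kdc_now):
    """kinit (AS), then a service ticket (TGS), then the ticket presented to the service (AP)."""
    rep = unseal(kdf(password), as_exchange(user, kdc_now))  # wrong password: cannot open AS-REP
    sk = bytes.fromhex(rep["key"])
    tgt = verify_ticket(bytes.fromhex(rep["tgt"]), seal(sk, {"cname": user, "ctime": client_now}),
                        KDC_KEYS["krbtgt/VAST.UCCS.EDU"], kdc_now)
    ssk = os.urandom(16).hex()  # simplified: a real TGS-REP also seals this under sk for the client
    st = seal(KDC_KEYS[service], {"cname": user, "key": ssk, "endtime": tgt["endtime"]})
    auth = seal(bytes.fromhex(ssk), {"cname": user, "ctime": client_now})
    return verify_ticket(st, auth, KDC_KEYS[service], kdc_now)["cname"]  # service never saw a password
```

A client clock more than SKEW seconds off the KDC fails at the authenticator check even with the right password, which is the failure the slide's "correct date and time" requirement prevents.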
14. Kerberos (cont'd)
   - User authentication handled by Kerberos, but user information (user id, groups, shell, home directory, etc.) still handled by LDAP.
   - Users must recreate their password, so migrating from LDAP on a large network may not be feasible.

15. SSH Setup
   - Modify the SSH server configuration to accept GSSAPI (Kerberos) credentials:
     - GSSAPIAuthentication yes
     - GSSAPICleanupCredentials yes
     - GSSAPIKeyExchange yes
     - AllowTcpForwarding yes
   - Modify the SSH client configuration to send GSSAPI credentials when connecting:
     - GSSAPIAuthentication yes
     - GSSAPIDelegateCredentials yes
   - Users only need to log in once to SSH anywhere, or use any other Kerberos services.

16. FTP Setup
   - Set up FTP on Stan
   - Needed package "krb5-ftpd"
     - "Kerberized" version of FTP
   - Problem in not realizing that the server daemon, inetd, wasn't installed
     - Manages services by mapping them to specific ports and launches the correct service
   - Used the "krb-ftp" command on Kenny to test FTP
     - Came with the "krb-client" package

17. NFS Setup
   - NFSv4
   - Set up server
     - Added principals to Kerberos
     - Modified exports file
     - Ensure RPC services were starting correctly (idmap)
   - Set up client
     - RPC services (idmap)
     - Import Kerberos keys
     - Recreated key files on all machines
     - Verified permissions and mount points
     - Set up to automatically mount home directories

18. IMAP Server
   - Set up dovecot (popular IMAP server) with secure SSL extensions on Stan.
   - Kerberos used for authentication, regular password authentication disabled
   - LDAP used for user information (e.g. path to their mail directories)
   - Set up a quick-n-dirty postfix install to allow delivery of mail (no Kerberos though)

19. IMAP Client
   - Used Thunderbird on Kenny as the IMAP client
   - Must tell Thunderbird to use Kerberos
     - Option is "Use secure authentication" (different from SSL/TLS)
   - Client can receive email after logging in to the desktop without being asked for a password.
   - Bonus: Thunderbird doesn't have to store your email password anywhere, so it's more secure.

20. Future Directions
   - Add firewall security
   - Add more services such as Apache
   - Add multiple platforms
   - Add security to SMTP
21. References
   - Debian
   - Ubuntu
   - Chris