SSO with kerberos
1. Single Sign-on with Kerberos
   - Chris Eberle
   - Ryan Thomas
   - RC Johnson
   - Kim-Lan Tran
   - CS-591 Fall 2008

2. Introduction: Services
   - Examples of network services
     - Email
     - Shell accounts
     - Websites
   - Each traditionally responsible for authenticating users
     - Duplicate user information
   - LDAP solves the duplication problem by acting as a directory service
     - User must still authenticate each time a service is accessed

3. Single Sign-on
   - Motivation
     - Gets rid of constant password prompts
     - System administrator manages one group of users instead of several groups for different services
     - User only has one password to remember
   - Technique used to validate a user's identity only once and give secure access to all network services

4. Project Outline
   - Set up Kerberos
     - Popular mechanism used to achieve single sign-on
   - Set up 3 virtual machines on a network
   - Set up various network services
     - SSH
     - FTP
     - NFS
     - Mail

5. LDAP Overview
   - Lightweight Directory Access Protocol
   - Stores information about users, groups, DNS, or any database-utilizing service
   - Can add, modify, and query for information

6. LDAP Choice
   - Chose OpenLDAP
     - Created in 1998
     - Loosely based on the LDAP server at the University of Michigan
     - Uses an insecure communication mechanism
     - “One of the team members may have killed himself if we used a proprietary implementation”
   - Other LDAP choices
     - Active Directory by Microsoft
     - Open Directory by Novell
     - Red Hat Directory Server by Red Hat

7. SSL Overview
   - Secure Socket Layer
   - Protocol used to ensure that data transferred over networks is encrypted
     - Prevents tampering and eavesdropping
   - Use OpenSSL
     - Implements SSL and the newer protocol TLS (Transport Layer Security)

8. Kerberos Overview
   - Way to securely prove one's identity over a network
   - Open source application developed by MIT
   - Made up of two parts
     - Authentication server
     - Ticket granting server
   - Ticket is granted after the user authenticates
     - Uses symmetric key cryptography
     - Expires after a period of time
   - User presents ticket to service
     - Service authenticates user without prompting for a password

9. Kerberos Diagram

10. Project Design
   - 3 virtual machines named Kenny, Cartman, and Stan
   - Cartman (Debian Lenny)
     - Central server
     - LDAP, Kerberos, NTP server
   - Stan (Debian Lenny)
     - Secondary server
     - Mail, NFS, FTP
   - Kenny (Ubuntu 8.04)
     - Client
   - All three run SSH servers
   - Kenny and Cartman mount Stan's NFS share
   - SSH does not accept RSA or DSA keys
   - Mail client on Kenny does not store passwords

11. LDAP Setup
   - Serves as base for user information
   - Used BDB database for backend
   - Challenge to find different configuration files on Debian and Ubuntu
   - Tell name services to use LDAP
   - Configure PAM (Pluggable Authentication Modules) to authenticate against LDAP
   - Removed all local accounts from machines

12. SSL Setup
   - Generate certificates
   - Problems with pointing to correct certificates
     - Needed to fix configuration files
   - Problems with nomenclature
     - References to ldaps or StartTLS protocols
   - Changed configuration from ldaps to ldap and enabled StartTLS

13. Kerberos Setup
   - Create and initialize realm
   - Create principals for all hosts, users, and services
   - Change PAM from using LDAP to Kerberos
   - LDAP still needed for other reasons
   - Install Kerberos keys into the key stores of all clients
   - All machines must have the correct date and time
     - Validate session for ticket
   - Example principals:
     - host/stan@VAST.UCCS.EDU
     - imap/stan@VAST.UCCS.EDU
     - [email_address]
     - root/admin@VAST.UCCS.EDU

14. Kerberos (contd)
   - User authentication handled by Kerberos, but user information (user id, groups, shell, home directory, etc.) still handled by LDAP.
   - Users must recreate their password, so migrating from LDAP on a large network may not be feasible.
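Added worked example, not code from the deck or its project: a toy Python model of the three exchanges the Kerberos slides describe (authentication server, ticket granting server, and the service the ticket is presented to), using the realm and the host/stan principal named on the setup slide. Everything concrete in it is an assumption made for the example: PBKDF2 stands in for Kerberos string-to-key, an HMAC-based keystream plus tag stands in for the real encryption types so it runs on the standard library alone, the ticket lifetime is made up, and "alice" is a constructed user. It shows why the setup slide insists on correct clocks: every server checks the authenticator's timestamp against its own clock and rejects it outside the skew window.

```python
"""Toy model of the Kerberos AS, TGS and service exchanges (constructed example, not
a real implementation): PBKDF2 stands in for string-to-key, an HMAC keystream plus
tag stands in for the real enctypes, so it runs on the standard library alone."""
import hashlib, hmac, json, secrets, time

REALM = "VAST.UCCS.EDU"             # realm name from the slides
TGS = f"krbtgt/{REALM}@{REALM}"     # ticket-granting service principal
SKEW = 300                          # allowed clock skew in seconds (krb5 default)
TICKET_LIFE = 10 * 3600             # ticket lifetime in seconds (assumed)

def string_to_key(password: str, principal: str) -> bytes:
    """Long-term key from a password, salted with the principal name (toy stand-in)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
                    for i in range((length + 31) // 32))

def seal(key: bytes, data: dict) -> bytes:
    """Encrypt-then-MAC a small JSON message under a symmetric key (toy construction)."""
    plain, nonce = json.dumps(data, sort_keys=True).encode(), secrets.token_bytes(16)
    body = bytes(p ^ k for p, k in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Check the tag before decrypting; a wrong key or any tampering raises."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, "sha256").digest()):
        raise ValueError("bad key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body)))))

def check_authenticator(ticket: dict, authenticator: bytes, now: int) -> str:
    """Shared by the TGS and application servers: ticket unexpired, authenticator sealed
    under the ticket's session key, same client, timestamp inside the skew window
    (this check is why the slides insist every machine keeps correct time)."""
    if now > ticket["expires"]:
        raise ValueError("ticket expired")
    auth = unseal(bytes.fromhex(ticket["session_key"]), authenticator)
    if auth["client"] != ticket["client"]:
        raise ValueError("authenticator does not match ticket")
    if abs(now - auth["timestamp"]) > SKEW:
        raise ValueError("clock skew too great")
    return ticket["client"]

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) over one principal database."""
    def __init__(self):
        self.db = {TGS: secrets.token_bytes(32)}      # principal -> long-term key

    def add_principal(self, name: str, password: str) -> None:
        self.db[name] = string_to_key(password, name)

    def _issue(self, client: str, service: str, now: int):
        session = secrets.token_hex(32)               # fresh session key per ticket
        body = {"client": client, "service": service, "session_key": session,
                "expires": now + TICKET_LIFE}
        return seal(self.db[service], body), session  # only `service` can open it

    def as_exchange(self, client: str, now: int) -> dict:
        """AS-REP: TGT sealed under the TGS key, session key sealed under the user's key."""
        tgt, session = self._issue(client, TGS, now)
        return {"tgt": tgt, "enc_part": seal(self.db[client], {"session_key": session})}

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> dict:
        """TGS-REP: validate the TGT and authenticator, then issue a ticket for `service`."""
        tgt_body = unseal(self.db[TGS], tgt)
        client = check_authenticator(tgt_body, authenticator, now)
        ticket, session = self._issue(client, service, now)
        return {"ticket": ticket,
                "enc_part": seal(bytes.fromhex(tgt_body["session_key"]), {"session_key": session})}

def login(kdc: KDC, user: str, password: str, now: int) -> dict:
    """kinit: the AS-REP is only usable if the password opens its encrypted part."""
    rep = kdc.as_exchange(user, now)
    enc = unseal(string_to_key(password, user), rep["enc_part"])
    return {"client": user, "tgt": rep["tgt"], "session_key": enc["session_key"]}

def get_service_ticket(kdc: KDC, creds: dict, service: str, now: int) -> dict:
    """TGS-REQ with the TGT and a fresh authenticator; no password is involved."""
    auth = seal(bytes.fromhex(creds["session_key"]), {"client": creds["client"], "timestamp": now})
    rep = kdc.tgs_exchange(creds["tgt"], auth, service, now)
    enc = unseal(bytes.fromhex(creds["session_key"]), rep["enc_part"])
    return {"client": creds["client"], "ticket": rep["ticket"], "session_key": enc["session_key"]}

def service_accept(service_key: bytes, st: dict, client_now: int, server_now: int) -> str:
    """AP-REQ: the client seals an authenticator with its own clock; the server (e.g.
    sshd holding host/stan's keytab key) verifies it against its clock."""
    auth = seal(bytes.fromhex(st["session_key"]), {"client": st["client"], "timestamp": client_now})
    return check_authenticator(unseal(service_key, st["ticket"]), auth, server_now)

def demo(server_clock_offset: int = 0) -> str:
    """One password prompt, then tickets only; the offset models a mis-set server clock."""
    now = int(time.time())
    user, host = f"alice@{REALM}", f"host/stan@{REALM}"   # alice is a constructed user
    kdc = KDC()
    kdc.add_principal(user, "correct-horse")
    kdc.add_principal(host, secrets.token_hex(16))         # host key as kept in its keytab
    creds = login(kdc, user, "correct-horse", now)         # the only password use
    st = get_service_ticket(kdc, creds, host, now)
    return service_accept(kdc.db[host], st, now, now + server_clock_offset)
```

`demo()` returns the authenticated principal after a single password use; `demo(server_clock_offset=SKEW + 60)` raises because the service's clock is too far from the client's, which is the failure the NTP server on Cartman exists to prevent. A wrong password fails at `login`, since only the correct key can open the AS-REP's encrypted part, so the KDC never learns whether the user knew it.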
15. SSH Setup
   - Modify the SSH server configuration to accept GSSAPI (Kerberos) credentials:
     - GSSAPIAuthentication yes
     - GSSAPICleanupCredentials yes
     - GSSAPIKeyExchange yes
     - AllowTcpForwarding yes
   - Modify the SSH client configuration to send GSSAPI credentials when connecting:
     - GSSAPIAuthentication yes
     - GSSAPIDelegateCredentials yes
   - Users only need to log in once to SSH anywhere, or use any other Kerberos services.
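Added example, not a script from the deck or its project: a small Python audit that checks sshd_config and ssh_config text for the GSSAPI directives listed on the SSH slide. It models two OpenSSH parsing rules a hand check easily misses: the first occurrence of a directive wins, and anything after a Match (sshd) or Host (ssh) line is conditional. The two config fragments are constructed for the example, and the defaults table is an assumption (GSSAPIKeyExchange comes from the GSSAPI patch Debian and Ubuntu ship; its default is taken to be "no").

```python
"""Audit the GSSAPI directives from the SSH slide in sshd_config / ssh_config text.
Constructed example, not the project's own script."""
import re

# Values OpenSSH uses when a directive is absent (assumed; GSSAPIKeyExchange is from
# the Debian/Ubuntu GSSAPI patch rather than upstream OpenSSH).
DEFAULTS = {
    "gssapiauthentication": "no",
    "gssapicleanupcredentials": "yes",
    "gssapikeyexchange": "no",
    "gssapidelegatecredentials": "no",
    "pubkeyauthentication": "yes",
}
SERVER_WANT = {"gssapiauthentication": "yes", "gssapicleanupcredentials": "yes",
               "gssapikeyexchange": "yes"}
CLIENT_WANT = {"gssapiauthentication": "yes", "gssapidelegatecredentials": "yes"}

def parse_ssh_config(text: str) -> dict:
    """Global directives only, keys lower-cased. Mirrors OpenSSH: lines starting with '#'
    are comments, the FIRST occurrence of a directive wins, and everything after the
    first Match (sshd_config) or Host (ssh_config) line is conditional, so stop there."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)   # "Key value" or "Key=value"
        key = parts[0].lower()
        if key in ("match", "host"):
            break
        if len(parts) == 2 and key not in cfg:
            cfg[key] = parts[1].strip().lower()
    return cfg

def audit(text: str, wanted: dict) -> dict:
    """Map each required directive to (effective value, meets requirement?)."""
    cfg = parse_ssh_config(text)
    out = {}
    for key, want in wanted.items():
        effective = cfg.get(key, DEFAULTS.get(key))
        out[key] = (effective, effective == want)
    return out

def audit_server(sshd_config: str) -> dict:
    return audit(sshd_config, SERVER_WANT)

def audit_client(ssh_config: str) -> dict:
    return audit(ssh_config, CLIENT_WANT)

def kerberos_only(sshd_config: str) -> bool:
    """True when public-key auth is also off, as on the deck's hosts (no RSA/DSA keys)."""
    cfg = parse_ssh_config(sshd_config)
    return cfg.get("pubkeyauthentication", DEFAULTS["pubkeyauthentication"]) == "no"

def report(findings: dict, wanted: dict) -> list:
    """One line per directive that is not at its required value."""
    return [f"{key} is {value!r}, expected {wanted[key]!r}"
            for key, (value, ok) in findings.items() if not ok]

# Constructed fragments for the audit (not the project's real files).
SAMPLE_SSHD = """\
Port 22
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
PubkeyAuthentication no
# GSSAPIKeyExchange is never set here, so the default applies
# a later duplicate is ignored by OpenSSH: the first value above wins
GSSAPIAuthentication no
Match User backup
    GSSAPIAuthentication no
"""
SAMPLE_SSH = """\
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
"""

if __name__ == "__main__":
    for line in report(audit_server(SAMPLE_SSHD), SERVER_WANT):
        print("sshd_config:", line)
    for line in report(audit_client(SAMPLE_SSH), CLIENT_WANT):
        print("ssh_config:", line)
```

On the sample server fragment the audit flags only GSSAPIKeyExchange, which was left unset and so falls back to its default. AllowTcpForwarding from the slide governs port forwarding rather than authentication, so it is not part of the check; the PubkeyAuthentication check reflects the design slide's statement that SSH on these hosts accepted no RSA or DSA keys.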
16. FTP Setup
   - Set up FTP on Stan
   - Needed package “krb5-ftpd”
     - “Kerberized” version of FTP
   - Problem: did not realize that the server daemon, inetd, wasn't installed
     - inetd manages services by mapping them to specific ports and launching the correct service
   - Used the “krb-ftp” command on Kenny to test FTP
     - Came with the “krb-client” package

17. NFS Setup
   - NFSv4
   - Set up server
     - Added principals to Kerberos
     - Modified exports file
     - Ensured RPC services were starting correctly (idmap)
   - Set up client
     - RPC services (idmap)
     - Import Kerberos keys
     - Recreated key files on all machines
     - Verified permissions and mount points
     - Set up to automatically mount home directories

18. IMAP Server
   - Set up dovecot (popular IMAP server) with secure SSL extensions on Stan.
   - Kerberos used for authentication; regular password authentication disabled
   - LDAP used for user information (e.g. path to their mail directories)
   - Set up a quick-n-dirty postfix install to allow delivery of mail (no Kerberos though)

19. IMAP Client
   - Used Thunderbird on Kenny as IMAP client
   - Must tell Thunderbird to use Kerberos
     - Option is “Use secure authentication” (different from SSL/TLS)
   - Client can receive email after logging in to the desktop without being asked for a password.
   - Bonus: Thunderbird doesn't have to store your email password anywhere, so it's more secure.

20. Future Directions
   - Add firewall security
   - Add more services such as Apache
   - Add multiple platforms
   - Add security to SMTP

21. References
   - Debian (www.debian.org)
   - Ubuntu (ubuntuforums.org)
   - en.gentoo-wiki.com
   - Chris
