Kerberos : The network authentification protocol

Kerberos
The Network Authentication Protocol

1
La 1ère école 100 % dédiée à l'open source
Open Source School est fondée à l'initiative de Smile, leader de
l'intégration et de l'infogérance open source, et de l'EPSI,établissement
privé pionnier de l’enseignement supérieur en informatique.
Dans le cadre du Programme d’Investissements d’Avenir (PIA), le
gouvernement français a décidé de soutenir la création de cette école en
lui attribuant une première aide de 1,4M€ et confirme sa volonté de
soutenir la filière du Logiciel Libre actuellement en plein développement.
Avec une croissance annuelle de plus de 10%, et 4 000
postes vacants chaque année dans le secteur du Logiciel
Libre, OSS entend répondre à la pénurie de compétences du
secteur en mobilisant l’ensemble de l’écosystème et en
proposant la plus vaste offre en matière de formation aux
technologies open source tant en formation initiale qu'en
formation continue.

2
Les formations du plein emploi !
 Formation Continue
Open Source School "Executive Education" est un organisme
de formation qui propose un catalogue de plus de 200
formations professionnelles et différents dispositifs de
reconversion permettant le retour à l’emploi (POE) ou une
meilleure employabilité pour de nombreux professionnels de
l’informatique.
 Pour vos demandes : formations@opensourceschool.fr
 Formation Initiale
100% logiciels libres et 100% alternance, le cursus Open
Source School s’appuie sur le référentiel des blocs de
compétences de l’EPSI.
Il est sanctionné par un titre de niveau I RNCP, Bac+5.
Le programme est proposé dans 6 campus à Bordeaux, Lille,
Lyon, Montpellier, Nantes, Paris.

The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab
Plan
1 The Kerberos Protocol
2 Kerberos implementations
3 Kerberos for web applications
4 Lab
www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 2/25

Network Authentication
Today, most authentication protocols consist in :
client sends login (in clear)
client sends password (in clear)
server checks login/password against its database
Problems :
cleartext (enclosing the whole session in TLS mitigates this)
you need to authenticate every time you use a service
every server needs an up-to-date copy of the password
database

Enter Kerberos
Kerberos is :
an authentication mechanism
NOT a directory
NOT an authorization mechanism
centralized : only one password database, servers no longer
store passwords
security-focused : it can run safely over insecure networks
(eavesdropping, replay...)
SSO : you only use you password once

The big picture

Kerberos and the DNS
Kerberos relies on DNS to ﬁnd servers and principals
Which realm a particular host belongs to :
kerberos.part.of.fqdn TXT "KERBEROS.TLD"
What servers to contact for this realm
kerberos. udp.realm SRV 0 0 88 krbsrv
kerberos-master. udp.realm SRV 0 0 88 krbsrv
kerberos-adm. tcp.realm SRV 0 0 749 krbsrv
kpasswd. udp.realm SRV 0 0 464 krbsrv
Kerberos uses reverse DNS to ﬁnd the principal attached to a host

Vocabulary
Ticket : cryptographic material exchanged by parties
TGT : Ticket-Granting Ticket
ST : Service Ticket
KDC : Key Distribution Server
AS : Authentication Server (grants TGT)
TGS : Ticket-Granting Server (grants ST)
SS : Service Server
principal : identiﬁer of a secret
keytab : holds cryptographic material on SS

Cross-realm authentication
0 A secret is echanged between the two KDC
1 The client gets a TGT to the server KDC from it’s own KDC
2 The client gets a ST from the server KDC, using this TGT
3 The client authenticates to the server using this ST

Prerequisites, best practices
All clocks must be in sync
forward and reverse DNS have to be consistent, and have to
match the server’s hostname
no NAT

Plan
MIT Kerberos 5
Active Directory
4 Lab

MIT Kerberos 5
Plan
MIT Kerberos 5
Active Directory
4 Lab

MIT Kerberos 5
Overview
Reference Kerberos implementation since the 1980s
Support domain trust, master-slave delayed replication
Can use LDAP backend
MIT KDC can be trusted by a Windows domain
MIT client can login to a Windows domain

MIT Kerberos 5
MIT server
krb5kdc
KDC, distributes tickets and TGT
can be replicated
kadmind
server for admin operation
also password changes
only one
kadmin.local
local kerberos administration

MIT Kerberos 5
MIT client
kadmin : remote kerberos administration
kinit/kdestroy : get TGT / destroy all tickets
kpasswd : change password
klist : list current tickets
ktutil : keytab operations

MIT Kerberos 5
MIT client conﬁg
[ l i b d e f a u l t s ]
d e f a u l t r e a l m = FORMATION.TLD
[ realms ]
FORMATION.TLD = {
kdc = 1 9 2 . 1 6 8 . 0 . 2
a d m i n s e r v e r = 1 9 2 . 1 6 8 . 0 . 2
}
[ domain realm ]
. mylan = FORMATION.TLD

Active Directory
Plan
MIT Kerberos 5
Active Directory
4 Lab

Active Directory
Overview
Active Directory uses Kerberos for SSO
EEE at ﬁrst, got better since
Kerberos is tightly integrated into AD
Workstations usually login to AD
Can export keytab for third-party applications

Active Directory
Built-in
Every AD domain has a KDC and a principal database
Users get a TGT when they log in
Kerberos is preferred over NTLM for SSO in the domaine
However, when Kerberos fails, NTLM is used as a fallback
Samba in ADS security conﬁguration can use AD Kerberos
Apache with mod auth kerb can use AD Kerberos

Active Directory
Creating principals
Creating a user autimatically creates a new login@domain
principal
To create a service principal, you must create a dummy
account
Samba works around this using the machine account it’s liked
to
use ktpass to assign a principal to a user and generate a
keytab for MIT

Plan
4 Lab

HTTP-Negotiate
SPNEGO/GSSAPI/Kerberos
Supported in major browsers
Server sends 401 : WWW-Authenticate: Negotiate
Client sends its service ticket along with the request
Every request has to be sent twice

Guidelines
The application needs to be modified
You should only configure kerberos auth on the login from
Alternatively : setup CAS+Kerberos
Kerberos is only auth : you need something else to find info
about the user (LDAP, internal db...)
If you integrate with AD : you will need a server keytab
PHP : Apache mod auth kerb
Tomcat/JBoss : JAAS

Apache mod auth kerb
apache must be allowed to read the keytab
AuthType Kerberos
KrbMethodNegotiate on
KrbMethodK5Passwd on
KrbServiceName HTTP/something@REALM : Only use this if
you must
Krb5Keytab /etc/apache2/keytab : better use a separate
keytab
KrbSaveCredentials on : if the client allows delegation, its
credentials are tranferred to the web server, you can then use
the TGT stored in the $KRB5CCNAME ﬁle, this ﬁle is destroyed
at the end of the request.

Plan
4 Lab

Goals
1 Setup a MIT Kerberos KDC
2 Use GSSAPI auth on a ssh server
3 Setup a kerberized web server
4 Change the web server to authenticate against an Active
Direcory server

Kerberos : The network authentification protocol

Recommended

Recommended

More Related Content

What's hot

What's hot (8)

Similar to Kerberos : The network authentification protocol

Similar to Kerberos : The network authentification protocol (20)

Recently uploaded

Recently uploaded (20)

Kerberos : The network authentification protocol