Kerberos - Protocol for Authentication & Authorization
Gilles LEGOUX, DevOps Engineer @Criteo - SRE CORE IDM team - June 19th, 2018 for MeetUp (Cyber)Security for Software Engineers
Implementation by OS:
● Linux: MIT Kerberos
● Windows: Active Directory
● MacOS: Heimdal
MIT Kerberos is a project written in C, under development since the 1980s.
Open Source and Free: https://github.com/krb5/krb5
Last release: 1.16.1 (2018-05-03)
MIT License
Official Website | Tutorial | Documentation | Guide
Distribution | Release Linux | Historic
RFC | CVE | FAQ
Kerberos (V5) is a network authentication and authorization protocol with several implementations.
"Kerberos allows securing communications on untrusted networks, but where each node is trusted."
Kerberos Features
● Kerberos is widely deployed, mature, stable and performant, and is based on symmetric keys
● Mutual authentication, integrity and confidentiality of communication
● Protected against eavesdropping and replay attacks
● No exposed passwords: a password should never be exposed during authentication (no password in code, on the network or in logs ...)
● Not only HTTP: it can secure other communication channels (SSH, login, ...)
● Widely implemented in services (clients and kerberized servers) and in libraries for kerberized services
Kerberos secret = Metadata + Kerberos key
Metadata = [ kvno, issue time, encryption, principal ]
Kerberos key = getKey(password, salt, encryption)
Keytabs = container(Kerberos key with Metadata), stored in a binary file with the right permission (owner only, mode 0400) and not encrypted
Authenticator = { PrincipalClient, Timestamp } encrypted with KClient
Ticket-Granting Ticket (TGT) = authentication credential
Service-Granting Ticket (SGT) = authorization credential
Principal = Kerberos entity (User or Service Principal Name)
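As an added example (not code from the deck or from MIT Kerberos), a stdlib-only reader for the MIT keytab file format (version 0x0502) that recovers exactly the metadata listed above (principal, kvno, timestamp, enctype) together with the raw key, plus the two checks a deployment should make on a keytab: the file mode and the enctypes it carries. The sample keytab, its principal and its keys are constructed.

```python
"""Reader for the MIT keytab file format (version 0x0502, big-endian) with the
permission and enctype checks a deployment should make. Constructed example:
the sample keytab is built in memory from made-up keys."""
import os, stat, struct

ENCTYPES = {1: "des-cbc-crc", 3: "des-cbc-md5", 17: "aes128-cts-hmac-sha1-96",
            18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac", 24: "rc4-hmac-exp"}
WEAK = {1: "DES, deprecated by RFC 6649", 3: "DES, deprecated by RFC 6649",
        23: "RC4 (RFC 4757, obsolete)", 24: "RC4 export (RFC 4757, obsolete)"}

def _counted(b):                       # counted_octet_string: uint16 length + bytes
    return struct.pack(">H", len(b)) + b

def _read_counted(buf, pos):
    (n,) = struct.unpack_from(">H", buf, pos)
    return buf[pos + 2:pos + 2 + n], pos + 2 + n

def build_entry(principal, timestamp, kvno, etype, key, name_type=1):
    """Encode one keytab_entry (used here only to construct the sample file)."""
    name, realm = principal.split("@")
    comps = name.split("/")
    body = struct.pack(">H", len(comps)) + _counted(realm.encode())
    body += b"".join(_counted(c.encode()) for c in comps)
    body += struct.pack(">IIB", name_type, timestamp, kvno & 0xFF)   # name_type, timestamp, vno8
    body += struct.pack(">H", etype) + _counted(key)                 # keyblock: enctype + key
    body += struct.pack(">I", kvno)                                  # optional 32-bit vno
    return struct.pack(">i", len(body)) + body                       # size excludes the size field

def parse_keytab(data):
    """Return one dict per live entry: the metadata from the slide plus the raw (unencrypted) key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version %r" % data[:2])
    pos, entries = 2, []
    while pos + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                    # negative size marks a deleted slot (e.g. after ktremove)
            pos -= size
            continue
        end = pos + size
        (ncomp,) = struct.unpack_from(">H", data, pos)
        realm, pos = _read_counted(data, pos + 2)
        comps = []
        for _ in range(ncomp):
            c, pos = _read_counted(data, pos)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, pos)
        (etype,) = struct.unpack_from(">H", data, pos + 9)
        key, pos = _read_counted(data, pos + 11)
        kvno = struct.unpack_from(">I", data, pos)[0] if end - pos >= 4 else vno8   # 32-bit vno if present
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "name_type": name_type,
                        "timestamp": ts, "kvno": kvno, "etype": etype,
                        "enctype": ENCTYPES.get(etype, "etype %d" % etype), "key": key})
        pos = end
    return entries

def audit_keytab(data, mode):
    """Problems a deployment check should raise: loose file mode (slide: owner 0400) and weak enctypes."""
    problems = []
    perm = stat.S_IMODE(mode)
    if perm & 0o077:
        problems.append("mode %04o: readable or writable by group/other" % perm)
    if perm & 0o300:
        problems.append("mode %04o: owner bits looser than 0400" % perm)
    for e in parse_keytab(data):
        if e["etype"] in WEAK:
            problems.append("%s kvno %d uses %s" % (e["principal"], e["kvno"], WEAK[e["etype"]]))
    return problems

def audit_keytab_file(path):
    with open(path, "rb") as f:
        return audit_keytab(f.read(), os.stat(path).st_mode)

# Constructed sample: one AES and one RC4 key for the same service principal (keys are made up).
SAMPLE_KEYTAB = (b"\x05\x02"
                 + build_entry("HTTP/www.example.com@EXAMPLE.COM", 1529366400, 3, 18, bytes(range(32)))
                 + build_entry("HTTP/www.example.com@EXAMPLE.COM", 1529366400, 3, 23, bytes(range(16))))
```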
"Kerberos is primarily used over internal LANs to authenticate users."
Single Sign-On (SSO)
Diagram: one SSO client authenticating once to several services.
● One authentication gives access to a group of services.
● Ticket system where long-term secrets generate short-term secrets.
Kerberos Environment

Diagram: Client (C), Service (S), Key Distribution Center (KDC) = Authentication Server (AS) + Ticket Granting Server (TGS) + database. Configuration files: krb5.conf and kdc.conf on the KDC, krb5.conf on each Kerberos client.

Install your KDC:
● create master key
● create your kerberos realm
● configuration (kdc.conf, krb5.conf)
Install Kerberos clients:
● configuration (krb5.conf)
Kerberos secrets

Diagram: Kerberos server, Kerberos clients C and S, Kerberos authentication.
1. Setup: creation of the principals in the Kerberos database
2. Provisioning: kerberos configuration and kerberos key for C and S
3. Secret deployment: deployment on each kerberos client:
● keytabs
Kerberos Workflow for Authentication

Diagram: Client (C) with its credentials cache and keytab; Key Distribution Center (KDC) with the Authentication Server (AS), the Ticket Granting Server (TGS) and the database; Service (S) with its keytab and replay cache. Session keys: TGS session key (exchange 1), Service session key (exchanges 2 and 3). Credentials: TGT, SGT.

(3) bis: the client tries to connect to the service, but the service demands Kerberos authentication and a TGS ticket.

Exchange 1, Client and Authentication Server (AS_REQUEST, AS_REPLY):
(1) clear plaintext request for a Ticket Granting Ticket (TGT), with pre-authentication (should be configured) and authenticator request
(2) user ID lookup in KDC
(3) 2 messages:
- A: TGT (encrypted by the AS secret key, principal krbtgt/*)
- B: TGS session key (encrypted by the client secret key)

Exchange 2, Client and Ticket Granting Server (TGS_REQUEST, TGS_REPLY):
(4) 3 messages:
- C: authenticator request (encrypted by the TGS session key)
- D: clear plaintext request for access to the Service
- E: TGT
(5) Service lookup in KDC
(6) 2 messages:
- F: Service session key (encrypted by the TGS session key)
- G: Ticket for Service (encrypted by the Service secret key)

Exchange 3, Client and Service (AP_REQUEST, AP_REPLY):
(7) 2 messages:
- H: authenticator request (encrypted by the Service session key)
- I: Ticket for Service (encrypted by the Service secret key)
(8) 1 message:
- J: Confirmation of Service identity (encrypted by the Service session key)
(9) Exchange messages with the Service ticket
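The three exchanges above as an added toy simulation (not code from the deck or from MIT Kerberos): the realm, principals and passwords are constructed, messages are JSON dicts instead of ASN.1, and a stdlib HMAC-based cipher stands in for the Kerberos enctypes. It shows pre-authentication at the AS, the two session keys, the service's replay cache and the mutual-authentication reply J.

```python
"""Toy model of the three Kerberos exchanges on the workflow slides: AS (1-3), TGS (4-6), AP (7-8).
Constructed for illustration: the cipher is a stdlib HMAC-SHA256 stream cipher plus tag, not a real enctype."""
import hashlib, hmac, json, os, time

SKEW = 300  # accepted clock skew in seconds (the usual 5 minute default)

def string2key(password, salt):
    # Stand-in for getKey(password, salt, encryption): the PBKDF2 step of
    # RFC 3962 with salt = REALM + principal (the final DK step is omitted).
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt.encode(), 4096, 32)

def _stream(key, nonce, n):
    blocks = [hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest() for i in range(n // 32 + 1)]
    return b"".join(blocks)[:n]

def encrypt(key, msg):
    nonce = os.urandom(16)
    data = json.dumps(msg, sort_keys=True).encode()
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        raise PermissionError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def fresh(ts):
    return abs(time.time() - ts) <= SKEW

class KDC:  # AS and TGS share one database of principal -> long-term key
    def __init__(self, realm, passwords):
        self.realm = realm
        self.db = {p: string2key(pw, realm + p) for p, pw in passwords.items()}
        self.db["krbtgt/" + realm] = os.urandom(32)  # the AS secret key that seals TGTs

    def as_exchange(self, client, preauth):
        """(1)-(3): pre-authentication proves the client knows its key before a TGT is issued."""
        kc = self.db[client]                                       # (2) user ID lookup
        if not fresh(decrypt(kc, preauth)["timestamp"]):
            raise PermissionError("pre-authentication failed")
        tgs_key = os.urandom(32).hex()
        tgt = encrypt(self.db["krbtgt/" + self.realm],             # A: TGT, opaque to the client
                      {"client": client, "key": tgs_key, "exp": time.time() + 36000})
        return tgt, encrypt(kc, {"tgs_key": tgs_key})              # B: TGS session key

    def tgs_exchange(self, authenticator, service, tgt):
        """(4)-(6): messages C, D, E in; F, G out."""
        t = decrypt(self.db["krbtgt/" + self.realm], tgt)          # E
        auth = decrypt(bytes.fromhex(t["key"]), authenticator)     # C: only the TGT holder can build it
        if t["exp"] < time.time() or auth["client"] != t["client"] or not fresh(auth["timestamp"]):
            raise PermissionError("expired TGT or bad authenticator")
        svc_key = os.urandom(32).hex()
        ticket = encrypt(self.db[service],                         # (5) service lookup, KeyError if unknown
                         {"client": t["client"], "key": svc_key, "exp": t["exp"]})
        return encrypt(bytes.fromhex(t["key"]), {"service_key": svc_key}), ticket   # F, G

class Service:  # a kerberized service: its own key (from its keytab) plus a replay cache
    def __init__(self, name, key):
        self.name, self.key, self.replay_cache = name, key, set()

    def ap_exchange(self, authenticator, ticket):
        """(7)-(8): validate H and I, then answer with J for mutual authentication."""
        t = decrypt(self.key, ticket)                              # I: only this service can open it
        sess = bytes.fromhex(t["key"])
        auth = decrypt(sess, authenticator)                        # H: proves the client has the session key
        if t["exp"] < time.time() or auth["client"] != t["client"] or not fresh(auth["timestamp"]):
            raise PermissionError("expired ticket or bad/stale authenticator")
        mark = (auth["client"], auth["timestamp"])
        if mark in self.replay_cache:                              # the same authenticator seen again
            raise PermissionError("replay detected")
        self.replay_cache.add(mark)
        return encrypt(sess, {"timestamp": auth["timestamp"]})     # J: confirms the service identity

def kinit(kdc, client, password):  # client side of exchange 1; the result is the credentials cache
    kc = string2key(password, kdc.realm + client)
    tgt, b = kdc.as_exchange(client, encrypt(kc, {"timestamp": time.time()}))
    return {"client": client, "tgt": tgt, "tgs_key": bytes.fromhex(decrypt(kc, b)["tgs_key"])}

def get_service_ticket(kdc, cc, service):  # client side of exchange 2: (service session key, ticket)
    c = encrypt(cc["tgs_key"], {"client": cc["client"], "timestamp": time.time()})
    f, g = kdc.tgs_exchange(c, service, cc["tgt"])
    return bytes.fromhex(decrypt(cc["tgs_key"], f)["service_key"]), g

def rejected(action):
    try:
        action()
        return False
    except PermissionError:
        return True

def demo():  # full flow with constructed principals; returns the checks that matter
    kdc = KDC("EXAMPLE.COM", {"alice": "correct horse", "HTTP/www.example.com": "keytab-secret"})
    svc = Service("HTTP/www.example.com", kdc.db["HTTP/www.example.com"])  # key as deployed in a keytab
    cc = kinit(kdc, "alice", "correct horse")
    sess, ticket = get_service_ticket(kdc, cc, svc.name)
    h = encrypt(sess, {"client": "alice", "timestamp": time.time()})
    j = decrypt(sess, svc.ap_exchange(h, ticket))                  # exchange 3 succeeds once
    return {"mutual_auth_ok": j["timestamp"] == decrypt(sess, h)["timestamp"],
            "replay_rejected": rejected(lambda: svc.ap_exchange(h, ticket)),
            "wrong_password_rejected": rejected(lambda: kinit(kdc, "alice", "wrong"))}
```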
Kerberos Realm and Trust for Authorization

User Principal Name (UPN): user@REALM
An entity performing client requests to some service. Human or machine.

Service Principal Name (SPN): service/fqdn@REALM
An entity processing requests for a specific service (HTTP, LDAP, SSH ...). Machine only.

Trust unilateral: REALM A → REALM B
Trust bilateral: REALM B ←→ REALM C
Kerberos Monitoring @Criteo

Diagram: a Kerberos probe (health checks, basic metrics on TGT and TGS) exported through the collectd/kerberos exporter and the Blackbox exporter to Prometheus, with targets discovered through Consul; a Grafana dashboard for visualisation; Alertmanager notifying by email, PagerDuty and Slack; logs shipped by Rsyslog to Elasticsearch and viewed in Kibana; network traces with Wireshark.

Kerberos server ports: krb5kdc:88, kadmind:749, kpasswd:464, kpropd:754
Technical Stack around Kerberos @Criteo

Technical Stack:
● Discovery: DNS + Consul
● Clock synchronisation: NTP
● Backup: Storage
● Log Analysis: Rsyslog + ES + Kibana
● Monitoring & Alerting: Prometheus + Grafana + Graphite
● Secret Management: chef-vault + vault
● Infrastructure Automation: Chef server

Diagram, Kerberos server side: Kerberos servers with native or LDAP Kerberos databases, Chef server, Consul. Kerberos client side: service users and physical users (UPN) and kerberized services (SPN), each host running a chef client (secret deployment) and an ntp client (clock synchronisation), with discovery through DNS and Consul.
Discovery and DNS

Diagram: Kerberos clients, domain name resolution (round robin with SRV records), reverse resolution with PTR records, connection attempt, establish Kerberos communication; the TGT is sent in the TGS_REQUEST and the SGT is returned in the TGS_REPLY.
Implemented HTTP SSO with Kerberos

Diagram: SSO client → proxy → applications: IIS on Windows; controller and filter on Linux. Flows: human to machine and machine to machine.
Kerberos for your application in Java

Client application (client side): user.keytab, krb5.conf, .java.login.config → JAAS (Krb5LoginModule) → GSS-API/SASL → Kerberos / SPNEGO
Server application (server side): service.keytab, krb5.conf, .java.login.config → JAAS (Krb5LoginModule) → GSS-API/SASL → Kerberos / SPNEGO
The two sides establish Kerberos communication.

SASL: Simple Authentication and Security Layer
SPNEGO: Simple and Protected GSS-API Negotiation Mechanism
JAAS: Java Authentication and Authorization Service
GSS-API: Generic Security Service Application Program Interface
Demo Time

● wireshark
● Kerberos Servers: kerberos-docker
● Apache2: http
● Mongo: mongodb
● OpenSSH: ssh + delegation
● keytab, kinit -R, kinit -k keytab, klist, login/password, credentials cache in the file system
● Java client and Java server over a socket, credentials cache in JVM memory

Wouff…
It is the end!
References

Learn Kerberos authentication
● Tutorial Kerberos
○ https://www.kerberos.org/software/tutorial.html
● The MIT Kerberos Administrator’s How-to Guide
○ https://www.kerberos.org/software/adminkerberos.pdf
● Best Practices for Integrating Kerberos into Your Application
○ https://www.kerberos.org/software/appskerberos.pdf
● Why is Kerberos a credible security solution?
○ https://www.kerberos.org/software/whykerberos.pdf
● Kerberos database can be OpenLDAP
○ https://www.openldap.org
● Kerberos: The Definitive Guide O’Reilly
○ http://shop.oreilly.com/product/9780596004033.do
Kerberos for GAFA
● Google
○ Google Search Appliance uses Kerberos
■ https://support.google.com/gsa/answer/6055202?hl=en
● Apple
○ Authentication and Identification In Depth
○ https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Authentication/Authentication.html
● Facebook
○ https://developers.facebook.com/docs/workplace/authentication/sso (No public found references)
● Amazon
○ Use Kerberos Authentication
■ https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-kerberos.html
Kerberos implementation
● MIT: MIT Kerberos
○ http://web.mit.edu/kerberos
○ What is Kerberos?
■ http://web.mit.edu/kerberos/www/#what_is
○ MIT Kerberos Consortium
■ http://kerberos.org/software/
○ Source code:
■ GitHub:
● Microsoft: Active Directory
○ https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview
○ What is Kerberos Authentication?
■ https://technet.microsoft.com/pt-pt/library/cc780469(v=ws.10).aspx
○ Microsoft Kerberos
■ https://msdn.microsoft.com/en-us/library/windows/desktop/aa378747(v=vs.85).aspx
● Heimdal: Heimdal Kerberos
○ https://www.h5l.org
○ What is Heimdal/Kerberos?
■ https://github.com/heimdal/heimdal/wiki
○ Source code:
■ Github: https://github.com/heimdal/heimdal/releases
There are other KDC client/server implementations, such as Apache Kerby, which can run a KDC "in memory" in Java:
● https://github.com/apache/directory-kerby
Single Sign On with Kerberos and SPNEGO
● Microsoft: HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol
○ https://msdn.microsoft.com/en-us/library/ms995329.aspx
● IBM: Single sign-on for HTTP requests using SPNEGO web authentication in Websphere application
○ https://www.ibm.com/support/knowledgecenter/en/SSD28V_9.0.0/com.ibm.websphere.wlp.core.doc/ae/cwlp_spnego.html
○ https://www.ibm.com/support/knowledgecenter/SS7JFU_8.5.5/com.ibm.websphere.express.doc/ae/csec_SPNEGO_explain.html#csec_SPNEGO_explain__SPNEGOkerb
● SAP: Single Sign-On: Authenticate with Kerberos/SPNEGO
○ https://blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/
Operating system Linux and Kerberos
● RedHat (and CentOS): Using Kerberos
○ https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/using_kerberos
● Ubuntu: Kerberos
○ https://help.ubuntu.com/lts/serverguide/kerberos.html.en
● Arch Linux: Kerberos
○ https://wiki.archlinux.org/index.php/Kerberos
● Fedora
○ https://fedoraproject.org/wiki/Infrastructure/Kerberos
(macOS and Windows are not covered; this presentation is Linux only.)
Kerberos in Java
● Oracle (and Sun): Single Sign-on Using Kerberos in Java
○ https://docs.oracle.com/javase/10/security/single-sign-using-kerberos-java1.htm
● OpenJDK:
○
● Apache:
○ Apache Kerby:
■ http://directory.apache.org/kerby/
■ source code:
● Github: https://github.com/apache/directory-kerby
○ Hadoop:
■ Hadoop in Secure Mode
● https://hadoop.apache.org/docs/r3.0.0/hadoop-project-dist/hadoop-common/SecureMode.html
■ source code:
● GitHub:
https://github.com/apache/hadoop-common/tree/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security
● Java Server
○ Tomcat
■ https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
○ Jetty
■ http://www.eclipse.org/jetty/documentation/current/spnego-support.html
○ Jboss
■ https://developer.jboss.org/wiki/HowToImplementKerberosAuthenticationWithASimpleRESTWebApp
○ Spring
■ https://spring.io/projects/spring-security-kerberos#overview
Kerberos in Python
● Apple:
○ https://github.com/apple/ccs-pykerberos
● Requests:
○ https://github.com/requests/requests-kerberos
● Python GSSAPI
○ https://github.com/pythongssapi
Kerberos with Proxy/Reverse Proxy
● Apache2
○ mod_auth_gssapi
■ https://github.com/modauthgssapi/mod_auth_gssapi
○ mod_auth_kerb
■ http://modauthkerb.sourceforge.net
○ mod_authnz_ldap
■ http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
● NGINX
○ https://www.nginx.com/blog/nginx-plus-authenticate-users/
● HaProxy
○ https://www.haproxy.com/documentation/aloha/9-5/packetshield/sso/
Kerberos and LDAP
● OpenLDAP:
○ https://www.openldap.org
● Microsoft:
○ https://msdn.microsoft.com/en-us/library/aa367008(v=vs.85).aspx
● Ubuntu:
○ https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html.en
○ https://help.ubuntu.com/lts/serverguide/openldap-server.html.en
● MIT:
○ https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html
Kerberos with Wireshark and Tshark
● https://wiki.wireshark.org/Kerberos
● https://www.wireshark.org/docs/man-pages/tshark.html
Kerberos is different
● Kerberos vs SSL/TLS
○ https://www.secureblackbox.com/kb/articles/6-Kerberos.rst
● Kerberos vs SPNEGO
○ https://developer.ibm.com/answers/questions/246107/what-is-the-difference-between-kerberos-and-spnego/
Kerberos GSS-API
● GNU Generic Security:
○ https://www.gnu.org/software/gss/manual/gss.html#GSS_002dAPI-Overview
● Oracle:
○ https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/index.html
Kerberos and RFCs
● RFC 1510 The Kerberos Network Authentication Service (V5) [Obsolete]
● RFC 1964 The Kerberos Version 5 GSS-API Mechanism
● RFC 3961 Encryption and Checksum Specifications for Kerberos 5
● RFC 3962 Advanced Encryption Standard (AES) Encryption for Kerberos 5
● RFC 4120 The Kerberos Network Authentication Service (V5) [Current]
● RFC 4121 The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2
● RFC 4537 Kerberos Cryptosystem Negotiation Extension
● RFC 4556 Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
● RFC 4557 Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
● RFC 4757 The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows [Obsolete]
● RFC 5021 Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges over TCP
● RFC 5349 Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
● RFC 5868 Problem Statement on the Cross-Realm Operation of Kerberos
● RFC 5896 Generic Security Service Application Program Interface (GSS-API): Delegate if Approved by Policy
● RFC 6111 Additional Kerberos Naming Constraints
● RFC 6112 Anonymity Support for Kerberos
● RFC 6113 A Generalized Framework for Kerberos Pre-Authentication
● RFC 6251 Using Kerberos Version 5 over the Transport Layer Security (TLS) Protocol
● RFC 6448 The Unencrypted Form of Kerberos 5 KRB-CRED Message
● RFC 6542 Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Channel Binding Hash Agility
● RFC 6560 One-Time Password (OTP) Pre-Authentication
● RFC 6649 Deprecate DES, RC4-HMAC-EXP, and Other Weak Cryptographic Algorithms in Kerberos
● RFC 6784 Kerberos Options for DHCPv6
● RFC 6803 Camellia Encryption for Kerberos 5
● RFC 6806 Kerberos Principal Name Canonicalization and Cross-Realm Referrals
● RFC 6880 An Information Model for Kerberos Version 5
See https://en.wikipedia.org/wiki/Kerberos_(protocol) and https://datatracker.ietf.org/doc/search/?name=Kerberos&sort=&rfcs=on

More Related Content

What's hot

숨겨진 마이크로서비스: 초고속 응답과 고가용성을 위한 캐시 서비스 디자인
숨겨진 마이크로서비스: 초고속 응답과 고가용성을 위한 캐시 서비스 디자인숨겨진 마이크로서비스: 초고속 응답과 고가용성을 위한 캐시 서비스 디자인
숨겨진 마이크로서비스: 초고속 응답과 고가용성을 위한 캐시 서비스 디자인
VMware Tanzu Korea
 
Inside Financial Markets
Inside Financial MarketsInside Financial Markets
Inside Financial Markets
Khader Shaik
 

What's hot (20)

Kafka internals
Kafka internalsKafka internals
Kafka internals
 
Fluent Bit
Fluent BitFluent Bit
Fluent Bit
 
Keycloak SSO basics
Keycloak SSO basicsKeycloak SSO basics
Keycloak SSO basics
 
モノリスからマイクロサービスへの移行 ~ストラングラーパターンの検証~(Spring Fest 2020講演資料)
モノリスからマイクロサービスへの移行 ~ストラングラーパターンの検証~(Spring Fest 2020講演資料)モノリスからマイクロサービスへの移行 ~ストラングラーパターンの検証~(Spring Fest 2020講演資料)
モノリスからマイクロサービスへの移行 ~ストラングラーパターンの検証~(Spring Fest 2020講演資料)
 
Stream Processing with Flink and Stream Sharing
Stream Processing with Flink and Stream SharingStream Processing with Flink and Stream Sharing
Stream Processing with Flink and Stream Sharing
 
How Uber scaled its Real Time Infrastructure to Trillion events per day
How Uber scaled its Real Time Infrastructure to Trillion events per dayHow Uber scaled its Real Time Infrastructure to Trillion events per day
How Uber scaled its Real Time Infrastructure to Trillion events per day
 
Aggregating API Services with an API Gateway (BFF)
Aggregating API Services with an API Gateway (BFF)Aggregating API Services with an API Gateway (BFF)
Aggregating API Services with an API Gateway (BFF)
 
Neo4j in Depth
Neo4j in DepthNeo4j in Depth
Neo4j in Depth
 
숨겨진 마이크로서비스: 초고속 응답과 고가용성을 위한 캐시 서비스 디자인
숨겨진 마이크로서비스: 초고속 응답과 고가용성을 위한 캐시 서비스 디자인숨겨진 마이크로서비스: 초고속 응답과 고가용성을 위한 캐시 서비스 디자인
숨겨진 마이크로서비스: 초고속 응답과 고가용성을 위한 캐시 서비스 디자인
 
Elastic-Engineering
Elastic-EngineeringElastic-Engineering
Elastic-Engineering
 
Distributed Tracing for Kafka with OpenTelemetry with Daniel Kim | Kafka Summ...
Distributed Tracing for Kafka with OpenTelemetry with Daniel Kim | Kafka Summ...Distributed Tracing for Kafka with OpenTelemetry with Daniel Kim | Kafka Summ...
Distributed Tracing for Kafka with OpenTelemetry with Daniel Kim | Kafka Summ...
 
Github Actions and Terraform.pdf
Github Actions and Terraform.pdfGithub Actions and Terraform.pdf
Github Actions and Terraform.pdf
 
Architecting ASP.NET Core Microservices Applications on AWS (WIN401) - AWS re...
Architecting ASP.NET Core Microservices Applications on AWS (WIN401) - AWS re...Architecting ASP.NET Core Microservices Applications on AWS (WIN401) - AWS re...
Architecting ASP.NET Core Microservices Applications on AWS (WIN401) - AWS re...
 
Elastic Stack 을 이용한 게임 서비스 통합 로깅 플랫폼 - elastic{on} 2019 Seoul
Elastic Stack 을 이용한 게임 서비스 통합 로깅 플랫폼 - elastic{on} 2019 SeoulElastic Stack 을 이용한 게임 서비스 통합 로깅 플랫폼 - elastic{on} 2019 Seoul
Elastic Stack 을 이용한 게임 서비스 통합 로깅 플랫폼 - elastic{on} 2019 Seoul
 
Inside Financial Markets
Inside Financial MarketsInside Financial Markets
Inside Financial Markets
 
Simplify DevOps with Microservices and Mobile Backends.pptx
Simplify DevOps with Microservices and Mobile Backends.pptxSimplify DevOps with Microservices and Mobile Backends.pptx
Simplify DevOps with Microservices and Mobile Backends.pptx
 
Kafka on Kubernetes: Keeping It Simple (Nikki Thean, Etsy) Kafka Summit SF 2019
Kafka on Kubernetes: Keeping It Simple (Nikki Thean, Etsy) Kafka Summit SF 2019Kafka on Kubernetes: Keeping It Simple (Nikki Thean, Etsy) Kafka Summit SF 2019
Kafka on Kubernetes: Keeping It Simple (Nikki Thean, Etsy) Kafka Summit SF 2019
 
Neo4j Training Series - Spring Data Neo4j
Neo4j Training Series - Spring Data Neo4jNeo4j Training Series - Spring Data Neo4j
Neo4j Training Series - Spring Data Neo4j
 
Apache Kafka’s Transactions in the Wild! Developing an exactly-once KafkaSink...
Apache Kafka’s Transactions in the Wild! Developing an exactly-once KafkaSink...Apache Kafka’s Transactions in the Wild! Developing an exactly-once KafkaSink...
Apache Kafka’s Transactions in the Wild! Developing an exactly-once KafkaSink...
 
How to Avoid Common Mistakes When Using Reactor Netty
How to Avoid Common Mistakes When Using Reactor NettyHow to Avoid Common Mistakes When Using Reactor Netty
How to Avoid Common Mistakes When Using Reactor Netty
 

Similar to MeetUp: Kerberos - Protocol for Authentication & Authorization @Criteo

Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Shakacon
 

Similar to MeetUp: Kerberos - Protocol for Authentication & Authorization @Criteo (20)

GitOps - Operation By Pull Request
GitOps - Operation By Pull RequestGitOps - Operation By Pull Request
GitOps - Operation By Pull Request
 
Empower Your Security Practitioners with Elastic SIEM
Empower Your Security Practitioners with Elastic SIEMEmpower Your Security Practitioners with Elastic SIEM
Empower Your Security Practitioners with Elastic SIEM
 
Adobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES SecurityAdobe PDF and LiveCycle ES Security
Adobe PDF and LiveCycle ES Security
 
Is It Safe? Security Hardening for Databases Using Kubernetes Operators
Is It Safe? Security Hardening for Databases Using Kubernetes OperatorsIs It Safe? Security Hardening for Databases Using Kubernetes Operators
Is It Safe? Security Hardening for Databases Using Kubernetes Operators
 
Cilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPFCilium - API-aware Networking and Security for Containers based on BPF
Cilium - API-aware Networking and Security for Containers based on BPF
 
Cloud Native 下的應用網路設計
Cloud Native 下的應用網路設計Cloud Native 下的應用網路設計
Cloud Native 下的應用網路設計
 
Active Directory Recon 101
Active Directory Recon 101Active Directory Recon 101
Active Directory Recon 101
 
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
Hyperledger Fabric - Blockchain for the Enterprise - FOSDEM 20190203
 
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
Red vs Blue- Modern Atice Directory Attacks, Detection & Protection by Sean M...
 
Cilium:: Application-Aware Microservices via BPF
Cilium:: Application-Aware Microservices via BPFCilium:: Application-Aware Microservices via BPF
Cilium:: Application-Aware Microservices via BPF
 
HITCON Defense Summit 2019 - 從 SAST 談持續式資安測試
HITCON Defense Summit 2019 - 從 SAST 談持續式資安測試HITCON Defense Summit 2019 - 從 SAST 談持續式資安測試
HITCON Defense Summit 2019 - 從 SAST 談持續式資安測試
 
Kubernetes deployment on bare metal with container linux
Kubernetes deployment on bare metal with container linuxKubernetes deployment on bare metal with container linux
Kubernetes deployment on bare metal with container linux
 
使用 Prometheus 監控 Kubernetes Cluster
使用 Prometheus 監控 Kubernetes Cluster 使用 Prometheus 監控 Kubernetes Cluster
使用 Prometheus 監控 Kubernetes Cluster
 
chaitraresume
chaitraresumechaitraresume
chaitraresume
 
Kubernetes Monitoring & Best Practices
Kubernetes Monitoring & Best PracticesKubernetes Monitoring & Best Practices
Kubernetes Monitoring & Best Practices
 
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defenseDEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
DEF CON 23 - Sean - metcalf - red vs blue ad attack and defense
 
CodeCamp Iasi - Creating serverless data analytics system on GCP using BigQuery
CodeCamp Iasi - Creating serverless data analytics system on GCP using BigQueryCodeCamp Iasi - Creating serverless data analytics system on GCP using BigQuery
CodeCamp Iasi - Creating serverless data analytics system on GCP using BigQuery
 
Road to Cloud Native Orchestration
Road to Cloud Native Orchestration Road to Cloud Native Orchestration
Road to Cloud Native Orchestration
 
Running Kubernetes with Amazon EKS - AWS Online Tech Talks
Running Kubernetes with Amazon EKS - AWS Online Tech TalksRunning Kubernetes with Amazon EKS - AWS Online Tech Talks
Running Kubernetes with Amazon EKS - AWS Online Tech Talks
 
Securing Prometheus. Lessons Learned from OpenShift.pdf
Securing Prometheus. Lessons Learned from OpenShift.pdfSecuring Prometheus. Lessons Learned from OpenShift.pdf
Securing Prometheus. Lessons Learned from OpenShift.pdf
 

Recently uploaded

Hospital management system project report.pdf
Hospital management system project report.pdfHospital management system project report.pdf
Hospital management system project report.pdf
Kamal Acharya
 
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
AldoGarca30
 
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments""Lesotho Leaps Forward: A Chronicle of Transformative Developments"
"Lesotho Leaps Forward: A Chronicle of Transformative Developments"
mphochane1998
 
Integrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - NeometrixIntegrated Test Rig For HTFE-25 - Neometrix
Integrated Test Rig For HTFE-25 - Neometrix
Neometrix_Engineering_Pvt_Ltd
 

Recently uploaded (20)

NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...
NO1 Top No1 Amil Baba In Azad Kashmir, Kashmir Black Magic Specialist Expert ...
 
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
COST-EFFETIVE  and Energy Efficient BUILDINGS ptxCOST-EFFETIVE  and Energy Efficient BUILDINGS ptx
COST-EFFETIVE and Energy Efficient BUILDINGS ptx
 
A Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna MunicipalityA Study of Urban Area Plan for Pabna Municipality
A Study of Urban Area Plan for Pabna Municipality
 
Learn the concepts of Thermodynamics on Magic Marks
Learn the concepts of Thermodynamics on Magic MarksLearn the concepts of Thermodynamics on Magic Marks
Learn the concepts of Thermodynamics on Magic Marks
 
Jaipur ❤CALL GIRL 0000000000❤CALL GIRLS IN Jaipur ESCORT SERVICE❤CALL GIRL IN...
Jaipur ❤CALL GIRL 0000000000❤CALL GIRLS IN Jaipur ESCORT SERVICE❤CALL GIRL IN...Jaipur ❤CALL GIRL 0000000000❤CALL GIRLS IN Jaipur ESCORT SERVICE❤CALL GIRL IN...
Jaipur ❤CALL GIRL 0000000000❤CALL GIRLS IN Jaipur ESCORT SERVICE❤CALL GIRL IN...
 
Employee leave management system project.
Employee leave management system project.Employee leave management system project.
Employee leave management system project.
 
Hospital management system project report.pdf
Hospital management system project report.pdfHospital management system project report.pdf
Hospital management system project report.pdf
 
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
1_Introduction + EAM Vocabulary + how to navigate in EAM.pdf
 
Online electricity billing project report..pdf

MeetUp: Kerberos - Protocol for Authentication & Authorization @Criteo

  • 1. Kerberos - Protocol for Authentication & Authorization Gilles LEGOUX, DevOps Engineer @Criteo - SRE CORE IDM team - June 19th, 2018 for MeetUp (Cyber)Security for Software Engineers MIT Kerberos
  • 2. Identity Management
    Implementation / OS (Linux, Windows, MacOS):
    ● MIT Kerberos
    ● Active Directory
    ● Heimdal
    MIT Kerberos: where? MIT
    MIT Kerberos is a project written in C since the 1980s.
    Open Source and Free: https://github.com/krb5/krb5
    Last release: 1.16.1 (2018-05-03)
    MIT License
    Official Website | Tutorial | Documentation | Guide
    Distribution | Release Linux | Historic
    RFC | CVE | FAQ
    MIT Kerberos
    Kerberos (V5) is a network authentication and authorization protocol with several implementations.
    "Kerberos allows to secure communications on untrusted networks but where each node is trusted"
  • 3. Identity Management - Kerberos Features
    Features
    ● Kerberos is in place, mature, stable and performant, built on symmetric keys
    ● Mutual authentication, integrity and confidentiality of communication
    ● Protected against eavesdropping and replay attacks
    ● No exposed passwords: a password should never be exposed during authentication (no password in code, in network calls or in logs ...)
    ● Not only HTTP: it can secure other communication channels (SSH, login, ...)
    ● Largely implemented in each service (client and kerberized server) and in libraries for kerberized services
    Kerberos secret = Metadata + Kerberos key
    Metadata = [ kvno, issue time, encryption, principal ]
    Kerberos key = getKey(password, salt, encryption)
    Keytabs = container(Kerberos key with Metadata), stored in a binary file with the right permissions (owner +0400) and not encrypted.
    Authenticator = { PrincipalClient, Timestamp }KClient
    Ticket-Granting Ticket (TGT) = authentication credential
    Service Ticket-Granting (SGT) = authorization credential
    Principal = Kerberos entity (User or Service Principal Name)
    "Kerberos is primarily used over internal LANs to authenticate users."
    Single Sign-On (SSO): SSO client → service, service, service
    ● One authentication to access a group of services.
    ● Ticket system where long-term secrets generate short-term secrets.
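The keytab layout the slide describes (principal, kvno, issue time, encryption type and the key itself, in an unencrypted binary file that must be owner-read-only), as an added example that is not code from the talk or from MIT Kerberos: a parser and writer for the MIT keytab file format (version 0x0502) using only the Python standard library, plus a permission check a deployment tool would run after dropping a keytab on a client. The realm, principals and key bytes are constructed; the keys are random bytes rather than the output of string-to-key, so the file is only a format sample.

```python
"""Parse and write MIT-format keytabs (version 0x0502) and check file permissions.
Added example, not code from the talk or from MIT Kerberos. The sample keytab
built in demo() is constructed: random key bytes, made-up principals."""
import os
import stat
import struct
import tempfile
import time

# Encryption type numbers as registered for RFC 3961/3962 and RFC 4757.
ENCTYPE_NAMES = {17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "rc4-hmac"}
KRB5_NT_PRINCIPAL = 1  # name type used for ordinary user and service principals


def _counted(buf, off):
    """Read a 16-bit big-endian length-prefixed octet string; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">H", buf, off)
    return buf[off + 2:off + 2 + n], off + 2 + n


def parse_keytab(data):
    """Return the entries of a keytab as dicts: principal, name_type, kvno, timestamp, enctype, key."""
    if data[:2] != b"\x05\x02":
        raise ValueError("not a version 0x0502 keytab")
    entries, off = [], 2
    while off + 4 <= len(data):
        (size,) = struct.unpack_from(">i", data, off)  # signed: a negative size marks a deleted slot
        off += 4
        if size < 0:
            off += -size
            continue
        end = off + size
        (ncomp,) = struct.unpack_from(">H", data, off)
        off += 2
        realm, off = _counted(data, off)
        comps = []
        for _ in range(ncomp):
            c, off = _counted(data, off)
            comps.append(c.decode())
        name_type, ts, vno8 = struct.unpack_from(">IIB", data, off)
        off += 9
        (enctype,) = struct.unpack_from(">H", data, off)
        off += 2
        key, off = _counted(data, off)
        kvno = vno8
        if end - off >= 4:  # optional 32-bit kvno; used when present and non-zero
            (vno32,) = struct.unpack_from(">I", data, off)
            if vno32:
                kvno = vno32
        entries.append({"principal": "/".join(comps) + "@" + realm.decode(), "name_type": name_type,
                        "kvno": kvno, "timestamp": ts,
                        "enctype": ENCTYPE_NAMES.get(enctype, str(enctype)), "key": key})
        off = end
    return entries


def build_entry(realm, components, kvno, enctype, key, ts, name_type=KRB5_NT_PRINCIPAL):
    """Serialise one keytab entry (the metadata plus the key), 32-bit kvno included."""
    body = struct.pack(">HH", len(components), len(realm)) + realm.encode()
    for c in components:
        body += struct.pack(">H", len(c)) + c.encode()
    body += struct.pack(">IIB", name_type, ts, kvno & 0xFF)
    body += struct.pack(">HH", enctype, len(key)) + key
    body += struct.pack(">I", kvno)
    return struct.pack(">i", len(body)) + body


def build_keytab(entries):
    return b"\x05\x02" + b"".join(build_entry(**e) for e in entries)


def keytab_permission_problems(path, expected_uid=None):
    """Findings for a keytab on disk: it is a long-term secret, so nobody but the owner may read it."""
    st = os.stat(path)
    mode = stat.S_IMODE(st.st_mode)
    problems = []
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append("accessible by group or others (mode %o), expected 0400" % mode)
    if expected_uid is not None and st.st_uid != expected_uid:
        problems.append("owned by uid %d, expected uid %d" % (st.st_uid, expected_uid))
    return problems


def demo():
    """Write a constructed two-entry keytab with mode 0400, parse it back and check it."""
    now = int(time.time())
    sample = build_keytab([
        {"realm": "EXAMPLE.COM", "components": ["HTTP", "web01.example.com"],  # constructed SPN
         "kvno": 3, "enctype": 18, "key": os.urandom(32), "ts": now},
        {"realm": "EXAMPLE.COM", "components": ["svc-batch"],  # constructed UPN
         "kvno": 1, "enctype": 17, "key": os.urandom(16), "ts": now},
    ])
    fd, path = tempfile.mkstemp(suffix=".keytab")
    with os.fdopen(fd, "wb") as f:
        f.write(sample)
    os.chmod(path, 0o400)
    try:
        with open(path, "rb") as f:
            entries = parse_keytab(f.read())
        return entries, keytab_permission_problems(path, os.getuid())
    finally:
        os.remove(path)
```

The 8-bit kvno field wraps at 256, which is why the parser prefers the trailing 32-bit kvno when the entry carries one; a deployment that rotates keys often will hit that case. The permission check only looks at mode bits and owner, which is what the slide's "owner +0400" asks for; it does not (and cannot) tell whether the key bytes were already copied elsewhere.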
  • 4. Identity Management - Kerberos Environment
    Actors: Client (C), Service (S), Authentication Server (AS), Ticket Granting Server (TGS), Key Distribution Center (KDC) with its database.
    Kerberos Server: the KDC (AS, TGS). Kerberos clients: C and S.
    1. Setup
      Install your KDC (krb5.conf, kdc.conf):
      ● create master key
      ● create your kerberos realm
      ● configuration
      Install Kerberos clients (krb5.conf):
      ● configuration
    2. Provisioning
      Creation of principals in the Kerberos database (kerberos configuration, kerberos key) for C and S.
    3. Secret deployment
      Deployment on each kerberos client (C, S):
      ● keytabs (Kerberos secrets)
  • 5. Identity Management - Kerberos Workflow for Authentication
    Actors: Client (C) with a credentials cache, Service (S) with a keytab and a replay cache, Authentication Server (AS), Ticket Granting Server (TGS), Key Distribution Center (KDC) with its database. Kerberos secrets: the keytab on the service; the TGT and SGT in the client credentials cache.
    (3)bis Try to connect to the service, but it reclaims Kerberos authentication and a TGS ticket.
    1. Client and Authentication Server (AS_REQUEST, AS_REPLY) → TGS session
      (1). clear plaintext request for a Ticket Granting Ticket (TGT) with pre-authentication (should be configured) and authenticator request
      (2). user ID lookup in KDC
      (3). 2 messages:
        - A: TGT (encrypted by AS secret key, principal krbtgt/*)
        - B: TGS session key (encrypted by client secret key)
    2. Client and Ticket Granting Server (TGS_REQUEST, TGS_REPLY) → Service session
      (4). 3 messages:
        - C: authenticator request (encrypted by TGS Session Key)
        - D: clear plaintext request for access to Service
        - E: TGT
      (5). Service lookup in KDC
      (6). 2 messages:
        - F: Service Session Key (encrypted by TGS Session Key)
        - G: Ticket for Service (encrypted by Service Secret Key)
    3. Client and Service (AP_REQUEST, AP_REPLY) → Service session
      (7). 2 messages:
        - H: authenticator request (encrypted by Service Session Key)
        - I: Ticket for Service (encrypted by Service Secret Key)
      (8). 1 message:
        - J: Confirmation of Service identity (encrypted by Service Session Key)
      (9). Exchange messages with Service Ticket
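The three exchanges of the slide (AS, TGS, AP) run end to end, as an added example that is not code from the talk or from any Kerberos implementation: a simulated KDC, client and service pass messages A to J between them, each message sealed under the key the slide names for it, and the service's replay cache rejects a second presentation of the same authenticator. The cipher is a toy encrypt-then-MAC built from HMAC-SHA256 (not an RFC 3961 enctype), the realm and principal names are constructed, and the client key is a plain hash standing in for string-to-key; what the example shows is which party can open which message, and why the authenticator's timestamp plus the replay cache matter.

```python
"""Simulation of the AS, TGS and AP exchanges with a toy cipher.
Added example; not code from the talk or from MIT Kerberos. The cipher,
realm, principals and key derivation are all constructed for illustration."""
import hashlib
import hmac
import json
import os
import time

SKEW = 300  # seconds of clock skew tolerated (the common default, assumed here)


def _keystream(key, nonce, n):
    out = b""
    for i in range((n + 31) // 32):
        out += hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]


def encrypt(key, obj):
    """Toy encrypt-then-MAC of a JSON-serialisable dict: nonce || ciphertext || tag."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key, blob):
    """Verify the tag first; a wrong key or a modified message is rejected before decryption."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


class KDC:
    """AS and TGS together; db maps each principal to its long-term key (the Kerberos database)."""

    def __init__(self, db, realm):
        self.db = db
        self.krbtgt = db["krbtgt/%s@%s" % (realm, realm)]

    def as_exchange(self, client, preauth, now):
        k_client = self.db[client]                       # (2) user lookup
        ts = decrypt(k_client, preauth)["ts"]            # (1) pre-auth: timestamp under the client key
        if abs(ts - now) > SKEW:
            raise ValueError("pre-authentication timestamp outside skew")
        tgs_key = os.urandom(32)
        tgt = encrypt(self.krbtgt, {"client": client, "key": tgs_key.hex(), "exp": now + 36000})  # A
        return tgt, encrypt(k_client, {"key": tgs_key.hex()})                                      # B

    def tgs_exchange(self, tgt, authenticator, service, now):
        t = decrypt(self.krbtgt, tgt)                    # E: only the KDC can open the TGT
        tgs_key = bytes.fromhex(t["key"])
        auth = decrypt(tgs_key, authenticator)           # C
        if auth["client"] != t["client"] or abs(auth["ts"] - now) > SKEW or t["exp"] < now:
            raise ValueError("bad authenticator or expired TGT")
        svc_key = os.urandom(32)                         # (5) service lookup happens in self.db[service]
        ticket = encrypt(self.db[service], {"client": t["client"], "key": svc_key.hex(), "exp": now + 36000})  # G
        return encrypt(tgs_key, {"key": svc_key.hex()}), ticket                                     # F


class Service:
    def __init__(self, key):
        self.key, self.replay_cache = key, set()

    def ap_exchange(self, ticket, authenticator, now):
        t = decrypt(self.key, ticket)                    # I: opened with the service's keytab key
        svc_key = bytes.fromhex(t["key"])
        auth = decrypt(svc_key, authenticator)           # H
        if auth["client"] != t["client"] or abs(auth["ts"] - now) > SKEW or t["exp"] < now:
            raise ValueError("bad authenticator or expired service ticket")
        rc_key = (auth["client"], auth["ts"])            # replay cache: same authenticator twice is refused
        if rc_key in self.replay_cache:
            raise ValueError("replayed authenticator")
        self.replay_cache.add(rc_key)
        return encrypt(svc_key, {"ts": auth["ts"]})      # J: proves the service holds the ticket key


def run_scenario():
    """Full login: returns whether mutual auth succeeded and whether a replay was rejected."""
    now, realm = int(time.time()), "EXAMPLE.COM"
    client, service = "alice@" + realm, "HTTP/web01.example.com@" + realm            # constructed names
    k_alice = hashlib.sha256(b"alice-password" + realm.encode() + b"alice").digest()  # stand-in for string-to-key
    db = {client: k_alice, service: os.urandom(32), "krbtgt/%s@%s" % (realm, realm): os.urandom(32)}
    kdc, svc = KDC(db, realm), Service(db[service])
    tgt, reply = kdc.as_exchange(client, encrypt(k_alice, {"ts": now}), now)
    tgs_key = bytes.fromhex(decrypt(k_alice, reply)["key"])  # client opens B, never A
    enc_part, ticket = kdc.tgs_exchange(tgt, encrypt(tgs_key, {"client": client, "ts": now}), service, now)
    svc_key = bytes.fromhex(decrypt(tgs_key, enc_part)["key"])
    auth = encrypt(svc_key, {"client": client, "ts": now})
    mutual = decrypt(svc_key, svc.ap_exchange(ticket, auth, now))["ts"] == now
    try:
        svc.ap_exchange(ticket, auth, now)               # same H and I again: must be refused
        replayed = False
    except ValueError:
        replayed = True
    return {"mutual_auth": mutual, "replay_rejected": replayed}
```

The point of the key bookkeeping: the client's long-term key is used exactly once (to open B), the service's keytab key never leaves the service, and every later message is protected by a short-lived session key, which is the "long-term secrets generate short-term secrets" property from the features slide. A real replay cache is bounded by the skew window (entries older than SKEW can be dropped, since the timestamp check already rejects them), which this example leaves unbounded for brevity.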
  • 6. Identity Management - Kerberos Realm and Trust for Authorization
    User Principal Name (UPN): user@REALM
    UPN: An entity performing client requests to some service. Human or machine.
    Service Principal Name (SPN): service/fqdn@REALM
    SPN: An entity processing requests for a specific service (HTTP, LDAP, SSH ...). Machine only.
    Trust unilateral: REALM A → REALM B
    Trust bilateral: REALM B ←→ REALM C
  • 7. Identity Management - Kerberos Monitoring @Criteo
    Kerberos daemons and ports: krb5kdc:88, kadmind:749, kpasswd:464, kpropd:754
    Health checks: Kerberos Probe, Blackbox exporter
    Basis metrics (TGT & TGS): collectd/kerberos exporter → prometheus, consul
    Dashboard for visualisation: Grafana
    Logs: Rsyslog → elastic search → kibana
    Network Traces: wireshark
    Alerting: Alertmanager → email, PagerDuty, slack
  • 8. Identity Management - Technical Stack around Kerberos @Criteo
    Technical Stack
    ● Discovery: DNS + Consul
    ● Clock synchronisation: NTP
    ● Backup: Storage
    ● Log Analysis: Rsyslog + ES + Kibana
    ● Monitoring & Alerting: Prometheus + Grafana + Graphite
    ● Secret Management: chef-vault + vault
    ● Infrastructure Automation: Chef server
    Kerberos server side: Kerberos servers, Kerberos databases (native or LDAP), chef server, consul.
    Kerberos client side: service user (UPN), physical user (UPN), SPN (kerberized service), each with a chef client.
    Secret deployment: chef server → chef client → UPN / SPN
  • 9. Identity Management - Technical Stack around Kerberos @Criteo: Clock synchronisation
    The technical stack of the previous slide, highlighting clock synchronisation: NTP on the Kerberos server side, and an ntp client on every Kerberos client (service user, physical user, kerberized service).
  • 10. Identity Management - Technical Stack around Kerberos @Criteo: Discovery and DNS
    The technical stack of the previous slides, highlighting discovery and DNS between Kerberos clients and Kerberos servers:
    ● Domain Name Resolution, with Reverse Resolution using PTR records
    ● Round Robin with SRV records
    ● Establish Kerberos communication: TGT → TGS_REQUEST / TGS_REPLY → SGT → connection attempt
  • 11. Identity Management - Implemented HTTP SSO with Kerberos
    Diagram: SSO client → proxy → controller filter, for human-to-machine and machine-to-machine flows; IIS on Windows, proxy and controller filter on Linux.
  • 12. Identity Management - Kerberos for your application in Java
    Client side: Client application → Krb5LoginModule (JAAS) → GSS-API/SASL → Kerberos SPNEGO; files: user.keytab, krb5.conf, .java.login.config
    Server side: Server application → Krb5LoginModule (JAAS) → GSS-API/SASL → Kerberos SPNEGO; files: service.keytab, krb5.conf, .java.login.config
    Establish Kerberos communication between client side and server side.
    ● SASL: Simple Authentication and Security Layer
    ● SPNEGO: Simple and Protected GSS-API Negotiation Mechanism
    ● JAAS: Java Authentication and Authorization Service
    ● GSS-API: Generic Security Service Application Program Interface
  • 13. Identity Management - Demo Time
    Kerberos Servers: kerberos-docker, traced with wireshark
    ● Apache2 (http): keytab, kinit -R
    ● Mongo (mongodb): kinit -k keytab
    ● OpenSSH: ssh + delegation
    ● klist, login/password, credentials cache in the file system
    ● Java: Client Java socket ↔ Server Java, credentials cache in JVM memory
  • 14. Wouff… It is the end! Kerberos - Protocol for Authentication & Authorization Gilles LEGOUX, DevOps Engineer @Criteo - SRE CORE IDM team - June 19th, 2018 for MeetUp (Cyber)Security for Software Engineers MIT Kerberos
  • 15. References
    Learn Kerberos authentication
    ● Tutorial Kerberos
      ○ https://www.kerberos.org/software/tutorial.html
    ● The MIT Kerberos Administrator’s How-to Guide
      ○ https://www.kerberos.org/software/adminkerberos.pdf
    ● Best Practices for Integrating Kerberos into Your Application
      ○ https://www.kerberos.org/software/appskerberos.pdf
    ● Why is Kerberos a credible security solution?
      ○ https://www.kerberos.org/software/whykerberos.pdf
    ● Kerberos database can be OpenLDAP
      ○ https://www.openldap.org
    ● Kerberos: The Definitive Guide, O’Reilly
      ○ http://shop.oreilly.com/product/9780596004033.do
    Kerberos for GAFA
    ● Google
      ○ Google Search Appliance uses Kerberos
        ■ https://support.google.com/gsa/answer/6055202?hl=en
    ● Apple
      ○ Authentication and Identification In Depth
        ■ https://developer.apple.com/library/archive/documentation/Security/Conceptual/AuthenticationAndAuthorizationGuide/Authentication/Authentication.html
    ● Facebook
      ○ https://developers.facebook.com/docs/workplace/authentication/sso (No public references found)
    ● Amazon
      ○ Use Kerberos Authentication
        ■ https://docs.aws.amazon.com/emr/latest/ManagementGuide/emr-kerberos.html
  • 16. References
    Kerberos implementation
    ● MIT: MIT Kerberos
      ○ http://web.mit.edu/kerberos
      ○ What is Kerberos?
        ■ http://web.mit.edu/kerberos/www/#what_is
      ○ MIT Kerberos Consortium
        ■ http://kerberos.org/software/
      ○ Source code:
        ■ GitHub:
    ● Microsoft: Active Directory
      ○ https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/get-started/virtual-dc/active-directory-domain-services-overview
      ○ What is Kerberos Authentication?
        ■ https://technet.microsoft.com/pt-pt/library/cc780469(v=ws.10).aspx
      ○ Microsoft Kerberos
        ■ https://msdn.microsoft.com/en-us/library/windows/desktop/aa378747(v=vs.85).aspx
    ● Heimdal: Heimdal Kerberos
      ○ https://www.h5l.org
      ○ What is Heimdal/Kerberos?
        ■ https://github.com/heimdal/heimdal/wiki
      ○ Source code:
        ■ Github: https://github.com/heimdal/heimdal/releases
    There are other KDC client/server implementations, such as Apache Kerby, which runs a KDC "in memory" in Java:
    ● https://github.com/apache/directory-kerby
  • 17. References
    Single Sign On with Kerberos and SPNEGO
    ● Microsoft: HTTP-Based Cross-Platform Authentication by Using the Negotiate Protocol
      ○ https://msdn.microsoft.com/en-us/library/ms995329.aspx
    ● IBM: Single sign-on for HTTP requests using SPNEGO web authentication in Websphere application
      ○ https://www.ibm.com/support/knowledgecenter/en/SSD28V_9.0.0/com.ibm.websphere.wlp.core.doc/ae/cwlp_spnego.html
      ○ https://www.ibm.com/support/knowledgecenter/SS7JFU_8.5.5/com.ibm.websphere.express.doc/ae/csec_SPNEGO_explain.html#csec_SPNEGO_explain__SPNEGOkerb
    ● SAP: Single Sign-On: Authenticate with Kerberos/SPNEGO
      ○ https://blogs.sap.com/2017/07/27/sap-single-sign-on-authenticate-with-kerberosspnego/
    Operating system Linux and Kerberos
    ● RedHat (and CentOS): Using Kerberos
      ○ https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/managing_smart_cards/using_kerberos
    ● Ubuntu: Kerberos
      ○ https://help.ubuntu.com/lts/serverguide/kerberos.html.en
    ● Arch Linux: Kerberos
      ○ https://wiki.archlinux.org/index.php/Kerberos
    ● Fedora
      ○ https://fedoraproject.org/wiki/Infrastructure/Kerberos
    (Missing for MacOS and Windows, this presentation is only Linux)
  • 18. References
    Kerberos in Java
    ● Oracle (and Sun): Single Sign-on Using Kerberos in Java
      ○ https://docs.oracle.com/javase/10/security/single-sign-using-kerberos-java1.htm
    ● OpenJDK:
      ○
    ● Apache:
      ○ Apache Kerby:
        ■ http://directory.apache.org/kerby/
        ■ source code:
          ● Github: https://github.com/apache/directory-kerby
      ○ Hadoop:
        ■ Hadoop in Secure Mode
          ● https://hadoop.apache.org/docs/r3.0.0/hadoop-project-dist/hadoop-common/SecureMode.html
        ■ source code:
          ● GitHub: https://github.com/apache/hadoop-common/tree/trunk/hadoop-common-project/hadoop-auth/src/main/java/org/apache/hadoop/security
    ● Java Server
      ○ Tomcat
        ■ https://tomcat.apache.org/tomcat-7.0-doc/windows-auth-howto.html
      ○ Jetty
        ■ http://www.eclipse.org/jetty/documentation/current/spnego-support.html
      ○ Jboss
        ■ https://developer.jboss.org/wiki/HowToImplementKerberosAuthenticationWithASimpleRESTWebApp
      ○ Spring
        ■ https://spring.io/projects/spring-security-kerberos#overview
  • 19. References
    Kerberos in Python
    ● Apple:
      ○ https://github.com/apple/ccs-pykerberos
    ● Requests:
      ○ https://github.com/requests/requests-kerberos
    ● Python GSSAPI
      ○ https://github.com/pythongssapi
    Kerberos with Proxy/Reverse Proxy
    ● Apache2
      ○ mod_auth_gssapi
        ■ https://github.com/modauthgssapi/mod_auth_gssapi
      ○ mod_auth_kerb
        ■ http://modauthkerb.sourceforge.net
      ○ mod_authnz_ldap
        ■ http://httpd.apache.org/docs/2.2/mod/mod_authnz_ldap.html
    ● NGINX
      ○ https://www.nginx.com/blog/nginx-plus-authenticate-users/
    ● HaProxy
      ○ https://www.haproxy.com/documentation/aloha/9-5/packetshield/sso/
  • 20. References
    Kerberos and LDAP
    ● OpenLDAP:
      ○ https://www.openldap.org
    ● Microsoft:
      ○ https://msdn.microsoft.com/en-us/library/aa367008(v=vs.85).aspx
    ● Ubuntu:
      ○ https://help.ubuntu.com/lts/serverguide/kerberos-ldap.html.en
      ○ https://help.ubuntu.com/lts/serverguide/openldap-server.html.en
    ● MIT:
      ○ https://web.mit.edu/kerberos/krb5-latest/doc/admin/conf_ldap.html
    Kerberos with Wireshark and Tshark
    ● https://wiki.wireshark.org/Kerberos
    ● https://www.wireshark.org/docs/man-pages/tshark.html
    Kerberos is different
    ● Kerberos vs SSL/TLS
      ○ https://www.secureblackbox.com/kb/articles/6-Kerberos.rst
    ● Kerberos vs SPNEGO
      ○ https://developer.ibm.com/answers/questions/246107/what-is-the-difference-between-kerberos-and-spnego/
    Kerberos GSS-API
    ● GNU Generic Security:
      ○ https://www.gnu.org/software/gss/manual/gss.html#GSS_002dAPI-Overview
    ● Oracle:
      ○ https://docs.oracle.com/javase/8/docs/technotes/guides/security/jgss/tutorials/index.html
  • 21. References
    Kerberos and RFCs
    ● RFC 1510 The Kerberos Network Authentication Service (V5) [Obsolete]
    ● RFC 1964 The Kerberos Version 5 GSS-API Mechanism
    ● RFC 3961 Encryption and Checksum Specifications for Kerberos 5
    ● RFC 3962 Advanced Encryption Standard (AES) Encryption for Kerberos 5
    ● RFC 4120 The Kerberos Network Authentication Service (V5) [Current]
    ● RFC 4121 The Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Mechanism: Version 2
    ● RFC 4537 Kerberos Cryptosystem Negotiation Extension
    ● RFC 4556 Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
    ● RFC 4557 Online Certificate Status Protocol (OCSP) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
    ● RFC 4757 The RC4-HMAC Kerberos Encryption Types Used by Microsoft Windows [Obsolete]
    ● RFC 5021 Extended Kerberos Version 5 Key Distribution Center (KDC) Exchanges over TCP
    ● RFC 5349 Elliptic Curve Cryptography (ECC) Support for Public Key Cryptography for Initial Authentication in Kerberos (PKINIT)
    ● RFC 5868 Problem Statement on the Cross-Realm Operation of Kerberos
    ● RFC 5896 Generic Security Service Application Program Interface (GSS-API): Delegate if Approved by Policy
    ● RFC 6111 Additional Kerberos Naming Constraints
    ● RFC 6112 Anonymity Support for Kerberos
    ● RFC 6113 A Generalized Framework for Kerberos Pre-Authentication
    ● RFC 6251 Using Kerberos Version 5 over the Transport Layer Security (TLS) Protocol
    ● RFC 6448 The Unencrypted Form of Kerberos 5 KRB-CRED Message
    ● RFC 6542 Kerberos Version 5 Generic Security Service Application Program Interface (GSS-API) Channel Binding Hash Agility
    ● RFC 6560 One-Time Password (OTP) Pre-Authentication
    ● RFC 6649 Deprecate DES, RC4-HMAC-EXP, and Other Weak Cryptographic Algorithms in Kerberos
    ● RFC 6784 Kerberos Options for DHCPv6
    ● RFC 6803 Camellia Encryption for Kerberos 5
    ● RFC 6806 Kerberos Principal Name Canonicalization and Cross-Realm Referrals
    ● RFC 6880 An Information Model for Kerberos Version
    See https://en.wikipedia.org/wiki/Kerberos_(protocol) and https://datatracker.ietf.org/doc/search/?name=Kerberos&sort=&rfcs=on