Cross-Cell Authentication Using Configurable Authentication Paths
Douglas E. Engert
[email protected]
Argonne National Laboratory
11/05/96
Introduction
What is Cross-Cell Authentication?
How Kerberos and DCE implement it
What’s wrong with this?
Configurable Authentication Paths
Results of testing
Futures
Definitions
Cell vs Realm
Security Server vs KDC
/.../cellname/user vs user@realm
principal and account vs principal
Cross-Cell Authentication
A user in one cell can authenticate to a service in another cell
Feature of Kerberos:
Version 4 - direct cell to cell only
Version 5 - allows intermediate cells
Requires the cell_admins of both cells to set up a shared key
Kerberos Basics
[Figure: Key Distribution Center (KDC) or DCE Security Server. The user runs kinit on the client, tickets go into the credentials cache, and the client application APPL authenticates to the server application APPLD.]
Cross Cell Authentication: Shared Keys
[Figure: Client’s KDC, KDC 1, KDC 2 and Server’s KDC linked pairwise by shared keys; User at one end, Server at the other.]
Cross Cell Authentication
[Figure: the same chain (Client’s KDC, KDC 1, KDC 2, Server’s KDC). The user runs kinit on the client, cross-cell tickets accumulate in the cache, and APPL authenticates to APPLD in the server’s cell.]
Hierarchical Organization of Cells
“Realms are typically organized hierarchically” (RFC 1510, Section 1.1)
Kerberos 5 uses DNS-style realm names
DCE uses cell aliases
They don’t interoperate
Kerberos 5 Hierarchy
Right to left, separator is “.”
[Figure: realm tree with root C; children B.C and Z.C; leaves A.B.C and Y.Z.C]
DCE Hierarchy
Left to right, separator is “/”
[Figure: cell tree with root /c; children /c/b and /c/z; leaves /c/b/a and /c/z/y]
Requires user to specify the hierarchy
Transitive Trust
What's wrong with this?
The world is not hierarchical
How does ANL.GOV authenticate to WIDGET.COM?
Who runs the GOV, COM, EDU, ORG cells?
Can’t belong to more than one hierarchy
DCE and K5 do not interoperate
Hierarchy is tied to the realm name
[Four diagram slides titled “Cross Cell”; the diagrams themselves are not recoverable]
Configurable Authentication Paths
“Realms are typically organized hierarchically.... If a hierarchical organization is not used, it may be necessary to consult some database in order to construct an authentication path between realms.” (RFC 1510, Section 1.1)
So use a database!
Configurable Authentication Paths
lib/krb5/krb/walk_rtree.c
Returns the authentication path based on the client and server realms
Used by the client to find the authentication path
Used by the server to check the transited field
Has been incorporated in MIT Kerberos 5 beta 6 and beta 7
krb5.conf: new section [capaths]
Why Check the Transited Field?
[Figure: cells abc, def and ghi on the configured path; xyz and jkl off it]
Client: abc   Server: ghi   Transited field: def
Bogus client: abc   Server: ghi   Transited field: xyz,jkl,def
The transited field lists the cells whose security servers took part in issuing the ticket. Unless the server compares it with the path it expects for the client’s cell, a cell that is not on that path but shares a key with one that is (xyz or jkl here) can mint a ticket naming a client from abc.
DCE 1.0.3 did not check!
Testing CAPATH in DCE
Modified DCE 1.1 walk_rtree.c
Kept simple to show proof of concept
walk_rtree.c is in shared libdce
capath.conf: equivalent to the krb5.conf [capaths] information
capath.conf
client-cell   server-cell   intermediates
dce.anl.gov   dce.es.net    .
dce.anl.gov   dce.pnl.gov   dce.es.net
dce.es.net    dce.anl.gov   .
dce.pnl.gov   dce.anl.gov   dce.es.net
dce.es.net    dce.pnl.gov   .
dce.pnl.gov   dce.es.net    .
(“.” = direct, no intermediate cell)
For n cells: n*(n-1) records in total; each cell appears in 2*(n-1) of them
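The following Python program is an added example (not code from this talk, and not MIT Kerberos’s walk_rtree.c or the DCE libdce modification). It models what the hierarchy slides, the [capaths]/walk_rtree slides, the transited-field slide and the capath.conf table above describe: parsing the slide’s capath.conf records, the client’s lookup of the authentication path with fallback to the hierarchical walk when no record exists, the server’s check of a ticket’s transited field against that path, the record counts, and the equivalent krb5.conf [capaths] stanza. CAPATH_CONF is a copy of the slide’s table; the abc/def/ghi table is constructed here, and the transited field is handled as a plain list rather than RFC 1510’s compressed encoding.

```python
"""Configurable authentication paths (capaths), modelled on what walk_rtree.c
does.  Added example: not the talk's code, not MIT Kerberos or DCE source.
CAPATH_CONF copies the slide's capath.conf; ABC_CONF is constructed here for
the transited-field slide; the transited field is a plain list here, not RFC
1510's compressed encoding."""

CAPATH_CONF = """\
# client-cell  server-cell  intermediates   ("." = direct)
dce.anl.gov   dce.es.net   .
dce.anl.gov   dce.pnl.gov  dce.es.net
dce.es.net    dce.anl.gov  .
dce.pnl.gov   dce.anl.gov  dce.es.net
dce.es.net    dce.pnl.gov  .
dce.pnl.gov   dce.es.net   .
"""

# Constructed: abc and ghi trust each other only through def (xyz, jkl: no path).
ABC_CONF = """\
abc  ghi  def
ghi  abc  def
"""


def parse_capath_conf(text):
    """{(client, server): [intermediates, in order]}; a lone "." means none."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        client, server, *inter = line.split()
        table[(client, server)] = [] if inter == ["."] else inter
    return table


def hierarchical_path(client, server):
    """Pre-capaths Kerberos 5 rule: walk the DNS-style names right to left up
    to the common suffix realm, then down to the server.  Returns intermediate
    realms only, or None if the names share no suffix (ANL.GOV vs WIDGET.COM)."""
    c, s = client.split("."), server.split(".")
    common = 0
    while common < min(len(c), len(s)) and c[-1 - common] == s[-1 - common]:
        common += 1
    if common == 0:
        return None
    up = [".".join(c[i:]) for i in range(0, len(c) - common + 1)]        # client .. root
    down = [".".join(s[i:]) for i in range(len(s) - common - 1, -1, -1)]  # below root .. server
    return (up + down)[1:-1]                                             # drop client, server


def find_path(table, client, server):
    """Client side: cells to obtain cross-cell TGTs from, in order.  A configured
    record wins; without one, fall back to the hierarchical walk (the talk's
    compatibility rule when capath.conf or the record is missing)."""
    if client == server:
        return []
    if (client, server) in table:
        return list(table[(client, server)])
    return hierarchical_path(client, server)


def transited_ok(table, client, server, transited):
    """Server side: every cell the ticket claims was transited must lie on the
    path the server itself computes for this client/server pair."""
    expected = find_path(table, client, server)
    return expected is not None and all(cell in expected for cell in transited)


def record_counts(table):
    """(cells, total records, records per cell); with every pair configured the
    slide's counts hold: n*(n-1) in total and 2*(n-1) per cell."""
    cells = sorted({cell for pair in table for cell in pair})
    per_cell = {cell: sum(1 for pair in table if cell in pair) for cell in cells}
    return len(cells), len(table), per_cell


def to_krb5_capaths(table):
    """Render the same table as the MIT krb5.conf [capaths] stanza it is
    equivalent to: client = { server = intermediate }, one line per hop."""
    lines = ["[capaths]"]
    for client in sorted({c for c, _ in table}):
        lines.append(f"    {client} = {{")
        for (c, server), inter in sorted(table.items()):
            if c == client:
                for hop in inter or ["."]:
                    lines.append(f"        {server} = {hop}")
        lines.append("    }")
    return "\n".join(lines)


if __name__ == "__main__":
    table = parse_capath_conf(CAPATH_CONF)
    print("dce.anl.gov -> dce.pnl.gov via", find_path(table, "dce.anl.gov", "dce.pnl.gov"))
    print("anl.gov -> widget.com:", find_path(table, "anl.gov", "widget.com"))
    abc = parse_capath_conf(ABC_CONF)
    print("genuine transited [def]:", transited_ok(abc, "abc", "ghi", ["def"]))
    print("bogus transited [xyz,jkl,def]:", transited_ok(abc, "abc", "ghi", ["xyz", "jkl", "def"]))
    print(to_krb5_capaths(table))
```

The server-side check deliberately reuses the client-side lookup: the server does not trust the path the ticket claims, it recomputes the path from its own capath.conf and rejects any transited cell that is not on it, which is exactly what makes the xyz,jkl,def ticket fail.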
Testing CAPATH in DCE
Need modified libdce.so on server and security server
Need modified libdce.so on client:
AIX 4.1.4 - relinked libdce.a
Solaris 2.5 - setenv LD_PRELOAD
HP - Have not figured out a way yet
Cross Cell Authentication
[Figure: rlogin test. The user on an AIX client does dce_login, then rlogin to a host whose klogind is in another cell. Three cells, dce.anl.gov (HP), dce.es.net (Transarc) and dce.pnl.gov (Transarc), each running its own secd; client and servers use the modified libdce.so.]
pembroke% /krb5/bin/rlogin moonbeam.pnl.gov -x -l engert
This rlogin session is using DES encryption for all data transmissions.
Last login: Thu Oct 24 17:01:49 from pembroke.ctd.anl
Sun Microsystems Inc.   SunOS 5.5.1   Generic May 1996
moonbeam.pnl.gov% exit
moonbeam.pnl.gov% logout
Connection closed.
pembroke% /krb5/bin/klist
Ticket cache: /opt/dcelocal/var/security/creds/dcecred_626fb170
Default principal: [email protected]
Valid starting       Expires              Service principal
25 Oct 96 09:03:01   25 Oct 96 19:03:01   krbtgt/[email protected]
25 Oct 96 09:03:17   25 Oct 96 19:03:01   afsx/[email protected]
25 Oct 96 09:10:28   25 Oct 96 19:03:01   krbtgt/[email protected]
25 Oct 96 09:10:28   25 Oct 96 19:03:01   krbtgt/[email protected]
25 Oct 96 09:10:31   25 Oct 96 19:03:01   host/[email protected]
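As a second added example (again not the talk’s code nor MIT or DCE source), here is the ticket chain behind the rlogin and klist session above, in Python: each cell’s security server is modelled as a KDC that can only read a ticket issued under a key it holds, the client walks the configured path asking each KDC for a cross-cell TGT to the next cell, and the transited field is filled in the way RFC 1510 specifies and MIT implements (the issuing cell of the presented TGT is recorded unless it is the client’s own cell). Tickets are plain dictionaries with no encryption or ASN.1. The shared-key pairs, the rogue cell xyz, and the exact service-principal names (the slide’s klist output is redacted here) are assumptions.

```python
"""Cross-cell ticket chain for the rlogin/klist slide: who issues which krbtgt
ticket along anl -> es.net -> pnl, how the transited field accumulates, and
why the end server must compare it with its own configured path.  Added
example: not the talk's code, not MIT Kerberos or DCE.  Tickets are dicts
(no crypto): a KDC "decrypts" a ticket by holding a key for its issuing cell.
Shared keys, the rogue cell xyz and the principal names are assumptions."""

# Constructed trust: which cells share a cross-cell key (both directions).
SHARED_KEYS = {
    ("dce.anl.gov", "dce.es.net"),
    ("dce.es.net", "dce.pnl.gov"),
    ("xyz", "dce.pnl.gov"),   # rogue cell for the bogus-ticket case (constructed)
}


def peers(realm):
    return {b if a == realm else a for a, b in SHARED_KEYS if realm in (a, b)}


class Kdc:
    """One cell's security server (secd / KDC)."""

    def __init__(self, realm):
        self.realm, self.peers = realm, peers(realm)

    def as_exchange(self, client):
        """dce_login / kinit: initial TGT for a principal of this cell."""
        return {"client": client, "crealm": self.realm, "sname": "krbtgt/" + self.realm,
                "srealm": self.realm, "transited": []}

    def tgs_exchange(self, tgt, service):
        """Present a TGT addressed to this KDC, get a ticket for service 'name@realm'.
        A cross-cell TGT krbtgt/NEXT@HERE is just a service named krbtgt/NEXT."""
        sname, srealm = service.split("@")
        if tgt["sname"] != "krbtgt/" + self.realm:
            raise ValueError(f"{self.realm}: TGT is for {tgt['sname']}, not for this KDC")
        if tgt["srealm"] != self.realm and tgt["srealm"] not in self.peers:
            raise ValueError(f"{self.realm}: no key to decrypt a TGT issued by {tgt['srealm']}")
        if srealm != self.realm:
            raise ValueError(f"{self.realm}: cannot issue tickets for realm {srealm}")
        if sname.startswith("krbtgt/") and sname[7:] not in self.peers:
            raise ValueError(f"{self.realm}: no shared key with {sname[7:]}")
        # Transited rule (RFC 1510, as MIT implements it): record the cell that
        # issued the presented TGT unless it is the client's own cell or the
        # cell of the requested service.
        transited = list(tgt["transited"])
        if tgt["srealm"] not in (tgt["crealm"], srealm):
            transited.append(tgt["srealm"])
        return {"client": tgt["client"], "crealm": tgt["crealm"], "sname": sname,
                "srealm": self.realm, "transited": transited}


def get_service_ticket(kdcs, tgt, path, service):
    """Client side: follow the configured path, asking each cell for a TGT to
    the next one, then ask the service's cell for the service ticket.
    Returns every ticket obtained, in order (what klist would show)."""
    svc_realm = service.split("@")[1]
    tickets, here = [tgt], tgt["srealm"]
    for nxt in list(path) + [svc_realm]:
        if nxt != here:
            tickets.append(kdcs[here].tgs_exchange(tickets[-1], f"krbtgt/{nxt}@{here}"))
            here = nxt
    tickets.append(kdcs[svc_realm].tgs_exchange(tickets[-1], service))
    return tickets


def server_accepts(ticket, expected_path):
    """End server (klogind): every transited cell must be on the path the server
    computes for the client's cell from its own capath.conf (DCE 1.0.3 skipped this)."""
    return all(cell in expected_path for cell in ticket["transited"])


def forged_ticket(kdcs):
    """Bogus case: rogue cell xyz, which does hold a key shared with dce.pnl.gov,
    mints a cross-cell TGT naming an anl user; pnl's KDC cannot tell and issues."""
    bogus_tgt = {"client": "engert", "crealm": "dce.anl.gov", "sname": "krbtgt/dce.pnl.gov",
                 "srealm": "xyz", "transited": []}
    return kdcs["dce.pnl.gov"].tgs_exchange(bogus_tgt, "host/moonbeam.pnl.gov@dce.pnl.gov")


def build_kdcs():
    return {r: Kdc(r) for r in ("dce.anl.gov", "dce.es.net", "dce.pnl.gov", "xyz")}


def klist(tickets):
    return [t["sname"] + "@" + t["srealm"] for t in tickets]


if __name__ == "__main__":
    kdcs = build_kdcs()
    tgt = kdcs["dce.anl.gov"].as_exchange("engert")                        # dce_login
    chain = get_service_ticket(kdcs, tgt, ["dce.es.net"],                   # path from capath.conf
                               "host/moonbeam.pnl.gov@dce.pnl.gov")         # rlogin
    print("\n".join(klist(chain)))
    print("transited:", chain[-1]["transited"], "accepted:", server_accepts(chain[-1], ["dce.es.net"]))
    bad = forged_ticket(kdcs)
    print("forged transited:", bad["transited"], "accepted:", server_accepts(bad, ["dce.es.net"]))
```

Note where the defence sits: pnl’s KDC behaves correctly in both runs, since it has a key for xyz and a ticket under that key is valid as far as it knows; the only thing that separates the forged ticket from the genuine one is the transited field, and only the end server, comparing it with its expected path (dce.es.net), can reject it.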
Cross Cell Authentication
[Figure: rgy_edit test. The user does dce_login, then rgy_edit talks over RPC to a remote cell’s registry. Same three cells, dce.anl.gov (HP), dce.es.net (Transarc) and dce.pnl.gov (Transarc), each with its own secd; the AIX client and the servers use the modified libdce.so.]
Klist output
Default principal: [email protected]
Server: krbtgt/[email protected]
Client: [email protected]   Server: krbtgt/[email protected]
Client: [email protected]   Server: [email protected]
Server: krbtgt/[email protected]
Server: krbtgt/[email protected]
Server: [email protected]
Client: [email protected]   Server: krbtgt/[email protected]
Client: [email protected]   Server: krbtgt/[email protected]
Client: [email protected]   Server: [email protected]
Cross Cell Authentication
[Figure: DFS test. The user does dce_login, then accesses DFS in a remote cell. Same three cells, dce.anl.gov (HP), dce.es.net (Transarc) and dce.pnl.gov (Transarc), each with its own secd; the AIX client and the servers use the modified libdce.so.]
Compatibility
Defaults to the previous method if:
capath.conf not found
client-server record not found
Works with MIT Kerberos
Futures
Request OSF and HP to incorporate the modification
Replace the capath.conf file: store it in the registry, locally cached by dced
Public key for cross-cell: capath.conf then becomes a list of trusted CAs
ESnet Pilot Project
Final Report and Recommendations of the ESnet Authentication Pilot Project
G. R. Johnson (PNL), C. L. Athey (LLNL), D. E. Engert (ANL), J. P. Moore (PNL), J. E. Ramus (NERSC)
http://www.es.net/pub/esnet-doc/auth-and-security/auth-pilot-report.ps
The End
Cross-Cell Authentication Using Configurable Authentication Paths
Douglas E. Engert
[email protected]
Argonne National Laboratory
10/31/96