SSO with Kerberos

1. Single Sign-on with Kerberos

  • Chris Eberle
  • Ryan Thomas
  • RC Johnson
  • Kim-Lan Tran
  • CS-591 Fall 2008

2. Introduction: Services

  • Example of network services
    • Email
    • Shell Accounts
    • Websites
  • Each traditionally responsible for authenticating users
    • Duplicate user information
  • LDAP solves the duplication problem by acting as a directory service
    • User must still authenticate each time a service is accessed

3. Single Sign-on

  • Motivation
    • Gets rid of constant password prompts
    • System administrator manages one group of users instead of several groups for different services
    • User only has one password to remember
  • Technique used to validate user's identity only once and give secure access to all network services

4. Project Outline

  • Set up Kerberos
    • Popular mechanism used to achieve single sign-on
  • Set up 3 virtual machines on a network
  • Set up various network services
    • SSH
    • FTP
    • NFS
    • Mail

5. LDAP Overview

  • Lightweight Directory Access Protocol
  • Stores information about users, groups, DNS, or any other service that needs a database
  • Can add, modify, and query for information

6. LDAP Choice

  • Chose OpenLDAP
    • Created in 1998
    • Loosely based on LDAP server at University of Michigan
    • Uses insecure communication mechanism
    • One of the team members may have killed himself if we used a proprietary implementation
  • Other LDAP choices
    • Active Directory by Microsoft
    • Open Directory by Novell
    • Red Hat Directory Server by Red Hat

7. SSL Overview

  • Secure Socket Layer
  • Protocol used to ensure that data transferred over a network is encrypted
    • Prevents tampering and eavesdropping
  • Use OpenSSL
    • Implements SSL and the newer protocol TLS (Transport Layer Security)

8. Kerberos Overview

  • Way to securely prove one's identity over a network
  • Open source application developed by MIT
  • Made up of two parts
    • Authentication server
    • Ticket granting server
  • Ticket is granted after the user authenticates
    • Uses symmetric key cryptography
    • Expires after a period of time
  • User presents ticket to service
    • Service authenticates user without prompting for password

9. Kerberos Diagram

10. Project Design

  • 3 Virtual Machines named Kenny, Cartman, and Stan
  • Cartman (Debian Lenny)
    • Central server
    • LDAP, Kerberos, NTP server
  • Stan (Debian Lenny)
    • Secondary server
    • Mail, NFS, FTP
  • Kenny (Ubuntu 8.04)
    • Client
  • All three run SSH servers
  • Kenny and Cartman mount Stan's NFS share
  • Does not accept RSA or DSA keys in SSH
  • Mail client on Kenny does not store passwords

11. LDAP Setup

  • Serves as base for user information
  • Used BDB database for backend
  • Challenge to find different configuration files on Debian and Ubuntu
  • Tell name services to use LDAP
  • Configure PAM (Pluggable Authentication Modules) to authenticate against LDAP
  • Removed all local accounts from machines

12. SSL Setup

  • Generate certificates
  • Problems with pointing to correct certificates
    • Needed to fix configuration files
  • Problems with nomenclature
    • References to ldaps or StartTLS protocols
  • Changed configuration from ldaps to ldap and enabled StartTLS

13. Kerberos Setup

  • Create and initialize realm
  • Create principals for all hosts, users, and services
  • Change PAM from using LDAP to Kerberos
  • LDAP still needed for other reasons
  • Install Kerberos keys into the key stores of all clients
  • All machines must have the correct date and time
    • Ticket timestamps are validated against each host's clock

Example principals:
  • host/stan@VAST.UCCS.EDU
  • imap/stan@VAST.UCCS.EDU
  • [email_address]
  • root/admin@VAST.UCCS.EDU

14. Kerberos (contd)

  • User authentication handled by Kerberos, but user information (user id, groups, shell, home directory, etc) still handled by LDAP.
  • Users must recreate their password, so migrating from LDAP on a large network may not be feasible.
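A toy model of the exchange described on the Kerberos Overview slide (authentication server issues a TGT, ticket-granting server issues service tickets, the service checks the ticket without a password), including the ticket lifetime and the clock-skew check that is the reason the Kerberos Setup slide requires correct time on every host. This is an added illustration, not the project's code or MIT Kerberos: the realm name comes from the slides, while the principal names, keys, the `password_key` derivation and the HMAC-based stream cipher are constructed stand-ins.

```python
import hashlib, hmac, json, os

SKEW = 300               # seconds of clock skew a service tolerates (why every host needs correct time)
REALM = "VAST.UCCS.EDU"  # realm name from the slides; keys, names and the cipher below are constructed
def xor_stream(key, data):   # toy keystream cipher standing in for the AES/DES used by real Kerberos
    out, ctr = b"", 0
    while len(out) < len(data):
        out += hmac.new(key, ctr.to_bytes(4, "big"), hashlib.sha256).digest(); ctr += 1
    return bytes(a ^ b for a, b in zip(data, out))
def seal(key, obj):          # encrypt-then-MAC: only a holder of `key` can open or alter the blob
    nonce = os.urandom(8); ct = xor_stream(key + nonce, json.dumps(obj).encode())
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
def unseal(key, blob):
    nonce, ct, tag = blob[:8], blob[8:-16], blob[-16:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]):
        raise ValueError("wrong key or tampered message")
    return json.loads(xor_stream(key + nonce, ct))
password_key = lambda pw: hashlib.sha256(pw.encode()).digest()  # stand-in for Kerberos string2key

def accept(service_key, ticket, authenticator, now):
    """AP_REQ check a kerberized sshd/imapd/nfsd does: open the ticket with its own key, then
    check expiry and that the authenticator (sealed under the session key) is fresh."""
    t = unseal(service_key, ticket)
    if now > t["expires"]:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or abs(now - a["time"]) > SKEW:
        raise ValueError("authenticator mismatch or clock skew")
    return t["client"], bytes.fromhex(t["key"])

class KDC:
    """Authentication server and ticket-granting server sharing one principal-key database."""
    def __init__(self, keys, lifetime=8 * 3600):
        self.keys, self.lifetime = keys, lifetime
    def _issue(self, client, service, reply_key, now):
        sk = os.urandom(16).hex()  # fresh session key: client gets it via reply_key, service via the ticket
        ticket = seal(self.keys[service], {"client": client, "key": sk, "expires": now + self.lifetime})
        return seal(reply_key, {"service": service, "key": sk}), ticket
    def as_exchange(self, user, now):                 # AS: reply opens only with the user's password key
        return self._issue(user, "krbtgt/" + REALM, self.keys[user], now)
    def tgs_exchange(self, tgt, auth, service, now):  # TGS: validates the TGT exactly as a service would
        client, tgs_key = accept(self.keys["krbtgt/" + REALM], tgt, auth, now)
        return self._issue(client, service, tgs_key, now)

def login(kdc, user, password, now):                  # the one password prompt of the whole session
    rep, tgt = kdc.as_exchange(user, now)
    return tgt, bytes.fromhex(unseal(password_key(password), rep)["key"])

def service_ticket(kdc, user, tgt, tgs_key, service, now):   # later services: TGT only, no password
    rep, ticket = kdc.tgs_exchange(tgt, seal(tgs_key, {"client": user, "time": now}), service, now)
    return ticket, bytes.fromhex(unseal(tgs_key, rep)["key"])
```

The client never sees inside its own ticket (it is sealed under the service's key), which is what lets sshd on Stan trust it without a password prompt.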

15. SSH Setup

  • Modify the SSH server configuration to accept GSSAPI (Kerberos) credentials
    • GSSAPIAuthentication yes
    • GSSAPICleanupCredentials yes
    • GSSAPIKeyExchange yes
    • AllowTcpForwarding yes
  • Modify the SSH client configuration to send GSSAPI credentials when connecting
    • GSSAPIAuthentication yes
    • GSSAPIDelegateCredentials yes
  • Users only need to log in once to SSH anywhere, or use any other Kerberos services.

16. FTP Setup

  • Set up FTP on Stan
  • Needed package krb5-ftpd
    • Kerberized version of FTP
  • Problem in not realizing that the server daemon, inetd, wasn't installed
    • Maps services to specific ports and launches the correct service on connection
  • Used the krb-ftp command on Kenny to test FTP
    • Came with the krb-client package

17. NFS Setup

  • NFSv4
  • Set up server
    • Added principals to Kerberos
    • Modified exports file
    • Ensured RPC services were starting correctly (idmap)
  • Set up client
    • RPC services (idmap)
    • Import Kerberos keys
    • Recreated key files on all machines
    • Verified permissions and mount points
    • Set up automatic mounting of home directories

18. IMAP Server

  • Set up dovecot (popular IMAP server) with secure SSL extensions on Stan.
  • Kerberos used for authentication, regular password authentication disabled
  • LDAP used for user information (e.g. path to their mail directories)
  • Set up a quick-n-dirty postfix install to allow delivery of mail (no Kerberos though)

19. IMAP Client

  • Used Thunderbird on Kenny as IMAP client
  • Must tell Thunderbird to use Kerberos
    • Option is "Use secure authentication" (different from SSL/TLS)
  • Client can receive email after logging in to the desktop without being asked for a password.
  • Bonus: Thunderbird doesn't have to store your email password anywhere, so it's more secure.

20. Future Directions

  • Add firewall security
  • Add more services such as Apache
  • Add multiple platforms
  • Add security to SMTP
