SSO with Kerberos


1. Single Sign-on with Kerberos
  - Chris Eberle
  - Ryan Thomas
  - RC Johnson
  - Kim-Lan Tran
  - CS-591 Fall 2008

2. Introduction: Services
- Examples of network services
  - Email
  - Shell accounts
  - Websites
- Each traditionally responsible for authenticating its own users
  - Duplicate user information
- LDAP solves the duplication problem by acting as a directory service
  - User must still authenticate each time a service is accessed

3. Single Sign-on
- Motivation
  - Gets rid of constant password prompts
  - System administrator manages one group of users instead of several groups for different services
  - User has only one password to remember
- Technique used to validate a user's identity only once and give secure access to all network services

4. Project Outline
- Set up Kerberos
  - Popular mechanism used to achieve single sign-on
- Set up 3 virtual machines on a network
- Set up various network services
  - SSH
  - FTP
  - NFS
  - Mail

5. LDAP Overview
- Lightweight Directory Access Protocol
- Stores information about users, groups, DNS, or any other service that needs a database
- Can add, modify, and query information
6. LDAP Choice
- Chose OpenLDAP
  - Created in 1998
  - Loosely based on the LDAP server at the University of Michigan
  - Uses an insecure communication mechanism by default
  - One of the team members may have killed himself if we used a proprietary implementation
- Other LDAP choices
  - Active Directory by Microsoft
  - Open Directory by Novell
  - Red Hat Directory Server by Red Hat

7. SSL Overview
- Secure Sockets Layer
- Protocol used to ensure that data transferred over the network is encrypted
  - Prevents tampering and eavesdropping
- Used OpenSSL
  - Implements SSL and the newer TLS (Transport Layer Security) protocol

8. Kerberos Overview
- A way to securely prove one's identity over a network
- Open source application developed by MIT
- Made up of two parts
  - Authentication Server
  - Ticket Granting Server
- A ticket is granted after the user authenticates
  - Uses symmetric key cryptography
  - Expires after a period of time
- User presents the ticket to a service
  - Service authenticates the user without prompting for a password

9. Kerberos Diagram (figure; not reproduced in the extracted text)
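The exchange that slides 8 and 9 describe (Authentication Server issues a session key and a ticket-granting ticket, Ticket Granting Server issues a service ticket, the service checks it with its own key and never sees a password), plus the reason slide 13 insists on synchronized clocks, as an added teaching example that is not part of the slides or of MIT Kerberos. It uses the realm and the imap/stan principal the slides name; the user name "kim", the passwords, the toy cipher (SHA-256 keystream plus HMAC-SHA256, standing in for the real AES encryption types), the 8-hour lifetime and the 5-minute skew tolerance are all constructed assumptions.

```python
# Added teaching example, not part of the slides: a miniature Kerberos exchange
# (AS -> TGS -> service) using the realm and service principal the slides name.
# The cipher is a toy (SHA-256 keystream + HMAC-SHA256); real Kerberos uses the
# AES etypes of RFC 3962. Passwords, lifetime and skew values are constructed.
import hashlib
import hmac
import json
import os
import time

REALM = "VAST.UCCS.EDU"
CLOCK_SKEW = 300            # seconds of tolerance for authenticator timestamps (why NTP matters, slide 13)
TICKET_LIFETIME = 8 * 3600  # tickets expire after a fixed period (slide 8)


def derive_key(password: str, principal: str) -> bytes:
    """String-to-key: a long-term key from a password and a principal-specific salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (REALM + principal).encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(-(-length // 32)))
    return b"".join(blocks)[:length]


def seal(key: bytes, obj: dict) -> bytes:
    """Toy encrypt-then-MAC: only the holder of `key` can read or forge the result."""
    plain, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct)))))


def check_ticket(ticket: dict, authenticator: bytes, now: int) -> None:
    """Checks every ticket-accepting party runs: lifetime, authenticator freshness, name binding."""
    if now > ticket["expires"]:
        raise PermissionError("ticket expired")
    auth = unseal(bytes.fromhex(ticket["key"]), authenticator)  # must be under the ticket's session key
    if auth["client"] != ticket["client"]:
        raise PermissionError("authenticator does not match the ticket's client")
    if abs(now - auth["timestamp"]) > CLOCK_SKEW:
        raise PermissionError("clock skew too large; check NTP")


class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one object."""

    def __init__(self):
        self.tgs_key = os.urandom(32)  # key of krbtgt/REALM, known only to the KDC
        self.principals = {}           # principal name -> long-term key (the KDC database)

    def add_principal(self, name: str, password: str) -> None:
        self.principals[name] = derive_key(password, name)

    def as_exchange(self, user: str, now: int):
        """AS_REP: session key sealed under the user's key, TGT sealed under the krbtgt key."""
        session = os.urandom(32).hex()
        tgt = {"client": user, "key": session, "expires": now + TICKET_LIFETIME}
        return seal(self.principals[user], {"key": session}), seal(self.tgs_key, tgt)

    def tgs_exchange(self, tgt_blob: bytes, authenticator: bytes, service: str, now: int):
        """TGS_REP: validate the TGT, then issue a ticket sealed under the service's key."""
        tgt = unseal(self.tgs_key, tgt_blob)
        check_ticket(tgt, authenticator, now)
        session = os.urandom(32).hex()
        ticket = {"client": tgt["client"], "key": session, "expires": now + TICKET_LIFETIME}
        return seal(bytes.fromhex(tgt["key"]), {"key": session}), seal(self.principals[service], ticket)


def service_accepts(service_key: bytes, ticket_blob: bytes, authenticator: bytes, now: int) -> str:
    """AP_REQ at the service: decrypt with its keytab key; no password prompt (slide 8)."""
    ticket = unseal(service_key, ticket_blob)
    check_ticket(ticket, authenticator, now)
    return ticket["client"]


def run_flow(password="correct-horse", service_clock_offset=0, client_clock_offset=0) -> str:
    """Login, get a service ticket for imap/stan, present it; returns the authenticated principal."""
    now = int(time.time())
    kdc = KDC()
    kdc.add_principal("kim", "correct-horse")        # user principal (constructed password)
    kdc.add_principal("imap/stan", "keytab-secret")  # service principal from slide 13
    user_key = derive_key(password, "kim")           # what the client derives from the typed password
    enc_session, tgt = kdc.as_exchange("kim", now)
    tgt_key = bytes.fromhex(unseal(user_key, enc_session)["key"])  # a wrong password fails here
    enc_svc, ticket = kdc.tgs_exchange(tgt, seal(tgt_key, {"client": "kim", "timestamp": now}), "imap/stan", now)
    svc_key = bytes.fromhex(unseal(tgt_key, enc_svc)["key"])
    ap_auth = seal(svc_key, {"client": "kim", "timestamp": now + client_clock_offset})
    keytab_key = derive_key("keytab-secret", "imap/stan")  # what stan's keytab holds for imap/stan
    return service_accepts(keytab_key, ticket, ap_auth, now + service_clock_offset)


def rejection_reason(**kwargs):
    """Name of the exception run_flow raises for the given fault, or None on success."""
    try:
        run_flow(**kwargs)
        return None
    except (ValueError, PermissionError) as exc:
        return type(exc).__name__


if __name__ == "__main__":
    print(run_flow())                                                  # kim
    print(rejection_reason(password="wrong"))                          # ValueError
    print(rejection_reason(service_clock_offset=TICKET_LIFETIME + 1))  # PermissionError (expired)
    print(rejection_reason(client_clock_offset=-600))                  # PermissionError (skew)
```

The three failure cases are the ones the later slides run into in practice: a wrong password is caught on the client side when the AS reply cannot be opened, an expired ticket is refused by whoever receives it, and a client whose clock is ten minutes off is refused even though its ticket is valid, which is why the central server on slide 10 also runs NTP.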
10. Project Design
- 3 virtual machines named Kenny, Cartman, and Stan
- Cartman (Debian Lenny)
  - Central server
  - LDAP, Kerberos, NTP server
- Stan (Debian Lenny)
  - Secondary server
  - Mail, NFS, FTP
- Kenny (Ubuntu 8.04)
  - Client
- All three run SSH servers
- Kenny and Cartman mount Stan's NFS share
- SSH does not accept RSA or DSA keys
- The mail client on Kenny does not store passwords

11. LDAP Setup
- Serves as the base for user information
- Used the BDB database as the backend
- Challenge: finding the different configuration files on Debian and Ubuntu
- Tell the name services to use LDAP
- Configure PAM (Pluggable Authentication Modules) to authenticate against LDAP
- Removed all local accounts from the machines

12. SSL Setup
- Generate certificates
- Problems pointing to the correct certificates
  - Needed to fix configuration files
- Problems with nomenclature
  - References to the ldaps or StartTLS protocols
- Changed the configuration from ldaps to ldap and enabled StartTLS
13. Kerberos Setup
- Create and initialize the realm
- Create principals for all hosts, users, and services
- Change PAM from using LDAP to Kerberos
- LDAP still needed for other reasons
- Install Kerberos keys into the key stores of all clients
- All machines must have the correct date and time
  - Needed to validate the session for a ticket

Example principals:
  host/stan@VAST.UCCS.EDU
  imap/stan@VAST.UCCS.EDU
  [email_address]
  root/admin@VAST.UCCS.EDU

14. Kerberos (contd)
- User authentication is handled by Kerberos, but user information (user id, groups, shell, home directory, etc.) is still handled by LDAP.
- Users must recreate their passwords, so migrating from LDAP on a large network may not be feasible.

15. SSH Setup
- Modify the SSH server configuration to accept GSSAPI (Kerberos) credentials:
    GSSAPIAuthentication yes
    GSSAPICleanupCredentials yes
    GSSAPIKeyExchange yes
    AllowTcpForwarding yes
- Modify the SSH client configuration to send GSSAPI credentials when connecting:
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
- Users only need to log in once to SSH anywhere or use any other Kerberos service.

16. FTP Setup
- Set up FTP on Stan
- Needed the krb5-ftpd package
  - Kerberized version of FTP
- Problem: did not realize that the server daemon, inetd, wasn't installed
  - inetd manages services by mapping them to specific ports and launching the correct service
- Used the krb-ftp command on Kenny to test FTP
  - Comes with the krb-client package
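An offline check of the SSH settings from slide 15, as an added example that is not part of the slides: it parses OpenSSH-style configuration text the way sshd and ssh do (keywords are case-insensitive, the first occurrence wins) and reports what is missing or risky. The upstream defaults it assumes (GSSAPIAuthentication and GSSAPIDelegateCredentials off, GSSAPICleanupCredentials on) come from the OpenSSH manual pages; the sample configuration texts, the finding codes and the host names in the scoped client example are constructed.

```python
# Added example, not part of the slides: an offline audit of the GSSAPI settings
# from slide 15 in OpenSSH-style config text. Keyword defaults (GSSAPIAuthentication
# and GSSAPIDelegateCredentials default to "no", GSSAPICleanupCredentials to "yes")
# follow the upstream OpenSSH manual pages; the sample config texts are constructed.
import re


def parse_ssh_config(text: str) -> dict:
    """Global-section keywords as {lowercase keyword: value}.

    Mirrors two OpenSSH rules: keywords are case-insensitive and the first
    occurrence wins. Anything after a Match (sshd) or Host (ssh) line is
    conditional and is deliberately not counted as a global setting.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)  # "Key value" or "Key=value"
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key in ("match", "host"):
            break
        settings.setdefault(key, value)
    return settings


def audit_server(text: str) -> list:
    """Findings for the server config against slide 15 (GSSAPI) and slide 10 (no RSA/DSA keys)."""
    s = parse_ssh_config(text)
    findings = []
    if s.get("gssapiauthentication", "no").lower() != "yes":
        findings.append("gssapi-auth-off")        # Kerberos logins impossible; users get password prompts
    if s.get("gssapicleanupcredentials", "yes").lower() != "yes":
        findings.append("no-credential-cleanup")  # delegated tickets would outlive the session
    if s.get("pubkeyauthentication", "yes").lower() != "no":
        findings.append("pubkey-still-enabled")   # slide 10: the hosts reject RSA/DSA keys
    return findings


def audit_client(text: str) -> list:
    """Findings for the client config; delegation hands the TGT to the server, so scope it."""
    s = parse_ssh_config(text)
    findings = []
    if s.get("gssapiauthentication", "no").lower() != "yes":
        findings.append("gssapi-auth-off")
    if s.get("gssapidelegatecredentials", "no").lower() == "yes":
        findings.append("global-delegation")      # every server you ssh to receives your TGT
    return findings


# Constructed samples. SERVER_SLIDE15 is the slide's server settings plus the slide-10 rule.
SERVER_SLIDE15 = """
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GSSAPIKeyExchange yes
AllowTcpForwarding yes
PubkeyAuthentication no
"""
SERVER_DEFAULTS = """
# stock file: GSSAPI commented out, so upstream defaults apply
#GSSAPIAuthentication no
Port 22
"""
CLIENT_SLIDE15 = """
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
"""
CLIENT_SCOPED = """
GSSAPIAuthentication yes
Host cartman stan          # delegate only to the project's own servers (constructed names)
    GSSAPIDelegateCredentials yes
"""

if __name__ == "__main__":
    for name, text in [("server-slide15", SERVER_SLIDE15), ("server-defaults", SERVER_DEFAULTS)]:
        print(name, audit_server(text))
    for name, text in [("client-slide15", CLIENT_SLIDE15), ("client-scoped", CLIENT_SCOPED)]:
        print(name, audit_client(text))
```

The one setting the audit does not judge is GSSAPIKeyExchange: that keyword comes from the GSSAPI key-exchange patch carried by the Debian and Ubuntu OpenSSH packages the project used, not from upstream OpenSSH, so a stock build elsewhere would reject the line. The client-side point is that `GSSAPIDelegateCredentials yes` in the global section, as on slide 15, forwards the user's ticket-granting ticket to every host they connect to; putting it under a `Host` block for the project's own servers gives the same single sign-on experience on those hosts without that exposure.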
17. NFS Setup
- NFSv4
- Set up the server
  - Added principals to Kerberos
  - Modified the exports file
  - Ensured RPC services were starting correctly (idmap)
- Set up the client
  - RPC services (idmap)
  - Import Kerberos keys
  - Recreated key files on all machines
  - Verified permissions and mount points
  - Set up automatic mounting of home directories

18. IMAP Server
- Set up dovecot (a popular IMAP server) with secure SSL extensions on Stan.
- Kerberos used for authentication; regular password authentication disabled
- LDAP used for user information (e.g. the path to each user's mail directory)
- Set up a quick-and-dirty postfix install to allow delivery of mail (no Kerberos, though)

19. IMAP Client
- Used Thunderbird on Kenny as the IMAP client
- Must tell Thunderbird to use Kerberos
  - The option is "Use secure authentication" (different from SSL/TLS)
- The client can receive email after logging in to the desktop without being asked for a password.
- Bonus: Thunderbird doesn't have to store your email password anywhere, so it's more secure.

20. Future Directions
- Add firewall security
- Add more services such as Apache
- Add multiple platforms
- Add security to SMTP

21. References
- Debian (
- Ubuntu (
- Chris

