Kerberos ...

  • 04-09-2001 5:36pm
    #1
    Registered Users, Registered Users 2 Posts: 16,414 ✭✭✭✭


    Intro:

    Kerberos is a distributed authentication service that allows a process (a client) running on behalf of a principal (a user) to prove its identity to a verifier (an
    application server, or just server) without sending data across the network that might allow an attacker or the verifier to subsequently impersonate the principal.
    Kerberos optionally provides integrity and confidentiality for data sent between the client and server. Kerberos was developed in the mid-'80s as part of MIT's
    Project Athena. As use of Kerberos spread to other environments, changes were needed to support new policies and patterns of use. To address these
    needs, design of Version 5 of Kerberos (V5) began in 1989. Though V4 still runs at many sites, V5 is considered to be standard Kerberos.

    It's typically used when a user on a network is attempting to make use of a network service, and the service wants
    assurance that the user is who he says he is. To that end, the user presents a ticket that is issued by the Kerberos authentication server (AS), much as a
    driver's license is issued by the DMV. The service then examines the ticket to verify the identity of the user. If all checks out, then the user is accepted.

    Therefore, this ticket must contain information linking it unequivocally to the user. Since the user and the service don't meet face to face (whatever that would
    mean), a photo is of no use. No, the ticket must demonstrate that the bearer knows something only its intended user would know, such as a password.
    Furthermore, there must be safeguards against an attacker stealing the ticket, and using it later.

    http://web.mit.edu/kerberos/www/
    http://www.ietf.org/rfc/rfc1510.txt?number=1510
    http://www.isi.edu/gost/info/kerberos/
    http://www.isi.edu/gost/publications/kerberos-neuman-tso.html

    ---

    Does anyone use it? On what OS?

    What do you use it for?

    Do you think it's cool or crap?

    I'm interested in seeing if people are implementing this stuff.

    Cheers,
    Al.


Comments

  • Registered Users, Registered Users 2 Posts: 6,693 ✭✭✭tHE vAGGABOND


    In a nutshell, Kerberos is an authentication mechanism that makes sure that "You are who you say you are."

    It's popular, popular enough to get into most distros in one form or another.

    If you care about security you can do most of the things it does yourself, via a script or manually.

    There are a few packages that are very similar, names depend on what type of unix yer inta!

    [This message has been edited by tHE vAGGABOND (edited 05-09-2001).]


  • Closed Accounts Posts: 21 ego


    Hi,

    Kerberos is a single sign-on solution. It allows a user to supply a username/password combination once and to be granted a ticket to identify the initial authentication. The user then supplies this ticket as authentication credentials to services which they care to access.

    e.g. Typical Unix authentication sequence

    (1) User runs kinit for a particular realm on their local workstation, the kinit requests a Ticket Granting Ticket from the Ticket Granting Server/Key Distribution Centre (TGS/KDC).

    (2) The KDC generates a ticket and encrypts it using the user's password (which is stored on the KDC).

    (3) Kinit requests the password from the user and uses this to decrypt the encrypted ticket.

    (4) The user can then use the ticket to identify them during authentication for kerberized services in their specific access range in a particular realm (defined on the KDC).

    (5) The user then uses a kerberized client (e.g. SSH, Sudo, ksu, etc) to gain a level of access to a service, be it interactive logon, file sharing (NetBIOS shares on windows), etc. When accessing such a service as opposed to the normal prompt of username/password the kerberized client will offer a ticket to the service, the service then contacts the KDC to verify the authenticity of the ticket, success = service granted.

    This removes the necessity for a user to continually authenticate with each service they wish to access, thus limiting the amount of times a user must send their password across the network. You might argue that this is irrelevant when encryption is used on the wire, however it does prevent statistical analysis of weak/flawed encryption methods [1].

    Tickets have lifetimes; when they expire the user must reauth with the KDC to generate a new ticket, which they can then use to authenticate with their favourite kerberized service. That is basically how Kerberos works. There is a lot of information out there, Google is your friend. I would suggest avoiding the RFCs until you have a firm understanding of the basics.

    To answer your questions:

    Does anyone use it?

    Yes, single sign-on solutions are quite common. Morgan Stanley use it (large financial institution), many universities in the US use it, etc etc. As for operating systems, Kerberos is the default authentication system used under Windows 2000 [2], MIT Kerberos is available for most UNIX based operating systems and Heimdal [3] (a free implementation of Kerberos) has made its way into the base of FreeBSD, OpenBSD, NetBSD and Debian.

    What do you use it for?

    To facilitate single sign-on and strong authentication. Having a ticket matched to specific credentials and permissible for use in defined domains allows for a nice distributed, scalable authentication system, which is quite manageable.

    Do you think it's cool or crap?

    Very cool, although the initial authentication sequence could do with being strengthened a tad (see PKINIT and HARDWARE_PREAUTH). So once these make it into the code base (I have good word from Assar - Heimdal Developer - that PKINIT has been developed and will be integrated soon).

    Are people using it?

    I do :) although I can't give you specific details :P Morgan Stanley use it [4]

    As for some of the answers given by "tHE vAGGABOND",

    Most authentication systems (apart from rlogin) are supposed to verify "you are who you say you are" - this is the essence of authenticity. Kerberos by default has a pretty weak initial authentication given that it relies on passwords, as we all know passwords are bad. See above for extensions to that.

    I would be interested in seeing an implementation of all of the features of kerberos being done by a bash script ;)

    I suggest you read up more on the protocol; it's significantly more complex than adding users to a host over scp (to make it secure). I'm not attempting to slate you, I just think you might have misunderstood the concept of Kerberos by making those claims. Feel free to correct me.

    Regards,
    Dave.

    References:

    [1] Passive Analysis of SSH Traffic: http://www.cs.sfu.ca/~yyua/personal/courses/project/pre_report.html
    [2] Windows 2000 Kerberos Authentication - http://www.microsoft.com/windows2000/techinfo/howitworks/security/kerberos.asp
    [3] Heimdal, a free implementation of Kerberos 5 - http://www.pdc.kth.se/heimdal/
    [4] Kerberos on Wall Street - http://www.usenix.org/publications/library/proceedings/sec96/full_papers/hollander/
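To make the five-step kinit/TGT sequence in Dave's post (and the OP's point that a ticket must prove the bearer knows the password and must not be reusable forever) concrete, here is a toy model of the AS exchange and of ticket expiry. This is an added example, not code from MIT Kerberos, Heimdal or anyone in this thread, and it does not follow the RFC 1510 wire format. The realm EXAMPLE.IE, the principal "al", the lifetime and the HMAC-based encrypt/decrypt helpers are constructed stand-ins for the real Kerberos encryption types and messages; the ticket check is done with the key the ticket was sealed under, as the party holding that key would do it.

```python
"""Toy model of the kinit / Ticket Granting Ticket exchange.

Constructed example: not MIT Kerberos or Heimdal code, and not the RFC 1510
wire format. encrypt/decrypt are a stand-in for Kerberos' real encryption
types, present only to show *why* the exchange proves knowledge of the password.
"""
import hashlib
import hmac
import json
import os
import time

NONCE_LEN = 16
TAG_LEN = 32


def derive_key(password: str, realm: str, principal: str) -> bytes:
    """Stand-in for string-to-key: salt with realm+principal so the same
    password yields different long-term keys in different realms."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(),
                               (realm + principal).encode(), 10_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption (HMAC keystream XOR + HMAC tag). Not a
    real cipher; it exists so a wrong key is *detected*, not silently junk."""
    nonce = os.urandom(NONCE_LEN)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return bytes(c ^ s for c, s in zip(ct, _keystream(key, nonce, len(ct))))


class KDC:
    """Holds each principal's long-term key (derived from the password) and
    the TGS key that tickets are sealed with. Constructed toy, not a real KDC."""

    def __init__(self, realm: str, lifetime: int = 8 * 3600):
        self.realm = realm
        self.lifetime = lifetime
        self.keys = {}
        self.tgs_key = os.urandom(32)

    def add_principal(self, name: str, password: str) -> None:
        self.keys[name] = derive_key(password, self.realm, name)

    def as_request(self, principal: str, now=None) -> bytes:
        """Steps (1)-(2): issue a TGT. The reply is sealed under the user's
        key, so only someone who knows the password can recover the session key."""
        now = time.time() if now is None else now
        session_key = os.urandom(32).hex()
        ticket = {"client": principal, "realm": self.realm, "session_key": session_key,
                  "issued": now, "expires": now + self.lifetime}
        sealed_ticket = encrypt(self.tgs_key, json.dumps(ticket).encode())
        reply = {"session_key": session_key, "expires": ticket["expires"],
                 "tgt": sealed_ticket.hex()}
        return encrypt(self.keys[principal], json.dumps(reply).encode())

    def check_ticket(self, tgt_hex: str, now=None) -> dict:
        """Step (5): the holder of the ticket key opens the ticket and refuses
        it once its lifetime has passed (the OP's safeguard against reuse)."""
        now = time.time() if now is None else now
        ticket = json.loads(decrypt(self.tgs_key, bytes.fromhex(tgt_hex)))
        if now > ticket["expires"]:
            raise ValueError("ticket expired; re-run kinit")
        return ticket


def kinit(kdc: KDC, principal: str, password: str, now=None) -> dict:
    """Step (3): derive the user key locally and decrypt the AS reply.
    A wrong password raises ValueError instead of yielding a usable ticket."""
    blob = kdc.as_request(principal, now)
    key = derive_key(password, kdc.realm, principal)
    return json.loads(decrypt(key, blob))


def ticket_accepted(kdc: KDC, tgt_hex: str, now=None) -> bool:
    try:
        kdc.check_ticket(tgt_hex, now)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    kdc = KDC("EXAMPLE.IE")            # constructed realm
    kdc.add_principal("al", "correct horse battery")
    creds = kinit(kdc, "al", "correct horse battery")
    print("TGT issued to", kdc.check_ticket(creds["tgt"])["client"])
    print("accepted 9h later:", ticket_accepted(kdc, creds["tgt"], time.time() + 9 * 3600))
```

Two things the post describes fall out of this directly: the password never leaves the workstation (the KDC only ever sends something sealed under the password-derived key, and a wrong password fails the integrity check rather than producing a plausible-looking ticket), and a stolen ticket is only useful until its expiry, after which the holder must go back through kinit.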

