Kerberos : The network authentification protocol
1 like351 views
The document outlines the establishment of the Open Source School in France, supported by a 1.4 million euro government investment, aiming to address the skills shortage in the open-source sector. It details training programs for both initial education and professional development in open-source technologies, with a focus on Kerberos, a network authentication protocol. Additionally, it covers various aspects of Kerberos, including its implementation, web applications, and integration with Active Directory, emphasizing its central role in secure authentication.
![The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab
MIT Kerberos 5
MIT client config
[ l i b d e f a u l t s ]
d e f a u l t r e a l m = FORMATION.TLD
[ realms ]
FORMATION.TLD = {
kdc = 1 9 2 . 1 6 8 . 0 . 2
a d m i n s e r v e r = 1 9 2 . 1 6 8 . 0 . 2
}
[ domain realm ]
. mylan = FORMATION.TLD
www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 15/25](https://image.slidesharecdn.com/07-osskerberos-thenetworkauthentificationprotocol-160526152428-180725091253/85/Kerberos-The-network-authentification-protocol-18-320.jpg)
Kerberos : The network authentification protocol
- 1. Kerberos The Network Authentication Protocol
- 2. 1 La 1ère école 100 % dédiée à l'open source Open Source School est fondée à l'initiative de Smile, leader de l'intégration et de l'infogérance open source, et de l'EPSI,établissement privé pionnier de l’enseignement supérieur en informatique. Dans le cadre du Programme d’Investissements d’Avenir (PIA), le gouvernement français a décidé de soutenir la création de cette école en lui attribuant une première aide de 1,4M€ et confirme sa volonté de soutenir la filière du Logiciel Libre actuellement en plein développement. Avec une croissance annuelle de plus de 10%, et 4 000 postes vacants chaque année dans le secteur du Logiciel Libre, OSS entend répondre à la pénurie de compétences du secteur en mobilisant l’ensemble de l’écosystème et en proposant la plus vaste offre en matière de formation aux technologies open source tant en formation initiale qu'en formation continue.
- 3. 2 Les formations du plein emploi ! Formation Continue Open Source School "Executive Education" est un organisme de formation qui propose un catalogue de plus de 200 formations professionnelles et différents dispositifs de reconversion permettant le retour à l’emploi (POE) ou une meilleure employabilité pour de nombreux professionnels de l’informatique. Pour vos demandes : formations@opensourceschool.fr Formation Initiale 100% logiciels libres et 100% alternance, le cursus Open Source School s’appuie sur le référentiel des blocs de compétences de l’EPSI. Il est sanctionné par un titre de niveau I RNCP, Bac+5. Le programme est proposé dans 6 campus à Bordeaux, Lille, Lyon, Montpellier, Nantes, Paris.
- 4. 3 Nos domaines de formations
- 5. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab Plan 1 The Kerberos Protocol 2 Kerberos implementations 3 Kerberos for web applications 4 Lab www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 2/25
- 6. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab Network Authentication Today, most authentication protocols consist in : client sends login (in clear) client sends password (in clear) server checks login/password against its database Problems : cleartext (enclosing the whole session in TLS mitigates this) you need to authenticate every time you use a service every server needs an up-to-date copy of the password database www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 3/25
- 7. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab Enter Kerberos Kerberos is : an authentication mechanism NOT a directory NOT an authorization mechanism centralized : only one password database, servers no longer store passwords security-focused : it can run safely over insecure networks (eavesdropping, replay...) SSO : you only use you password once www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 4/25
- 8. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab The big picture www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 5/25
- 9. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab Kerberos and the DNS Kerberos relies on DNS to find servers and principals Which realm a particular host belongs to : kerberos.part.of.fqdn TXT "KERBEROS.TLD" What servers to contact for this realm kerberos. udp.realm SRV 0 0 88 krbsrv kerberos-master. udp.realm SRV 0 0 88 krbsrv kerberos-adm. tcp.realm SRV 0 0 749 krbsrv kpasswd. udp.realm SRV 0 0 464 krbsrv Kerberos uses reverse DNS to find the principal attached to a host www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 6/25
- 10. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab Vocabulary Ticket : cryptographic material exchanged by parties TGT : Ticket-Granting Ticket ST : Service Ticket KDC : Key Distribution Server AS : Authentication Server (grants TGT) TGS : Ticket-Granting Server (grants ST) SS : Service Server principal : identifier of a secret keytab : holds cryptographic material on SS www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 7/25
- 11. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab Cross-realm authentication 0 A secret is echanged between the two KDC 1 The client gets a TGT to the server KDC from it’s own KDC 2 The client gets a ST from the server KDC, using this TGT 3 The client authenticates to the server using this ST www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 8/25
- 12. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab Prerequisites, best practices All clocks must be in sync forward and reverse DNS have to be consistent, and have to match the server’s hostname no NAT www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 9/25
- 13. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab Plan 1 The Kerberos Protocol 2 Kerberos implementations MIT Kerberos 5 Active Directory 3 Kerberos for web applications 4 Lab www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 10/25
- 14. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab MIT Kerberos 5 Plan 1 The Kerberos Protocol 2 Kerberos implementations MIT Kerberos 5 Active Directory 3 Kerberos for web applications 4 Lab www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 11/25
- 15. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab MIT Kerberos 5 Overview Reference Kerberos implementation since the 1980s Support domain trust, master-slave delayed replication Can use LDAP backend MIT KDC can be trusted by a Windows domain MIT client can login to a Windows domain www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 12/25
- 16. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab MIT Kerberos 5 MIT server krb5kdc KDC, distributes tickets and TGT can be replicated kadmind server for admin operation also password changes only one kadmin.local local kerberos administration www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 13/25
- 17. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab MIT Kerberos 5 MIT client kadmin : remote kerberos administration kinit/kdestroy : get TGT / destroy all tickets kpasswd : change password klist : list current tickets ktutil : keytab operations www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 14/25
- 18. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab MIT Kerberos 5 MIT client config [ l i b d e f a u l t s ] d e f a u l t r e a l m = FORMATION.TLD [ realms ] FORMATION.TLD = { kdc = 1 9 2 . 1 6 8 . 0 . 2 a d m i n s e r v e r = 1 9 2 . 1 6 8 . 0 . 2 } [ domain realm ] . mylan = FORMATION.TLD www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 15/25
- 19. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab Active Directory Plan 1 The Kerberos Protocol 2 Kerberos implementations MIT Kerberos 5 Active Directory 3 Kerberos for web applications 4 Lab www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 16/25
- 20. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab Active Directory Overview Active Directory uses Kerberos for SSO EEE at first, got better since Kerberos is tightly integrated into AD Workstations usually login to AD Can export keytab for third-party applications www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 17/25
- 21. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab Active Directory Built-in Every AD domain has a KDC and a principal database Users get a TGT when they log in Kerberos is preferred over NTLM for SSO in the domaine However, when Kerberos fails, NTLM is used as a fallback Samba in ADS security configuration can use AD Kerberos Apache with mod auth kerb can use AD Kerberos www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 18/25
- 22. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab Active Directory Creating principals Creating a user autimatically creates a new login@domain principal To create a service principal, you must create a dummy account Samba works around this using the machine account it’s liked to use ktpass to assign a principal to a user and generate a keytab for MIT www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 19/25
- 23. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab Plan 1 The Kerberos Protocol 2 Kerberos implementations 3 Kerberos for web applications 4 Lab www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 20/25
- 24. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab HTTP-Negotiate SPNEGO/GSSAPI/Kerberos Supported in major browsers Server sends 401 : WWW-Authenticate: Negotiate Client sends its service ticket along with the request Every request has to be sent twice www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 21/25
- 25. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab Guidelines The application needs to be modified You should only configure kerberos auth on the login from Alternatively : setup CAS+Kerberos Kerberos is only auth : you need something else to find info about the user (LDAP, internal db...) If you integrate with AD : you will need a server keytab PHP : Apache mod auth kerb Tomcat/JBoss : JAAS www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 22/25
- 26. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab Apache mod auth kerb apache must be allowed to read the keytab AuthType Kerberos KrbMethodNegotiate on KrbMethodK5Passwd on KrbServiceName HTTP/something@REALM : Only use this if you must Krb5Keytab /etc/apache2/keytab : better use a separate keytab KrbSaveCredentials on : if the client allows delegation, its credentials are tranferred to the web server, you can then use the TGT stored in the $KRB5CCNAME file, this file is destroyed at the end of the request. www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 23/25
- 27. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab Plan 1 The Kerberos Protocol 2 Kerberos implementations 3 Kerberos for web applications 4 Lab www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 24/25
- 28. The Kerberos Protocol Kerberos implementations Kerberos for web applications Lab Goals 1 Setup a MIT Kerberos KDC 2 Use GSSAPI auth on a ssh server 3 Setup a kerberized web server 4 Change the web server to authenticate against an Active Direcory server www.opensourceschool.fr – Licence Creative Commons (CC BY-SA 3.0 FR) – 25/25