1. Single Sign-on with Kerberos
   • Chris Eberle, Ryan Thomas, RC Johnson, Kim-Lan Tran
   • CS-591, Fall 2008
2. Introduction: Services
   • Examples of network services: email, shell accounts, websites
   • Each is traditionally responsible for authenticating its own users, so user information is duplicated
   • LDAP solves the duplication problem by acting as a directory service
   • The user must still authenticate each time a service is accessed
3. Single Sign-on Motivation
   • Gets rid of constant password prompts
   • The system administrator manages one group of users instead of a separate group for each service
   • The user has only one password to remember
   • Technique: validate the user's identity once and give secure access to all network services
4. Project Outline
   • Set up Kerberos, a popular mechanism used to achieve single sign-on
   • Set up 3 virtual machines on a network
   • Set up various network services: SSH, FTP, NFS, mail
5. LDAP Overview
   • Lightweight Directory Access Protocol
   • Stores information about users, groups, DNS, or any other service that needs a database
   • Entries can be added, modified, and queried
6. LDAP Choice
   • Chose OpenLDAP
     • Created in 1998, loosely based on the LDAP server at the University of Michigan
     • Uses an insecure communication mechanism
     • “One of the team members may have killed himself if we used a proprietary implementation”
   • Other LDAP choices: Active Directory by Microsoft, Open Directory by Novell, Red Hat Directory Server by Red Hat
7. SSL Overview
   • Secure Socket Layer: a protocol used to ensure that data transferred over a network is encrypted
   • Prevents tampering and eavesdropping
   • Used OpenSSL, which implements SSL and the newer TLS (Transport Layer Security) protocol
8. Kerberos Overview
   • A way to securely prove one's identity over a network
   • Open source application developed by MIT
   • Made up of two parts: the authentication server and the ticket granting server
   • A ticket is granted after the user authenticates
     • Uses symmetric key cryptography
     • Expires after a period of time
   • The user presents the ticket to a service, and the service authenticates the user without prompting for a password
9. Kerberos Diagram
10. Project Design
   • 3 virtual machines named Kenny, Cartman, and Stan
     • Cartman (Debian Lenny): central server running LDAP, Kerberos, and an NTP server
     • Stan (Debian Lenny): secondary server running mail, NFS, and FTP
     • Kenny (Ubuntu 8.04): client
   • All three run SSH servers
   • Kenny and Cartman mount Stan's NFS share
   • SSH does not accept RSA or DSA keys
   • The mail client on Kenny does not store passwords
11. LDAP Setup
   • Serves as the base for user information
   • Used a BDB database for the backend
   • Challenge: finding the different configuration file locations on Debian and Ubuntu
   • Tell name services to use LDAP
   • Configure PAM (Pluggable Authentication Modules) to authenticate against LDAP
   • Removed all local accounts from the machines
12. SSL Setup
   • Generate certificates
   • Problems pointing services at the correct certificates; needed to fix configuration files
   • Problems with nomenclature: references to the ldaps or StartTLS protocols
   • Changed the configuration from ldaps to ldap and enabled StartTLS
13. Kerberos Setup
   • Create and initialize the realm
   • Create principals for all hosts, users, and services
   • Change PAM from using LDAP to Kerberos (LDAP is still needed for other reasons)
   • Install Kerberos keys into the key stores of all clients
   • All machines must have the correct date and time
   • Validate the session for a ticket
   • Example principals:
     host/stan@VAST.UCCS.EDU
     imap/stan@VAST.UCCS.EDU
     [email_address]
     root/admin@VAST.UCCS.EDU
14. Kerberos (contd)
   • User authentication is handled by Kerberos, but user information (user id, groups, shell, home directory, etc.) is still handled by LDAP.
   • Users must recreate their password, so migrating from LDAP on a large network may not be feasible.
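The following Python script is an added example, not code from the slides or the project. It models the exchange described on the Kerberos Overview slide (authentication server issues a ticket-granting ticket, ticket granting server issues a service ticket, the service accepts the ticket without ever seeing a password) using the realm and the imap/stan principal from the Kerberos Setup slide. The user alice, the passwords, the 10-hour ticket lifetime and the 5-minute clock-skew limit are constructed values, and the cipher is a toy (SHA-256 keystream plus HMAC tag) so the script needs no third-party libraries. It also shows why the slide insists that all machines have the correct date and time: an authenticator whose timestamp disagrees with the recipient's clock is rejected.

```python
"""Toy model of the Kerberos exchange on the slides: the authentication server (AS)
issues a ticket-granting ticket, the ticket granting server (TGS) issues a service
ticket, and the service (imap/stan) accepts the ticket without seeing a password.
Constructed example with a toy cipher (SHA-256 keystream + HMAC tag); not the project's code."""
import hashlib, hmac, json, os, time

REALM = "VAST.UCCS.EDU"   # realm name from the slides
MAX_SKEW = 300            # seconds; MIT Kerberos' default clockskew
LIFETIME = 36000          # ticket lifetime in seconds (constructed: 10 hours)

def derive_key(password: str, principal: str) -> bytes:
    return hashlib.sha256((principal + ":" + password).encode()).digest()  # toy string-to-key

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def encrypt(key: bytes, obj: dict) -> bytes:
    """Toy authenticated encryption of a JSON object: nonce || ciphertext || HMAC tag."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("not encrypted under this key (wrong password or forged ticket)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def _check(ticket: dict, auth: dict, now: int) -> None:  # done by every ticket recipient
    if now > ticket["exp"]:
        raise PermissionError("ticket expired")
    if auth["client"] != ticket["client"]:
        raise PermissionError("authenticator does not match ticket")
    if abs(now - auth["ts"]) > MAX_SKEW:   # why every machine needs the correct date and time
        raise PermissionError("clock skew too great")

class KDC:
    """Authentication server and ticket granting server sharing one principal database."""
    def __init__(self):
        self.tgs_key = os.urandom(32)
        self.keys = {"krbtgt/%s@%s" % (REALM, REALM): self.tgs_key}

    def add_principal(self, principal: str, password: str) -> None:
        self.keys[principal] = derive_key(password, principal)

    def as_exchange(self, client: str, now: int) -> bytes:
        """AS-REP: TGT (sealed for the TGS) plus session key, sealed under the client's long-term key."""
        session = os.urandom(32).hex()
        tgt = encrypt(self.tgs_key, {"client": client, "key": session, "exp": now + LIFETIME})
        return encrypt(self.keys[client], {"key": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str, now: int) -> bytes:
        """TGS-REP: validate TGT + authenticator, issue a ticket sealed under the service's key."""
        t = decrypt(self.tgs_key, tgt)
        _check(t, decrypt(bytes.fromhex(t["key"]), authenticator), now)
        svc_session = os.urandom(32).hex()
        ticket = encrypt(self.keys[service], {"client": t["client"], "key": svc_session, "exp": now + LIFETIME})
        return encrypt(bytes.fromhex(t["key"]), {"key": svc_session, "ticket": ticket.hex()})

class Service:  # a Kerberized service such as imap/stan: holds only its own key (the keytab)
    def __init__(self, principal: str, key: bytes):
        self.principal, self.key = principal, key

    def ap_request(self, ticket: bytes, authenticator: bytes, now: int) -> str:
        t = decrypt(self.key, ticket)
        _check(t, decrypt(bytes.fromhex(t["key"]), authenticator), now)
        return t["client"]   # authenticated principal; no password was sent

class Client:
    def __init__(self, principal: str, password: str):
        self.principal, self.key = principal, derive_key(password, principal)

    def login(self, kdc: KDC, now: int) -> None:
        """kinit: the password is used exactly once, to open the AS-REP."""
        rep = decrypt(self.key, kdc.as_exchange(self.principal, now))
        self.tgt, self.tgt_key = bytes.fromhex(rep["tgt"]), bytes.fromhex(rep["key"])

    def _authenticator(self, key: bytes, now: int) -> bytes:
        return encrypt(key, {"client": self.principal, "ts": now})

    def use_service(self, kdc: KDC, svc: Service, client_now: int, server_now: int) -> str:
        rep = decrypt(self.tgt_key, kdc.tgs_exchange(
            self.tgt, self._authenticator(self.tgt_key, client_now), svc.principal, server_now))
        ticket, svc_key = bytes.fromhex(rep["ticket"]), bytes.fromhex(rep["key"])
        return svc.ap_request(ticket, self._authenticator(svc_key, client_now), server_now)

def demo(elapsed: int = 0, skew: int = 0) -> str:
    """Log in as a constructed user, reach imap/stan `elapsed` s later with server clocks `skew` s ahead."""
    kdc = KDC()
    kdc.add_principal("alice@" + REALM, "correct horse")       # constructed user
    kdc.add_principal("imap/stan@" + REALM, "keytab-secret")   # service principal from the slides
    imap = Service("imap/stan@" + REALM, kdc.keys["imap/stan@" + REALM])
    alice = Client("alice@" + REALM, "correct horse")
    t0 = int(time.time())
    alice.login(kdc, t0)
    return alice.use_service(kdc, imap, t0 + elapsed, t0 + elapsed + skew)
```

`demo()` returns `alice@VAST.UCCS.EDU`, the principal the IMAP service authenticated without a password. `demo(skew=600)` raises `PermissionError("clock skew too great")` and `demo(elapsed=LIFETIME + 1)` raises `PermissionError("ticket expired")`, which is the behaviour behind the slide's NTP server and "correct date and time" requirement. A client constructed with the wrong password fails at `login()` because it cannot open the AS-REP, so the KDC never learns whether the password was right or wrong beyond that.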
15. SSH Setup
   • Modify the SSH server configuration to accept GSSAPI (Kerberos) credentials:
       GSSAPIAuthentication yes
       GSSAPICleanupCredentials yes
       GssapiKeyExchange yes
       AllowTcpForwarding yes
   • Modify the SSH client configuration to send GSSAPI credentials when connecting:
       GSSAPIAuthentication yes
       GSSAPIDelegateCredentials yes
   • Users only need to log in once to SSH anywhere or use any other Kerberos service.
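As an added example (not from the slides or the project), the Python script below checks an sshd_config or ssh_config text for the settings listed on this slide. It models two rules of the real OpenSSH parser that matter when auditing: keywords are case-insensitive (so the slide's `GssapiKeyExchange` spelling is fine), and the first occurrence of a keyword wins, so a stray `GSSAPIAuthentication no` higher in the file silently disables single sign-on even when the lines from the slide appear below it. The sample configuration texts are constructed; the `PubkeyAuthentication no` entry in `SERVER_REQUIRED` is an assumption about how the Project Design slide's "does not accept RSA or DSA keys" was implemented.

```python
"""Audit sshd_config / ssh_config text for the GSSAPI settings on the SSH Setup slide.
Constructed example, not the project's code. Models two rules of the real parser:
keywords are case-insensitive, and the FIRST occurrence of a keyword wins."""
import re

# Server settings from the slide, plus the assumed "no RSA/DSA keys" design choice
SERVER_REQUIRED = {"gssapiauthentication": "yes", "gssapicleanupcredentials": "yes",
                   "gssapikeyexchange": "yes", "allowtcpforwarding": "yes",
                   "pubkeyauthentication": "no"}
# Client settings from the slide
CLIENT_REQUIRED = {"gssapiauthentication": "yes", "gssapidelegatecredentials": "yes"}

_LINE = re.compile(r"^([A-Za-z0-9]+)\s*=?\s*(.*?)\s*$")   # "Keyword value" or "Keyword=value"


def parse_ssh_config(text: str) -> dict:
    """Map lowercased keyword -> first value seen in the unconditional section.
    Lines after 'Match <cond>' (sshd_config) or 'Host <pattern>' (ssh_config) apply only
    to matching users/hosts and are not recorded; 'Host *' and 'Match all' stay global."""
    settings = {}
    conditional = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = _LINE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2)
        if key in ("match", "host"):
            conditional = value.strip().lower() not in ("*", "all")
            continue
        if not conditional and key not in settings:
            settings[key] = value   # first occurrence wins, as in sshd_config(5)
    return settings


def audit(text: str, required: dict) -> list:
    """Return [(keyword, value_found_or_None)] for every required setting that is missing
    or differs from the slide's value; an empty list means the file is compliant."""
    cfg = parse_ssh_config(text)
    return [(k, cfg.get(k)) for k, want in required.items()
            if cfg.get(k, "").lower() != want]


# Constructed sample sshd_config: the slide's lines are present, but an earlier
# "GSSAPIAuthentication no" wins, so Kerberos logins would still fail.
SAMPLE_SSHD = """\
# constructed sample /etc/ssh/sshd_config with one mistake
Port 22
GSSAPIAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
GssapiKeyExchange yes
AllowTcpForwarding yes
PubkeyAuthentication no
Match User backup
    PubkeyAuthentication yes
"""

# Constructed sample ssh_config matching the client side of the slide
SAMPLE_SSH_CLIENT = """\
# constructed sample /etc/ssh/ssh_config
Host *
    GSSAPIAuthentication yes
    GSSAPIDelegateCredentials yes
"""

if __name__ == "__main__":
    print("server:", audit(SAMPLE_SSHD, SERVER_REQUIRED))    # [('gssapiauthentication', 'no')]
    print("client:", audit(SAMPLE_SSH_CLIENT, CLIENT_REQUIRED))  # []
```

Run it against a real file with `audit(open("/etc/ssh/sshd_config").read(), SERVER_REQUIRED)`; any tuple returned names a keyword whose effective (first) value is not what the slide calls for, and `None` means the keyword is absent and the daemon default applies.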
16. FTP Setup
   • Set up FTP on Stan
   • Needed the “krb5-ftpd” package, a “Kerberized” version of FTP
   • Problem: did not realize that the inetd server daemon wasn't installed; inetd manages services by mapping them to specific ports and launching the correct service
   • Used the “krb-ftp” command on Kenny to test FTP; it came with the “krb-client” package
17. NFS Setup
   • NFSv4
   • Server setup
     • Added principals to Kerberos
     • Modified the exports file
     • Ensured RPC services (idmap) were starting correctly
   • Client setup
     • RPC services (idmap)
     • Imported Kerberos keys
   • Recreated key files on all machines
   • Verified permissions and mount points
   • Set up home directories to mount automatically
18. IMAP Server
   • Set up dovecot (a popular IMAP server) with secure SSL extensions on Stan
   • Kerberos used for authentication; regular password authentication disabled
   • LDAP used for user information (e.g. the path to each user's mail directory)
   • Set up a quick-n-dirty postfix install to allow delivery of mail (no Kerberos, though)
19. IMAP Client
   • Used Thunderbird on Kenny as the IMAP client
   • Must tell Thunderbird to use Kerberos: the option is “Use secure authentication” (different from SSL/TLS)
   • The client can receive email after logging in to the desktop without being asked for a password
   • Bonus: Thunderbird doesn't have to store your email password anywhere, so it's more secure
20. Future Directions
   • Add firewall security
   • Add more services such as Apache
   • Add multiple platforms
   • Add security to SMTP
21. References
   • Debian (www.debian.org)
   • Ubuntu (ubuntuforums.org)
   • en.gentoo-wiki.com
   • Chris
