The MIT Kerberos Administrator's How-to Guide
Protocol, Installation and Single Sign On

By Jean-Yves Migeon
© 2008 by the MIT Kerberos Consortium. Version of July 23, 2008.
WWW.ALMUHIBBIN.CO.CC
Contents

1. First part - Introducing Kerberos
   1. Unix historical authentication and authorization system: NIS
   2. How does Kerberos work?
   3. Ticket Exchange Service
   4. Authentication mechanism - Ticket Granting Tickets
      1. Pre-authentication
      2. 1st step: Authentication Service Request - AS_REQUEST
      3. 2nd step: Authentication Service Reply - AS_REPLY
   5. Service's use mechanism - Ticket Granting Service
      1. 1st step: Ticket Granting Service Request - TGS_REQUEST
      2. 2nd step: Ticket Granting Service Reply - TGS_REPLY
      3. 3rd step: Contacting service
   6. Conclusion
2. Second part - Deploying Kerberos
   1. Installing Kerberos MIT
   2. Server configuration
   3. Client configuration
      1. Clock sync
      2. DNS and reverse DNS
   4. Migrating from an existing database
      1. Using PAM
      2. Using an HTTP authentication
3. Third part - Using Services with Kerberos
   1. General thoughts
   2. Traditional host services
   3. OpenSSH
      1. Server configuration, ssh-server.foobar.com
      2. Client configuration, frank.foobar.com
   4. PAM
   5. OpenLDAP
   6. Apache
      1. Server side
      2. Client side
   7. NFSv3 and 4
      1. NFS Service configuration
      2. NFS Server
      3. NFS Client
      4. Troubleshooting NFS with Kerberos
   8. Postgresql
   9. Servers' redundancy
      1. The simple way
      2. The more technical way
   10. Servers' replication
      1. Configuring the master
      2. Configuring the slave
      3. Propagation
      4. Propagation failed?
   11. Cross Realm Authentication
      1. Theory
      2. Configuration
4. Glossary
5. Troubleshooting
6. Footnotes
7. References
First part - Introducing Kerberos

In the real world, identification is something we, as human beings, do naturally: through physical appearance, voice patterns, or even scent. It is based on the assumption that those attributes are unique and that they can be trusted. This ability lets us distinguish one person from another. However, when we are put in a situation where we cannot use those attributes to identify someone, as in a phone call for example, we are left with finding some other means to prove our identities. We sometimes identify ourselves with what is called a "shared secret", where one party asks the other party to prove its identity through information that is known only to both, like a password.

When we add a computer to this mechanism, with an identification that needs to be provided over a network, things become a little more complex. Sending this "shared secret", or password, over an unsecured network can be compared to shouting your password in a crowded room.

Many authentication mechanisms have been developed to solve those problems; Kerberos, developed at MIT in the 1980s, is one of them. It is often seen as an advanced system that offers many advantages over commonly used setups such as distributed authentication based on the Network Information Service (NIS). This white paper is intended to introduce, describe, and explain a Kerberos environment, and how to deploy such a system for maximum efficiency with Single Sign On (SSO).
Unix historical authentication and authorization system: NIS

Today, NIS is still widely used for network authentication and authorization. It is deployed in an environment that consists of a server (containing all the necessary directory files, like /etc/passwd and /etc/shadow [1]) and clients, which need this information to allow (or deny) access to certain persons. NIS (and its successor, NIS+) were developed with "central authentication" in mind: administrators can create accounts valid across the whole NIS domain and, with the help of file sharing systems (like NFS), share home directories and profiles over an entire network.

NIS is easy to set up and manage, which is what makes it so popular. However, it remains fundamentally flawed on the security front. For example, NIS communications are cleartext: every map transfer, the password database included, crosses the network unencrypted. Even unprivileged users are able to display the content of the passwd map (which, in the common configuration, carries the password hashes) through yp (yellow pages) commands such as ypcat passwd. NIS does not provide any kind of Single Sign On mechanism, that is, a way to securely store authenticators on the client so that the user is spared from re-entering passwords when accessing services (file sharing, intranet, mail, ...).

All in all, on the authentication side, NIS has some flaws that Kerberos is designed to solve. Those flaws are:

1. No secure propagation of user authenticators. Given some time, anyone with a sniffer is able to collect all the cleartext or hashed passwords propagated on the network. With Kerberos, passwords never cross the network, even on first login: the password is only used locally, to derive the key that decrypts the KDC's reply.
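As an added illustration of flaw 1 (example code written for this edit, not code from the guide or from MIT Kerberos), the toy below runs a NIS-style passwd map fetch and a Kerberos AS exchange with pre-authentication side by side and records every message on a "wire" list, so you can check what a sniffer would actually get. The realm and user names (FOOBAR.COM, frank), the ToyKDC class, the HMAC-based toy cipher standing in for the AES enctypes, the JSON message layout in place of ASN.1, and the simplified RFC 3962 string-to-key (PBKDF2-HMAC-SHA1 with the default realm+principal salt, final DK() step omitted) are all assumptions of this example.

```python
"""Toy model of flaw 1: NIS ships password hashes to any client that asks,
while a Kerberos AS exchange never puts the password, or a hash of it, on
the wire.  Added example, not code from the guide.  Assumed simplifications:
HMAC-SHA256 keystream + tag instead of AES, JSON instead of ASN.1, and
PBKDF2 with salt = realm + principal as a stand-in for RFC 3962 string2key."""
import hashlib
import hmac
import json
import os
import time

PBKDF2_ITERATIONS = 4096  # RFC 3962 default iteration count


def string2key(password: str, realm: str, principal: str) -> bytes:
    """Client-side long-term key derivation; the KDC stores only this key."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, PBKDF2_ITERATIONS, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Toy encrypt-then-MAC, standing in for the Kerberos AES enctypes."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


# ---- NIS side: 'ypcat passwd' pulls the whole map, hashes included, in clear ----
def nis_hash(password: str) -> str:
    return "$toy$" + hashlib.sha256(password.encode()).hexdigest()  # stand-in for crypt(3)


def nis_login(wire: list, passwd_map: dict, user: str, password: str) -> bool:
    wire.append(b"YPPROC_ALL passwd.byname")  # the map request
    wire.append("\n".join(f"{u}:{h}" for u, h in passwd_map.items()).encode())  # the reply
    return hmac.compare_digest(passwd_map[user], nis_hash(password))


# ---- Kerberos side: AS_REQ with PA-ENC-TIMESTAMP pre-authentication, then AS_REP ----
class ToyKDC:
    def __init__(self, realm: str, keys: dict):
        self.realm, self.keys = realm, keys  # principal -> long-term key, never passwords
        self.tgs_key = os.urandom(32)        # key of krbtgt/REALM

    def as_exchange(self, wire: list, principal: str, padata: bytes) -> dict:
        wire.append(json.dumps({"AS-REQ": principal, "padata": padata.hex()}).encode())
        key = self.keys[principal]
        try:
            ts = int(decrypt(key, padata).decode())  # fails unless the client knew the key
        except ValueError:
            raise PermissionError("KDC_ERR_PREAUTH_FAILED")
        if abs(ts - int(time.time())) > 300:
            raise PermissionError("KDC_ERR_PREAUTH_FAILED: clock skew too great")
        session = os.urandom(32)
        tgt = encrypt(self.tgs_key, json.dumps({"cname": principal, "key": session.hex()}).encode())
        enc_part = encrypt(key, json.dumps({"key": session.hex(), "sname": "krbtgt/" + self.realm}).encode())
        rep = {"AS-REP": principal, "ticket": tgt.hex(), "enc-part": enc_part.hex()}
        wire.append(json.dumps(rep).encode())
        return rep


def kinit(wire: list, kdc: ToyKDC, principal: str, password: str) -> dict:
    key = string2key(password, kdc.realm, principal)       # derived locally, never sent
    padata = encrypt(key, str(int(time.time())).encode())  # encrypted timestamp
    rep = kdc.as_exchange(wire, principal, padata)
    enc = json.loads(decrypt(key, bytes.fromhex(rep["enc-part"])))
    return {"tgt": bytes.fromhex(rep["ticket"]), "session_key": bytes.fromhex(enc["key"])}


def demo(password: str = "correct horse") -> dict:
    """Run both logins and report what a sniffer on each wire would see."""
    realm, user = "FOOBAR.COM", "frank"  # constructed sample realm and user
    nis_wire, krb_wire = [], []
    passwd_map = {user: nis_hash(password), "bob": nis_hash("hunter2")}
    nis_ok = nis_login(nis_wire, passwd_map, user, password)
    kdc = ToyKDC(realm, {user: string2key(password, realm, user)})
    creds = kinit(krb_wire, kdc, user, password)
    return {
        "nis_login_ok": nis_ok,
        "nis_wire_has_hash": any(nis_hash(password).encode() in m for m in nis_wire),
        "krb_wire_has_password": any(password.encode() in m for m in krb_wire),
        "krb_wire_has_key": any(string2key(password, realm, user).hex().encode() in m for m in krb_wire),
        "krb_session_key_len": len(creds["session_key"]),
    }


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the NIS wire carrying every user's hash (offline crackable by anyone on the segment), while the Kerberos wire carries only the principal name, an encrypted timestamp and an encrypted reply. A wrong password is rejected by the KDC at pre-authentication without the password or its hash ever leaving the client, which is the same shape as a real kinit: the key is computed from the password locally and only ciphertext under that key goes out.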
