The MIT Kerberos Administrator’s How
-to Guide
Protocol, Installation and Single Sign On
WWW.ALMUHIBBIN.CO.CC
© 2008 by the MIT Kerberos Consortium Ver. July 23, 2008Page 1 of 62
The MIT Kerberos Administrator’s How
-to Guide
Protocol, Installation and Single Sign On
By Jean-Yves Migeon
Contents
1. First part - Introducing Kerberos1. Unix historical authentication and authorization system: NIS2. How does Kerberos work?3. Ticket Exchange Service4. Authentication mechanism - Ticket Granting Tickets1. Pre-authentication2. 1
step: Authentication Service Request - AS_REQUEST3. 2
step: Authentication Service Reply - AS_REPLY5. Service's use mechanism - Ticket Granting Service1. 1
step: Ticket Granting Service Request - TGS_REQUEST2. 2
step: Ticket Granting Service Reply - TGS_REPLY3. 3
step: Contacting service6. Conclusion2. Second part - Deploying Kerberos1. Installing Kerberos MIT2. Server configuration3. Client configuration1. Clock sync2. DNS and reverse DNS4. Migrating from an existing database1. Using PAM2. Using an HTTP authentication3. Third part - Using Services with Kerberos
The MIT Kerberos Administrator’s How
-to Guide
Protocol, Installation and Single Sign On
WWW.ALMUHIBBIN.CO.CC
1. General thoughts2. Traditional host services3. OpenSSH1. Server configuration, ssh-server.foobar.com2. Client configuration, frank.foobar.com4. PAM5. OpenLDAP6. Apache1. Server side2. Client side7. NFSv3 and 41. NFS Service configuration2. NFS Server 3. NFS Client4. Troubleshooting NFS with Kerberos8. Postgresql9. Servers' redundancy1. The simple way2. The more technical way10. Servers' replication1. Configuring the master 2. Configuring the slave3. Propagation4. Propagation failed?11. Cross Realm Authentication1. Theory2. Configuration4. Glossary5. Troubleshooting6. Footnotes
The MIT Kerberos Administrator’s How
-to Guide
Protocol, Installation and Single Sign On
WWW.ALMUHIBBIN.CO.CC
7. References
First part - Introducing Kerberos
In the real world, identification is something we, as human beings, do naturally: through physical appearance,voice patterns, or even scent. It is based on the assumption that those attributes are unique, and that they can betrusted. This ability provides us with the possibility to distinguish one person from another.However, when put in a situation where we're not able to use those attributes to identify someone, as in a phone call for example, we're left with finding some other means to prove our identitys. We sometimesidentify ourselves with what is called a "shared secret", where one party asks the other party to prove hisidentity through information that is only known by both, like a password.When we add a computer to this mechanism, with an identification that needs to be provided over a network,things are going a little more complex. Sending this "shared secret", or password, over an unsecured network can be compared to shouting your password in a crowded room.Many authentication mechanisms were developped during the last decade to solve those problems; Kerberos isone of them. Often seen as an advanced system that offers many more advantages over commonly used setups,such as distributed authentication based on Network Information Server (NIS). This white paper is intended tointroduce, describe, and explain a Kerberos environnement, and how to deploy such system for maximumefficiency with Single Sign On (SSO).
Unix historical authentication and authorization system: NIS
Today, NIS remains the system of choice for network authentication and authorization, were it is used in anenvironment that consists of a server (containing all the necessary directory services,like
/etc/passwd
and
/etc/shadow
1
), and clients, which need this information to allow (or deny) access to certain persons. NIS (and his counterpart, NIS+) were developed with "central authentication" in mind: administrators have the possibility to create realm accounts, and, with the help of file sharing systems (like NFS), share profiles over an entire network. NIS is easy to set up and manage, which makes it so popular. However, it remains fundamentaly flawed on thesecurity front. For example, NIS communications are cleartext based. Even unpriviledged users are able todisplay the content of the passwd database, through yp (yellow pages) commands. NIS does not provide any kind of Single Sign On mechanisms, the ability to securely store authenticators onthe client, preventing the user to re-enter passwords when accessing services (file sharing, intranet, mails, ...).All in all, on the authentication side, NIS has some flaws that Kerberos tends to solve with his ownimplementation.Those flaws are:1.
No secure propagation of user authenticators. With some time, anyone using a sniffer is able to get allthe cleartext or hashed password propagated on the network. With Kerberos, password never cross thenetwork, even on first login.
Search History:
Result 00 of 00
00 results for result for
p.
2008 by the MIT Kerberos
the MIT Kerberos, overview full of Kerberos server implementation
641
Reads
0
Readcasts
0
Embed Views
More From This User
Notes
Load more
