afs and kerberos 5
play

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory - PowerPoint PPT Presentation

Oct 21, 2022 •129 likes •251 views

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school Kerberos implementation based on V4 protocol. Client-server transport uses RX. Raw Kerberos binary ticket placed in credential cache

  1. AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory

  2. Kerberos Use in AFS, “old school” • Kerberos implementation based on V4 protocol. • Client-server transport uses RX. • Raw Kerberos binary ticket placed in credential cache by klog/aklog (instead of Kerberos AP_REQ). • AFS kaserver also implements a standard Kerberos V4 server (used by the Windows client)

  3. How does this appear to users/ admins? • Admins create & manage users via kaserver utilities (kas, uss). • Users authenticate to AFS via klog, AFS- aware login program, etc etc. • Generally Kerberos is the only Kerberos service utilized by users.

  4. Kerberos 5 with AFS, the old way • Different Kerberos implementations allow the import of the kaserver database into the Kerberos 5 DB, so users can keep their passwords during a switch. • However, AFS only understands a Kerberos V4 ticket, so a vanilla Kerberos 5 ticket won’t work. • The solution is to use the Kerberos 524 service (krb524d) that can translate a Kerberos V5 ticket into a Kerberos V4 ticket. • Depending on your Kerberos client implementation, this may be done via kinit/login/pam_module or a separate aklog program.

  5. Extra Pieces To Make Life Easier • To prevent a cell-wide flag day, you want to support the “old” authentication mechanism (klog & friends) during a transition period. • To make this work, you can use fakeka (MIT) or the Heimdal KDC to support the AFS kaserver protocol. • This gives you the same user passwords no matter which program (V5 kinit, klog) you use to authenticate.

  6. How does this appear to users/ admins? • Users use kinit to authenticate, Kerberos-aware login program, appropriate PAM module, etc etc. Depending on you Kerberos, kinit/login may run aklog for you, or you have to run it by hand. • Since the TGT is always kept around, generally more sites in this configuration use other Kerberos services. • Admins create & manage users via Kerberos 5 admin suite. • Since the users no longer appear in a kaserver, uss & kas no longer work, so the old account creation process generally has to change.

  7. Items of Note in this Setup • Unsupported by IBM/Transarc (hah!) • The salt algorithm used by AFS, Kerberos V4, and Kerberos V5 are all different. • The AFS Windows client uses Kerberos V4 to the AFS DB servers. • The 524 service uses a port used by a recent Windows virus (4444), so admins may be reluctant to unblock it. • You still need to support single-DES at least for the AFS service (and users if you want klog to still work).

  8. Kerberos 5 with AFS, the new way • A security bug was discovered in Kerberos V4 cross-realm that was a flaw in the base protocol (in other words, there was no possible patch). • The solution was to modify the AFS servers to accept a V5 service ticket as well as a V4 service ticket. • krb524d has been modified in newer Kerberos releases so that it will simply return the unmodified V5 service ticket for the AFS service. • Other than that, everything is the same as the “old way” of doing Kerberos V5.

  9. A Few Extra Items of Note • The maximum size of the AFS token is 344 bytes. This normally isn’t a problem ... unless you’re using MS Kerberos. • Several possible solutions: use a modified krb524d which can strip out the MS PAC information from the ticket (patches from Doug Engert) or set a flag in the MS Kerberos DB to not include PAC information for that principal (coming soon, according to Doug). • The krb524d step is not really necessary (since an aklog has access to the V5 credentials), but adding client-side support for this requires an internal API (or hand-coding ASN.1). Next release of aklog may optionally support this (because of firewall issues).

  10. Cross-Realm Authentication and AFS • We make heavy use of this in production. It works well, but it has a few warts. • You need to create a PTS entry called system: authuser@foreign.realm (note lower case) and give it a high group quota. • Users that cross-realm authenticate with a modern aklog will get automatically created PTS entries (user@foreign.realm). • Foreign realm users don’t appear in system:authuser (but do appear in system:authuser@foreign.realm) • The AFS PTS ID is a high-numbered (>16 bits) id that doesn’t match the user’s Unix uid. This gives a few utilities some problems, but most things work just fine. • Uid mis-match confuses some users, but most don’t notice.

  11. And that’s it! Any Questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

Akademska in raziskovalna mrea Slovenije Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES aaa-podpora@arnes.si Cork Institute of Technology Cork, Ireland, 19.5.2009 Kerberos Kerberos Akademska in

353 views • 16 slides
A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol developed at MIT as part of Project Athena. Is a shared-secret, trusted third party authentication system. Uses encryption to provide

280 views • 8 slides
Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61 Kerberos Extensibility Document Status Notational Conventions Future Plans 1 Document Status Updates from -00 Update I-D boilerplate

407 views • 7 slides
OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006 Background Proposal is to define extensions to Kerberos V5 (rfc4120) to support pre-authentication using an OTP Three main aims: Allow an OTP

180 views • 14 slides
Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos4 1 Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure network: listen, modify secret key login session : from login to logout Version 5: more complex, not just TCP/IP, greater

98 views • 7 slides
Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many Authentication ? Servers Users How do users prove their identities when requesting services from machines on the network? Nave solution:

359 views • 10 slides
Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding COMP4631 L16 1 Agenda Distributed system security Introduction to Kerberos V4 Kerberos Realms Authentication with Kerberos in Windows NT 5

751 views • 30 slides
Kerberos & X.509 11

Kerberos & X.509 11

Kerberos & X.509 11 Network Security, Principles and Practice,2nd Ed. :

767 views • 51 slides
Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17 1 Agenda Distributed system security Introduction to Kerberos Kerberos Version 4 Authentication Protocol Authentication with Kerberos

494 views • 28 slides
Network Security: Kerberos Guevara Noubir noubir@ccs.neu.edu Network Security Reading

Network Security: Kerberos Guevara Noubir noubir@ccs.neu.edu Network Security Reading

Network Security: Kerberos Guevara Noubir noubir@ccs.neu.edu Network Security Reading assignment: Chapters 13-14 G. Noubir, Network Security Kerberos Outline Kerberos V4 Kerberos V5 G. Noubir, Network Security Kerberos 2 What is

1.16k views • 9 slides
Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions Principal Names are not remapped in cross-realm The destination KDC is not involved in cross-realm Privacy of principal names 1 Why Remap

534 views • 19 slides
Todays Objec2ves Kerberos Peer To Peer Overlay Networks Final Projects Nov 27,

Todays Objec2ves Kerberos Peer To Peer Overlay Networks Final Projects Nov 27,

11/27/17 Todays Objec2ves Kerberos Peer To Peer Overlay Networks Final Projects Nov 27, 2017 Sprenkle - CSCI325 1 Kerberos Trusted third party, runs by default on port 88 Security objects: Ticket: token, verifying

407 views • 30 slides
Kerberos Nicolas Gren` eche Centre de Ressources Informatique (CRI) - Universit e dOrl

Kerberos Nicolas Gren` eche Centre de Ressources Informatique (CRI) - Universit e dOrl

Kerberos Nicolas Gren` eche Centre de Ressources Informatique (CRI) - Universit e dOrl eans Projet SDS - LIFO et ENSI de Bourges nicolas.greneche@univ-orleans.fr 11/07/2011 Sommaire Pourquoi Kerberos ? 1 Les acteurs 2 Le

497 views • 22 slides
Development of techniques to remove Kerberos credentials from Windows Systems. Nick Offerman

Development of techniques to remove Kerberos credentials from Windows Systems. Nick Offerman

Development of techniques to remove Kerberos credentials from Windows Systems. Nick Offerman Steffan Roobol 04-07-2019 Introduction Figure 1: Kerberos Protocol 2 Problem Figure 1: the LSASS process and Mimikatz. 3 Research Questions

520 views • 27 slides
Specifying Kerberos 5 Cross-Realm Authentication Chris Walstad Joint work with Iliano Cervesato,

Specifying Kerberos 5 Cross-Realm Authentication Chris Walstad Joint work with Iliano Cervesato,

Specifying Kerberos 5 Cross-Realm Authentication Chris Walstad Joint work with Iliano Cervesato, Aaron D. Jaggard, Andre Scedrov Supported by ONR, NSF, NRL Overview Introduction Kerberos 5 Formalization Properties

454 views • 24 slides
Kerberos Working Group UTF-8 Stringprep Profile UTF-8 Stringprep Profile Goals and Principles

Kerberos Working Group UTF-8 Stringprep Profile UTF-8 Stringprep Profile Goals and Principles

Kerberos Working Group UTF-8 Stringprep Profile UTF-8 Stringprep Profile Goals and Principles Applicability - Kerberos strings Character Repertoire - Unicode 3.1 Unassigned Code Points - From Unicode 3.1 Mappings Normalization Prohibited

906 views • 7 slides
Richard W. Barnes, Chair BPV III W. Ken Sowder, Chair SG Fusion Facilities Background for Richard

Richard W. Barnes, Chair BPV III W. Ken Sowder, Chair SG Fusion Facilities Background for Richard

Richard W. Barnes, Chair BPV III W. Ken Sowder, Chair SG Fusion Facilities Background for Richard Barnes Chair of Section III Construction Of Components for Nuclear Facilities which is a Section of the ASME Boiler and Pressure Vessel

541 views • 32 slides
July 2016 through May 2017 Ken-Ton Fam ily Support Center Update Family Support Center

July 2016 through May 2017 Ken-Ton Fam ily Support Center Update Family Support Center

July 2016 through May 2017 Ken-Ton Fam ily Support Center Update Family Support Center Services were requested for 806 Fam ilies so far this school year Projected Total = 821 9 9 6 S T U D E N T S / 10 0 E M P L O Y E E S R E C E I V E D

361 views • 11 slides
Merck Investor Day FORWARD-LOOKING STATEMENT OF MERCK & Co., Inc., Kenilworth, N.J., USA

Merck Investor Day FORWARD-LOOKING STATEMENT OF MERCK & Co., Inc., Kenilworth, N.J., USA

Merck Investor Day FORWARD-LOOKING STATEMENT OF MERCK & Co., Inc., Kenilworth, N.J., USA These presentations from Merck & Co., Inc., Kenilworth, N.J., USA (the company) include forward- looking statements within the meaning

141 views • 3 slides
The Great Proton Search Continues Kenneth A. LaBel ken.label@nasa.gov Co-Manager, NASA/OSMA,

The Great Proton Search Continues Kenneth A. LaBel ken.label@nasa.gov Co-Manager, NASA/OSMA,

The Great Proton Search Continues Kenneth A. LaBel ken.label@nasa.gov Co-Manager, NASA/OSMA, NASA Electronic Parts and Packaging (NEPP) Program Ad hoc proton team formed by NASA OSMA/NEPP along with Air Force Space and Missiles Center

295 views • 18 slides
Comment on Ken Arrow: The social determination of behavior Karla Hoff The standard model assumes

Comment on Ken Arrow: The social determination of behavior Karla Hoff The standard model assumes

Comment on Ken Arrow: The social determination of behavior Karla Hoff The standard model assumes a rational actor Stable & autonomous preferences Market Autonomous people Under some conditions: Perfect competition No missing

403 views • 26 slides
Short presentation by Ken Carter at the Government/ Business/Charitable/Philanthropic meeting at

Short presentation by Ken Carter at the Government/ Business/Charitable/Philanthropic meeting at

Short presentation by Ken Carter at the Government/ Business/Charitable/Philanthropic meeting at Bay House, Cattlewash, Barbados on Wednesday 18 th April 2018, covering his Educational Technology Enterprises and the proposed

238 views • 5 slides
P ARTICIP ATION IN E XIS TING K EN -C AR YL R ANCH F ACILITIES , AMENITIES , AND S ERVICES O

P ARTICIP ATION IN E XIS TING K EN -C AR YL R ANCH F ACILITIES , AMENITIES , AND S ERVICES O

K EN -C AR YL R ANCH 2017 C OMMUNITY S URVEY S VEY R ES ULTS AND K EY FINDINGS UR R ES E R ATES PONS 2,550 households mailed a postcard invitation to complete the survey online 1,850 households on the KCR email list emailed an

812 views • 49 slides
Presentation for 2012 Equal Justice Conference; Ken Smith, Ken@GreatPrograms.org Page 2 Two M o

Presentation for 2012 Equal Justice Conference; Ken Smith, Ken@GreatPrograms.org Page 2 Two M o

A Presentation for the 2012 Equal Justice Conference by Ken Smith Ken Smith and Kelly Thayer Kelly Thayer The Resource for Great Programs, Inc. The Resour Thursday, May 17, 2012 Thursday, May 17, 2012 Jacksonville, FL Purpose

247 views • 13 slides

More recommend