kerberos and single sign on with http
play

Kerberos and Single Sign-On with HTTP Joe Orton Senior Software - PowerPoint PPT Presentation

Mar 31, 2023 •210 likes •481 views

Kerberos and Single Sign-On with HTTP Joe Orton Senior Software Engineer, Red Hat Overview Introduction The Problem Current Solutions Future Solutions Conclusion Introduction WebDAV: common complaint of poor

  1. Kerberos and Single Sign-On with HTTP Joe Orton Senior Software Engineer, Red Hat

  2. Overview • Introduction • The Problem • Current Solutions • Future Solutions • Conclusion

  3. Introduction • WebDAV: common complaint of poor support for authentication in HTTP • Kerberos is “The” network authentication protocol

  4. The Problem • How to integrate HTTP servers into a Kerberos infrastructure? • Single Sign-On: reducing the number of times people enter passwords • Ideal: user authentication exactly once per “session”; not per-server and/or per-service

  5. The Problem: Scope • Covering intranet/enterprise/organisation- wide HTTP authentication • Out of scope: SSO for “The Web” • In scope? Proxy authentication

  6. GSSAPI vs HTTP • GSSAPI: protocol-agnostic token-based API • Authentication, optional integrity and/or confidentiality – but not really optional • Confidentiality/integrity = transport layer • In HTTP, authentication is independent from the transport layer

  7. Current Solutions • Stanford WebAuth: forms and cookies • HTTP “Basic” authentication • HTTP “Negotiate” authentication

  8. Stanford WebAuth • Cookie-based authentication • Token-passing via browser redirects between web server and “WebKDC” • Kerberos credentials passed to WebKDC via HTML form • WebKDC passes token back to web server

  9. Stanford WebAuth • “Application layer” solution • Cookies + HTML != HTTP authentication • Requires SSL when passing credentials • Requires a real web browser: won't work with generic WebDAV clients • Requires a special server to be WebKDC

  10. Stanford WebAuth • Training users to enter Kerberos credentials into web forms is Very Bad ™ - phishing • Cannot authenticate to proxies • Session termination? Flush cookies • Session scope: within one web browser but then covers all servers

  11. Kerberos via Basic Auth • Use standard HTTP Basic authentication • Send Kerberos credentials as Basic auth credentials • Web server authenticates as user directly to KDC • Works with any generic HTTP client

  12. Kerberos via Basic Auth GET /secret/ HTTP/1.1 HTTP/1.1 401 Unauthorized WWW-Authenticate: Basic realm=”Blah” GET /secret/ HTTP/1.1 Authorization: Basic QWxuIHNlc2FZQ== HTTP/1.1 200 OK

  13. Kerberos via Basic Auth • Requires SSL when passing credentials • Training users to enter credentials into HTTP authentication dialogs is also Very Bad ™ • Can authenticate to proxies • Session scope: one web browser, one server • Session termination: flush cached credentials

  14. The “Negotiate” Scheme • New HTTP authentication scheme (kind of) • Written by Microsoft; I-D published 2001 • Became “Informational” RFC 4559 in 2006 • Uses GSSAPI with “SPNEGO” for NTLM • Implemented as HTTP client extension, custom server module

  15. Negotiate: Protocol trace 1. GET /secret/ HTTP/1.1 2. HTTP/1.1 401 Unauthorized WWW-Authenticate: Negotiate [token] 3. GET /secret/ HTTP/1.1 Authorization: Negotiate Y.....Q== [goto 2, or...] HTTP/1.1 200 OK

  16. The “Negotiate” scheme • Supported at HTTP client level; works with WebDAV etc • Implemented by Firefox, MSIE • Requires SSL to secure the connection • Could almost work with proxies

  17. The “Negotiate” Scheme • Even the name is bad • Per-connection authentication! • Breaks RFC2617 challenge grammar • Abuses RFC2617 headers

  18. mod_auth_kerb • Module for Apache httpd 1.3/2.x • Maintained by Daniel Kouril, BSDy license • Version 5.0 released August 2006, first non- beta release • Supports both Negotiate and Kerberos-over- Basic authentication

  19. mod_auth_kerb Configuration • Obtain a service key from the KDC • Name, for example: HTTP/www.example.com@EXAMPLE.COM • Service key in keytab – check permissions! • Load module and add access control configuration, either httpd.conf or .htaccess

  20. Access control Configuration <Location /private> AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate On KrbMethodK5Passwd Off ...

  21. Access control continued KrbAuthRealms EXAMPLE.COM Krb5KeyTab /etc/httpd/conf/keytab require valid-user SSLRequireSSL </Location>

  22. Client configuration • Firefox: • MSIE should work within “Intranet zone”

  23. Conclusion • Strong authentication as an HTTP authentication scheme alone is not enough • “Negotiate” is a practical if flawed solution for Kerberos Single Sign-On with HTTP • But MUST be used over SSL

  24. Future Solutions • RFC2712: TLS with Kerberos ciphersuites • Implemented in OpenSSL; no deployment • A “GSSAPI Transport Layer” for HTTP? • Implement via Upgrade: header (RFC2817)

  25. Resources • http://webauth.stanford.edu/ • http://modauthkerb.sourceforge.net/ • http://www.ietf.org/rfc/rfc4559.txt • http://www.ietf.org/rfc/rfc2712.txt • These slides: http://people.apache.org/~jorton/ac06us/

  26. Q&A Any questions?

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Kerberos and Single Sign-On with HTTP Joe Orton Red Hat Overview Introduction The

Kerberos and Single Sign-On with HTTP Joe Orton Red Hat Overview Introduction The

Kerberos and Single Sign-On with HTTP Joe Orton Red Hat Overview Introduction The Problem Current Solutions Future Solutions Conclusion Introduction WebDAV: common complaint of poor support for authentication in

917 views • 34 slides
Taming the Beast Assess Kerberos-Protected Networks Emmanuel Bouillon Introduction

Taming the Beast Assess Kerberos-Protected Networks Emmanuel Bouillon Introduction

Taming the Beast Assess Kerberos-Protected Networks Emmanuel Bouillon Introduction Sophisticated network authentication system holy grail of sys &amp; net admins: secure single sign on Used by large organizations and academic

515 views • 38 slides
Single sign-on enabled OpenCms Architecture for Single sign-on implementation into OpenCms

Single sign-on enabled OpenCms Architecture for Single sign-on implementation into OpenCms

Single sign-on enabled OpenCms Architecture for Single sign-on implementation into OpenCms Pavel Slav ek, pavel.slavicek@qbizm.cz Brno, The Czech Republic, 2. 5. 2008 Content Single sign-on introduction (SSO) Introduction to

959 views • 24 slides
AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school Kerberos implementation based on V4 protocol. Client-server transport uses RX. Raw Kerberos binary ticket placed in credential cache

251 views • 11 slides
Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

Akademska in raziskovalna mrea Slovenije Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES aaa-podpora@arnes.si Cork Institute of Technology Cork, Ireland, 19.5.2009 Kerberos Kerberos Akademska in

353 views • 16 slides
I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform Agenda Authentication Inbound authentication Outbound authentication Single Sign-on Definitions Stage Process Method Physical

781 views • 48 slides
Integration of N-tiers application Using CAS Single Sign On system with a webmail application,

Integration of N-tiers application Using CAS Single Sign On system with a webmail application,

Integration of N-tiers application Using CAS Single Sign On system with a webmail application, Horde K.U.Leuven Association velpi@groupt.be http://shib.kuleuven.be Integration of N-tiers application http://associatie.kuleuven.be/

911 views • 58 slides
A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol developed at MIT as part of Project Athena. Is a shared-secret, trusted third party authentication system. Uses encryption to provide

280 views • 8 slides
Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61 Kerberos Extensibility Document Status Notational Conventions Future Plans 1 Document Status Updates from -00 Update I-D boilerplate

407 views • 7 slides
OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006 Background Proposal is to define extensions to Kerberos V5 (rfc4120) to support pre-authentication using an OTP Three main aims: Allow an OTP

180 views • 14 slides
Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos4 1 Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure network: listen, modify secret key login session : from login to logout Version 5: more complex, not just TCP/IP, greater

98 views • 7 slides
Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many Authentication ? Servers Users How do users prove their identities when requesting services from machines on the network? Nave solution:

359 views • 10 slides
Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding COMP4631 L16 1 Agenda Distributed system security Introduction to Kerberos V4 Kerberos Realms Authentication with Kerberos in Windows NT 5

751 views • 30 slides
Kerberos &amp; X.509 11

Kerberos &amp; X.509 11

Kerberos &amp; X.509 11 Network Security, Principles and Practice,2nd Ed. :

767 views • 51 slides
Kerberos Working Group Internationalization for Extensions Jeffrey Altman PAGE 1 Guiding

Kerberos Working Group Internationalization for Extensions Jeffrey Altman PAGE 1 Guiding

Kerberos Working Group Internationalization for Extensions Jeffrey Altman PAGE 1 Guiding Principles Use Unicode restricted as needed to provide interoperability and future extensibility A single set of string preparation rules for all

173 views • 14 slides
Single Sign- -On across On across Single Sign Web Services Web Services Ernest Artiaga

Single Sign- -On across On across Single Sign Web Services Web Services Ernest Artiaga

Single Sign- -On across On across Single Sign Web Services Web Services Ernest Artiaga Artiaga Ernest CERN - - OpenLab OpenLab Security Workshop Security Workshop April 2004 April 2004 CERN Outline Outline Motivation and

352 views • 23 slides
Lets Authenticate Automated Cryptographic Authentication for the Web with Simple Account

Lets Authenticate Automated Cryptographic Authentication for the Web with Simple Account

Lets Authenticate Automated Cryptographic Authentication for the Web with Simple Account Recovery James Conners Daniel Zappala Brigham Young University Our focus easy registration/login easy account recovery privacy by design What about

737 views • 45 slides
Network Access Security Torino, IT March 4 th , 2005 Carsten Bormann &lt;cabo@tzi.de&gt;

Network Access Security Torino, IT March 4 th , 2005 Carsten Bormann &lt;cabo@tzi.de&gt;

An introduction to Network Access Security Torino, IT March 4 th , 2005 Carsten Bormann &lt;cabo@tzi.de&gt; Overview Network Access Security: Traditions WLAN Security WLAN Roaming 2 Overview Network Access Security:

782 views • 20 slides
How does TLS know this is really the Google web site? Google Authenticating the Server web

How does TLS know this is really the Google web site? Google Authenticating the Server web

How does TLS know this is really the Google web site? Google Authenticating the Server web site ? Public Key Private Key 1. Did we reach the intended web server? 2. Did we receive the servers public key? https://www.google.com Google

423 views • 16 slides
Securing Internet Communication: TLS CS 161: Computer Security Prof. Vern Paxson TAs: Paul

Securing Internet Communication: TLS CS 161: Computer Security Prof. Vern Paxson TAs: Paul

Securing Internet Communication: TLS CS 161: Computer Security Prof. Vern Paxson TAs: Paul Bramsen, Apoorva Dornadula, David Fifield, Mia Gil Epner, David Hahn, Warren He, Grant Ho, Frank Li, Nathan Malkin, Mitar Milutinovic, Rishabh Poddar,

873 views • 56 slides
1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

1 Password-Based Authentication Node A has a secret ( password ): e.g., lisa To

Authentication Protocols Guevara Noubir College of Computer and Information Science Northeastern University noubir@ccs.neu.edu Outline Overview of Authentication Systems [Chapter 9] Authentication of People [Chapter 10]

396 views • 17 slides
Lecture 4 - Authorization CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 4 - Authorization CMPSC 443 - Spring 2012 Introduction Computer and Network Security

Lecture 4 - Authorization CMPSC 443 - Spring 2012 Introduction Computer and Network Security Professor Jaeger www.cse.psu.edu/~tjaeger/cse443-s12/ CMPSC 443 Introduction to Computer and Network Security - Spring 2012 - Professor Jaeger Why

1.06k views • 22 slides
Pushed Authorization Requests https://tools.ietf.org/html/draft-lodderstedt-oauth-par IETF-106,

Pushed Authorization Requests https://tools.ietf.org/html/draft-lodderstedt-oauth-par IETF-106,

Pushed Authorization Requests https://tools.ietf.org/html/draft-lodderstedt-oauth-par IETF-106, 21.11.2019, Singapore Brian Campbell, Nat Sakimura, Dave Tonge, Filip Skokan, Torsten Lodderstedt { &quot;userinfo&quot;:{

340 views • 16 slides
CDC post-authorization/post-licensure safety monitoring of COVID-19 vaccines Tom Shimabukuro, MD,

CDC post-authorization/post-licensure safety monitoring of COVID-19 vaccines Tom Shimabukuro, MD,

National Center for Immunization &amp; Respiratory Diseases CDC post-authorization/post-licensure safety monitoring of COVID-19 vaccines Tom Shimabukuro, MD, MPH, MBA CDC COVID-19 Vaccine Task Force Vaccine Safety Team October 30, 2020

509 views • 31 slides

More recommend