Cross-Cell Authentication Using
Configurable Authentication Paths

          Douglas E. Engert
          DEEngert@anl.gov
        Argonne National Laboratory
                 11/05/96


                         Introduction

 • What is Cross-Cell Authentication?
 • How Kerberos and DCE implement it
 • What’s wrong with this?
 • Configurable Authentication Paths
 • Results of testing
 • Futures



                            Definitions

 • Cell vs. Realm
 • Security Server vs. KDC
 • /.../cellname/user vs. user@realm
 • principal and account vs. principal




          Cross-Cell Authentication

 • A user in one cell can authenticate to a
   service in another cell
 • Feature of Kerberos
   - Version 4: direct cell to cell
   - Version 5: allows intermediate cells
 • Requires cell_admins to set up shared keys


                     Kerberos Basics
 Key Distribution Center (KDC) or DCE Security Server

 [Diagram: KDC; Client (kinit, APPL); Server (APPLD); User; Cache]

       Cross Cell Authentication: Shared Keys
 [Diagram: Client’s KDC, KDC 1, KDC 2, Server’s KDC; User; Server]

       Cross Cell Authentication
 [Diagram: Client’s KDC, KDC 1, KDC 2, Server’s KDC; Client (kinit, APPL); Server (APPLD); User; Cache]
          Hierarchical Organization of Cells

     “Realms are typically organized
      hierarchically”
      RFC 1510 Section 1.1
 • Kerberos 5 uses DNS-style names
 • DCE uses cell aliases
 • They don’t interoperate
                  Kerberos 5 Hierarchy

 • Right-to-left separator is “.”
   - A.B.C
   - B.C
   - C
   - Z.C
   - Y.Z.C
                          DCE Hierarchy
 • Left-to-right separator is “/”
   - /c/b/a
   - /c/b
   - /c
   - /c/z
   - /c/z/y
 • Requires user to specify the hierarchy
 • Transitive Trust
            What’s wrong with this?

 • The world is not hierarchical
 • How does ANL.GOV authenticate to
   WIDGET.COM?
   - Who runs the GOV, COM, EDU, ORG cells?
 • Can’t belong to more than one hierarchy
 • DCE and K5 do not interoperate
 • Hierarchy is tied to the realm name
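The hierarchy slides above describe the default walk (up from the client realm to the nearest shared ancestor, then down to the server realm) and the case where it breaks. The following Python is an added example written for this page, not code from the talk and not MIT's walk_rtree.c; the function names (hierarchical_path, intermediates) are mine. It computes the default path for both the Kerberos 5 dotted form and the DCE slash form, and shows the ANL.GOV to WIDGET.COM case: with no shared name component the only default route runs through the GOV and COM realms, which is the talk's point about who runs those cells.

```python
# Added example (not from the talk or from MIT's walk_rtree.c): the default
# hierarchical authentication path between two realms/cells, for the two
# naming styles shown on the Kerberos 5 Hierarchy and DCE Hierarchy slides.


def _components_root_first(realm, style):
    """Split a realm or cell name into components, root (most significant) first.

    style "krb5": A.B.C  -> ["C", "B", "A"]   (right-to-left, separator ".")
    style "dce":  /c/b/a -> ["c", "b", "a"]   (left-to-right, separator "/")
    """
    if style == "krb5":
        return realm.split(".")[::-1]
    if style == "dce":
        return [c for c in realm.split("/") if c]
    raise ValueError(f"unknown naming style: {style}")


def _join(components_root_first, style):
    """Inverse of _components_root_first."""
    if style == "krb5":
        return ".".join(reversed(components_root_first))
    return "/" + "/".join(components_root_first)


def hierarchical_path(client, server, style="krb5"):
    """Return the realm sequence from client to server, endpoints included.

    The walk goes up from the client realm to the nearest realm the two names
    share, then down to the server realm.  When the names share nothing (the
    slide's ANL.GOV vs WIDGET.COM case) the walk is assumed to bridge between
    the top-level realm of each side, so GOV and COM would both have to exist.
    """
    c = _components_root_first(client, style)
    s = _components_root_first(server, style)

    # Length of the common root-first prefix = depth of the shared ancestor.
    shared = 0
    while shared < min(len(c), len(s)) and c[shared] == s[shared]:
        shared += 1

    top = max(shared, 1)                     # stop at the shared ancestor, or at the top level
    up = [_join(c[:i], style) for i in range(len(c), top - 1, -1)]
    first_down = top + 1 if shared else top  # no shared ancestor: start at server's top level
    down = [_join(s[:i], style) for i in range(first_down, len(s) + 1)]
    return up + down


def intermediates(client, server, style="krb5"):
    """The realms a ticket transits between client and server: what the server
    expects in the transited field when the default hierarchical walk is used."""
    return hierarchical_path(client, server, style)[1:-1]


if __name__ == "__main__":
    for args in (("A.B.C", "Y.Z.C", "krb5"), ("A.B.C", "C", "krb5"),
                 ("ANL.GOV", "WIDGET.COM", "krb5"), ("/c/b/a", "/c/z/y", "dce")):
        print(args[0], "->", args[1], ":", " -> ".join(hierarchical_path(*args)))
```

For A.B.C to Y.Z.C the walk is A.B.C, B.C, C, Z.C, Y.Z.C, so the transited realms are B.C, C and Z.C; the DCE form gives the mirror-image /c/b, /c, /c/z. The same realm on both sides yields no intermediates at all.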


          Cross Cell
 [Four diagram slides; only the title survived extraction]
        Configurable Authentication Paths

     “Realms are typically organized
      hierarchically.... If a hierarchical
      organization is not used, it may be
      necessary to consult some database in order
      to construct an authentication path between
      realms.”
      RFC 1510 Section 1.1
 • So use a database!
        Configurable Authentication Paths
 • lib/krb5/krb/walk_rtree.c
   - Returns the authentication path based on the client
     and server realms
   - Used by the client to find the authentication path
   - Used by the server to check the transited field
 • Has been incorporated in MIT Kerberos 5
   beta 6 and beta 7
 • krb5.conf
   - New section [capaths]
    Why Check the Transited Field?

 Client: abc          Server: ghi     Transited field: def
 Bogus client: abc    Server: ghi     Transited field: xyz,jkl,def

 DCE 1.0.3 did not check!

 [Diagram: cells abc, def, ghi and xyz, jkl]
          Testing CAPATH in DCE

 • Modified DCE 1.1 walk_rtree.c
 • Kept simple to show proof of concept
 • walk_rtree.c is in shared libdce
 • capath.conf
   - equivalent to krb5.conf [capaths] information
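The talk says capath.conf carries the same information as the krb5.conf [capaths] section but never shows that section. As an added example (not from the talk), here is the three-cell configuration of the capath.conf slide written in MIT Kerberos krb5.conf syntax: each client realm gets a block, each line inside it names a server realm and the intermediate realm to go through, and "." marks a direct trust with no intermediate, the same convention capath.conf uses.

```ini
[capaths]
    # client cell dce.anl.gov: how it reaches each server cell
    dce.anl.gov = {
        dce.es.net  = .
        dce.pnl.gov = dce.es.net
    }
    # client cell dce.es.net: direct trust with both neighbours
    dce.es.net = {
        dce.anl.gov = .
        dce.pnl.gov = .
    }
    # client cell dce.pnl.gov: reaches dce.anl.gov through dce.es.net
    dce.pnl.gov = {
        dce.anl.gov = dce.es.net
        dce.es.net  = .
    }
```

A server in dce.pnl.gov uses the dce.anl.gov block to verify that a ticket from an anl client arrived with exactly dce.es.net in its transited field; a path with more than one hop is written as several lines with the same server-realm key, in hop order.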




                                 capath.conf
   client-cell  server-cell  intermediates
   dce.anl.gov  dce.es.net   .
   dce.anl.gov  dce.pnl.gov  dce.es.net

   dce.es.net   dce.anl.gov  .
   dce.pnl.gov  dce.anl.gov  dce.es.net

   dce.es.net   dce.pnl.gov  .
   dce.pnl.gov  dce.es.net   .

 • n*(n-1) records in total for n cells
 • Each cell needs 2*(n-1) records
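The capath.conf slide, the transited-field slide and the Compatibility slide together describe one mechanism: a table of (client cell, server cell) records that the client consults to build its path and the server consults to reject a ticket whose transited field does not match. The Python below is an added example written for this page, not the talk's DCE 1.1 patch; the names parse_capath_conf, lookup_path, check_transited and records_per_cell are mine. The six records are the ones on the slide, embedded as sample input. The transited field is treated as a plain comma-separated list of cell names (the real field uses a compressed encoding, but the comparison against the configured path is the same), and the bogus ticket of the transited-field slide is reproduced with constructed cell names. Multi-hop records are assumed to be comma-separated in hop order; the slide shows only single-hop ones.

```python
# Added example (not the talk's DCE 1.1 patch): parser for the three-column
# capath.conf format on the slide, client-side path lookup, server-side
# transited-field check, and the n*(n-1) record-count rule.

# The six records from the talk's capath.conf slide, embedded as sample input.
CAPATH_CONF = """\
# client-cell  server-cell  intermediates ("." = direct trust, no intermediate)
dce.anl.gov  dce.es.net   .
dce.anl.gov  dce.pnl.gov  dce.es.net

dce.es.net   dce.anl.gov  .
dce.pnl.gov  dce.anl.gov  dce.es.net

dce.es.net   dce.pnl.gov  .
dce.pnl.gov  dce.es.net   .
"""


def parse_capath_conf(text):
    """Map (client_cell, server_cell) -> list of intermediate cells.

    "." means no intermediate.  Several intermediates are assumed to be written
    comma-separated in hop order (the slide only shows single-hop records).
    """
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) != 3:
            raise ValueError(f"malformed capath.conf record: {raw!r}")
        client, server, hops = fields
        table[(client, server)] = [] if hops == "." else hops.split(",")
    return table


def lookup_path(table, client, server):
    """Client side: the intermediate cells to walk from client to server.

    Returns None when no record exists; per the Compatibility slide that is the
    signal to fall back to the old hierarchical walk rather than to fail.
    """
    if client == server:
        return []
    return table.get((client, server))


def check_transited(table, client, server, transited):
    """Server side: accept only if the transited cells equal the configured path.

    `transited` is a plain comma-separated list of cell names (simplified from
    the real compressed encoding).  The slide's bogus ticket, claiming
    xyz,jkl,def where the path should be just def, fails because the lists
    differ, however many extra cells the forger lists.
    """
    expected = lookup_path(table, client, server)
    if expected is None:
        return False          # no record: this example has no hierarchical fallback
    claimed = [cell for cell in transited.split(",") if cell]
    return claimed == expected


def records_per_cell(table):
    """How many records mention each cell.  A full mesh of n cells has n*(n-1)
    records and every cell appears in 2*(n-1) of them, as the slide states."""
    counts = {}
    for client, server in table:
        counts[client] = counts.get(client, 0) + 1
        counts[server] = counts.get(server, 0) + 1
    return counts


if __name__ == "__main__":
    table = parse_capath_conf(CAPATH_CONF)
    print(len(table), "records;", records_per_cell(table))
    print("anl -> pnl via", lookup_path(table, "dce.anl.gov", "dce.pnl.gov"))
    print("good ticket:", check_transited(table, "dce.anl.gov", "dce.pnl.gov", "dce.es.net"))
    # Constructed bogus transited field, mirroring the slide's xyz,jkl,def case.
    print("bogus ticket:", check_transited(table, "dce.anl.gov", "dce.pnl.gov",
                                            "xyz.example,jkl.example,dce.es.net"))
```

With three cells the parsed table has six records and each cell appears in four of them, matching the n*(n-1) and 2*(n-1) counts on the slide. The check is strict equality, not containment: a ticket that names the right intermediate but also extra cells is rejected, which is exactly the hole left open when DCE 1.0.3 skipped the check.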

         Testing CAPATH in DCE

 • Need modified libdce.so on server and
   security server
 • Need modified libdce.so on client
 • AIX 4.1.4: relinked libdce.a
 • Solaris 2.5: setenv LD_PRELOAD
 • HP: have not figured out a way yet
         Cross Cell Authentication
 [Diagram: cells dce.anl.gov (HP, secd), dce.es.net (Transarc, secd), dce.pnl.gov (Transarc, secd); libdce.so; AIX client with dce_login and rlogin; klogind server; User; Cache]
   pembroke% /krb5/bin/rlogin moonbeam.pnl.gov -x -l engert
   This rlogin session is using DES encryption for all data transmissions.
   Last login: Thu Oct 24 17:01:49 from pembroke.ctd.anl
   Sun Microsystems Inc.    SunOS 5.5.1    Generic May 1996
   moonbeam.pnl.gov% exit
   moonbeam.pnl.gov% logout
   Connection closed.
   pembroke% /krb5/bin/klist
   Ticket cache: /opt/dcelocal/var/security/creds/dcecred_626fb170
   Default principal: b17783@dce.anl.gov

   Valid starting       Expires                Service principal
   25 Oct 96 09:03:01   25 Oct 96   19:03:01   krbtgt/dce.anl.gov@dce.anl.gov
   25 Oct 96 09:03:17   25 Oct 96   19:03:01   afsx/anl.gov@dce.anl.gov
   25 Oct 96 09:10:28   25 Oct 96   19:03:01   krbtgt/dce.es.net@dce.anl.gov
   25 Oct 96 09:10:28   25 Oct 96   19:03:01   krbtgt/dce.pnl.gov@dce.es.net
   25 Oct 96 09:10:31   25 Oct 96   19:03:01   host/moonbeam.pnl.gov@dce.pnl.gov




         Cross Cell Authentication
 [Diagram: cells dce.anl.gov (HP, secd), dce.es.net (Transarc, secd), dce.pnl.gov (Transarc, secd); libdce.so; AIX client with dce_login and rgy_edit; RPC server; libdce.so on both ends; User; Cache]
   Klist output
   Default principal: b17783@dce.anl.gov
   Server: krbtgt/dce.anl.gov@dce.anl.gov
   Client: dce-ptgt@dce.anl.gov   Server:   krbtgt/dce.anl.gov@dce.anl.gov
   Client: dce-ptgt@dce.anl.gov   Server:   dce-rgy@dce.anl.gov
   Server: krbtgt/dce.es.net@dce.anl.gov
   Server: krbtgt/dce.pnl.gov@dce.es.net
   Server: dce-ptgt@dce.pnl.gov
   Client: dce-ptgt@dce.anl.gov   Server:   krbtgt/dce.es.net@dce.anl.gov
   Client: dce-ptgt@dce.anl.gov   Server:   krbtgt/dce.pnl.gov@dce.es.net
   Client: dce-ptgt@dce.anl.gov   Server:   dce-ptgt@dce.pnl.gov




         Cross Cell Authentication
 [Diagram: cells dce.anl.gov (HP, secd), dce.es.net (Transarc, secd), dce.pnl.gov (Transarc, secd); libdce.so; AIX client with dce_login and DFS; DFS server; libdce.so on both ends; User; Cache]
                            Compatibility

 • Defaults to the previous method if:
   - capath.conf not found
   - client-server record not found
 • Works with MIT Kerberos
                                 Futures

 • Request that OSF and HP incorporate the
   modification
 • Replace the capath.conf file
   - Store in registry
   - Locally cached by dced
 • Public key for cross-cell
 • capath.conf then becomes a list of trusted CAs
                     ESnet Pilot Project

 • Final Report and Recommendations of the
   ESnet Authentication Pilot Project
   G. R. Johnson    PNL
   C. L. Athey      LLNL
   D. E. Engert     ANL
   J. P. Moore      PNL
   J. E. Ramus      NERSC
 • http://www.es.net/pub/esnet-doc/auth-and-security/auth-pilot-report.ps
The End


 Cross-Cell Authentication Using
Configurable Authentication Paths

          Douglas E. Engert
          DEEngert@anl.gov
        Argonne National Laboratory
                 10/31/96

