Why Kerberos?

Presented by Beth Lynn Eicher

CPLUG Security Conference

March 5, 2005

Released under the Creative Commons Attribution-NonCommercial-ShareAlike License.

Some Rights Reserved

Kerberos IS...

The mythical character

A Network Authentication Protocol

● MIT took an idea from Xerox: “The Needham-Schroeder Protocol”

● Centralized, single sign-on, encrypted logins

Kerberos is everywhere

• Required for OpenAFS

• With Heimdal (from Sweden) you can use Kerberos anywhere

• Becoming a built-in option

  • Microsoft Active Directory

  • LDAP

  • Fedora Core (PAM)

Yes, you can use telnet again

If you “kerberize” your service, you can use services that otherwise pass your passwords in the clear.

Allows many methods of authentication...

Something that you know

Your password

Something that you have...

Your Securid

Something that you are...

Bio-authentication

Since there are multiple ways of authenticating...

Let's just call it secret

Provides the 3 A's

● Authentication – verifying secrets

● Authorization – control access

● Auditing – logging

NOT to be confused with...

Fluffy from Harry Potter

A directory service

● Kerberos doesn't know your full name, your favorite shell, or your home address

● Use LDAP or NIS(+) WITH Kerberos

Kerberos does encrypt your password...

● But what you assume to be Kerberos may not be Kerberos at all if your system has been exploited!

● Be aware of trojans and keystroke logging

My principal

bethlynn@CS.CMU.EDU

My principal's service instances

● bethlynn.mail@CS.CMU.EDU

● bethlynn.ftp@CS.CMU.EDU

● bethlynn.remote@CS.CMU.EDU

My principal's administrative instances

● bethlynn.admin@CS.CMU.EDU

● bethlynn.admin-afs@CS.CMU.EDU

● bethlynn.root@CS.CMU.EDU

Single Sign-On

1) I login to my desktop

2) After that initial login I'm given a ticket

3) I can ssh/telnet to other machines on the network without typing a password again!

My password is not cached or resent.

My ticket allows me to request more tickets.
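The three single sign-on steps above, as an added toy model that is not part of the talk: the password-derived key is used once to open the initial reply, and every further service ticket is obtained with the ticket-granting ticket alone. It assumes a stand-in encrypt-then-MAC cipher (SHA-256 keystream plus HMAC) in place of real Kerberos encryption types, and constructed Kerberos 5 style service principal names under the CS.CMU.EDU realm from the slides.

```python
import hashlib, hmac, json, os

REALM = "CS.CMU.EDU"  # realm from the slides; the cipher below is a toy stand-in, not Kerberos

def _keystream(key, nonce, n):
    blocks = (hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON object under key (toy construction, not a Kerberos enctype)."""
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    """Verify the MAC, then decrypt; a wrong key or a tampered ticket raises."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad ticket: wrong key or tampered")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def long_term_key(principal, password):  # only the client and the KDC ever hold this
    return hashlib.sha256(password.encode() + principal.encode()).digest()

class KDC:
    def __init__(self, principals):  # principal -> password (constructed sample data)
        self.keys = {p: long_term_key(p, pw) for p, pw in principals.items()}
        self.keys["krbtgt@" + REALM] = os.urandom(32)  # key that protects TGTs

    def as_exchange(self, client):  # slide step 2: the initial login yields a TGT
        sk = os.urandom(32)
        tgt = seal(self.keys["krbtgt@" + REALM], {"client": client, "sk": sk.hex()})
        return seal(self.keys[client], {"sk": sk.hex()}), tgt  # session key needs the password key

    def tgs_exchange(self, tgt, authenticator, service):  # slide step 3: more tickets, no password
        t = unseal(self.keys["krbtgt@" + REALM], tgt)
        if unseal(bytes.fromhex(t["sk"]), authenticator)["client"] != t["client"]:
            raise ValueError("authenticator does not match TGT")
        return seal(self.keys[service], {"client": t["client"], "service": service})

def sso_session(kdc, client, password, services):
    """The password is used exactly once; every later ticket comes from the TGT."""
    enc, tgt = kdc.as_exchange(client)
    sk = bytes.fromhex(unseal(long_term_key(client, password), enc)["sk"])
    del password  # nothing cached or resent after this point
    return [kdc.tgs_exchange(tgt, seal(sk, {"client": client}), s) for s in services]

def service_accepts(service_key, ticket):
    """What the kerberized server does: decrypt with its own key and read the client name."""
    return unseal(service_key, ticket)["client"]
```

A ticket issued for one service will not open under another service's key, and a wrong password makes the first reply unreadable, so no service ticket can be requested.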

When I want to be root

● I authenticate with my bethlynn.root@CS.CMU.EDU password

● Now I have full root privileges on the local host

● I can also use this ticket to ssh/telnet to other machines and be root on them too

What I didn't tell you

● How Kerberos works.

● MIT vs Heimdal

● Who is Cerberus?

● How to configure Kerberos

● How OpenAFS uses Kerberos

O'Reilly to the Rescue

● “Kerberos: The Definitive Guide” by Jason Garman

● The Owl book

● $34.95

Thanks!
