1 / 31

Cross-Cell Authentication Using Configurable Authentication Paths

Cross-Cell Authentication Using Configurable Authentication Paths. Douglas E. Engert DEEngert@anl.gov Argonne National Laboratory 11/05/96. Introduction. What is Cross-Cell Authentication? How Kerberos and DCE implement it What’s wrong with this? Configurable Authentication Paths

aman
Download Presentation

Cross-Cell Authentication Using Configurable Authentication Paths

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Cross-Cell Authentication Using Configurable Authentication Paths Douglas E. Engert DEEngert@anl.gov Argonne National Laboratory 11/05/96

  2. Introduction • What is Cross-Cell Authentication? • How Kerberos and DCE implement it • What’s wrong with this? • Configurable Authentication Paths • Results of testing • Futures

  3. Definitions • Cell Vs Realm • Security Server Vs KDC • /.../cellname/user Vs user@realm • principal and account Vs principal

  4. Cross-Cell Authentication • A user in one cell can authenticate to a service in another cell • Feature of Kerberos • Version 4 - Direct cell to cell • Version 5 - Allows intermediate cell • Requires cell_admins to setup shared keys

  5. Kerberos Basics Key Distribution Center KDC or DCE Security Server Server Client APPLD kinit APPL User Cache

  6. Cross Cell AuthenticationShared Keys Client’s KDC KDC 1 KDC 2 Server’s KDC User Server

  7. Cross Cell Authentication Client’s KDC KDC 1 KDC 2 Server’s KDC Server Client APPLD kinit APPL User Cache

  8. Hierarchical Organization of Cells • “Realms are typically organized hierarchically” • RFC 1510 Section 1.1 • Kerberos 5 use DNS style • DCE uses cell aliases • They don’t interoperate

  9. Kerberos 5 Hierarchy • Right to left separator is “.” • A.B.C • B.C • C • Z.C • Y.Z.C

  10. DCE Hierarchy • Left to Right separator is “/” • /c/b/a • /c/b • /c • /c/z • /c/z/y • Requires user to specify the hierarchy • Transitive Trust

  11. What's wrong with this? • The world is not hierarchical • How does ANL.GOV authenticate to WIDGET.COM • Who runs GOV, COM, EDU, ORG cells? • Can’t belong to more then one hierarchy • DCE and K5 do not interoperate • Hierarchy is tied to the realm name

  12. Cross Cell

  13. Cross Cell

  14. Cross Cell

  15. Cross Cell

  16. Configurable Authentication Paths • “Realms are typically organized hierarchically.... If a hierarchical organization is not used, it may be necessary to consult some database in order to construct an authentication path between realms.” • RFC1510 Section 1.1 • So use a database!

  17. Configurable Authentication Paths • lib/krb5/krb/walk_rtree.c • Return the authentication path based on client and server realms • Used by client to find authentication path • Used by server to check transited field • Has been incorporated in MIT Kerberos 5 beta 6 and beta 7 • krb5.conf • New section [capaths]

  18. Why Check the Transited Field ? Client: abc Server: ghi Transited field: def Bogus client: abc Server:ghi Transited Field: xyz,jkl,def DCE 1.0.3 did not check! def jkl abc ghi abc xyz

  19. Testing CAPATH in DCE • Modified DCE 1.1 walk_rtree.c • Kept simple to show proof of concept • walk_rtree.c is in shared libdce • capath.conf • equivalent to krb5.conf [capaths] information

  20. capath.conf • client-cell server-cell intermediates dce.anl.gov dce.es.net .dce.anl.gov dce.pnl.gov dce.es.netdce.es.net dce.anl.gov .dce.pnl.gov dce.anl.gov dce.es.netdce.es.net dce.pnl.gov .dce.pnl.gov dce.es.net . • n*(n-1) number of records • Each cell need 2*(n-1) records

  21. Testing CAPATH in DCE • Need modified libdce.so on server and security server • Need modified libdce.so on client • AIX 4.1.4 - relinked libdce.a • Solaris 2.5 - setenv LD_PRELOAD • HP - Have not figured out a way yet

  22. Cross Cell Authentication dce.anl.gov HP dce.pnl.gov Transarc dce.es.net Transarc secd secd secd libdce.so AIX klogind rlogin dce_login User Cache

  23. Cache • pembroke% /krb5/bin/rlogin moonbeam.pnl.gov -x -l engert • This rlogin session is using DES encryption for all data transmissions. • Last login: Thu Oct 24 17:01:49 from pembroke.ctd.anl • Sun Microsystems Inc. SunOS 5.5.1 Generic May 1996 • moonbeam.pnl.gov% exit • moonbeam.pnl.gov% logout • Connection closed. • pembroke% /krb5/bin/klist • Ticket cache: /opt/dcelocal/var/security/creds/dcecred_626fb170 • Default principal: b17783@dce.anl.gov • Valid starting Expires Service principal • 25 Oct 96 09:03:01 25 Oct 96 19:03:01 krbtgt/dce.anl.gov@dce.anl.gov • 25 Oct 96 09:03:17 25 Oct 96 19:03:01 afsx/anl.gov@dce.anl.gov • 25 Oct 96 09:10:28 25 Oct 96 19:03:01 krbtgt/dce.es.net@dce.anl.gov • 25 Oct 96 09:10:28 25 Oct 96 19:03:01 krbtgt/dce.pnl.gov@dce.es.net • 25 Oct 96 09:10:31 25 Oct 96 19:03:01 host/moonbeam.pnl.gov@dce.pnl.gov

  24. libdce.so libdce.so libdce.so Cross Cell Authentication dce.anl.gov HP dce.pnl.gov Transarc dce.es.net Transarc secd secd secd AIX rgy_edit dce_login RPC User Cache

  25. Cache • Klist output • Default principal: b17783@dce.anl.gov • Server: krbtgt/dce.anl.gov@dce.anl.gov • Client: dce-ptgt@dce.anl.gov Server: krbtgt/dce.anl.gov@dce.anl.gov • Client: dce-ptgt@dce.anl.gov Server: dce-rgy@dce.anl.gov • Server: krbtgt/dce.es.net@dce.anl.gov • Server: krbtgt/dce.pnl.gov@dce.es.net • Server: dce-ptgt@dce.pnl.gov • Client: dce-ptgt@dce.anl.gov Server: krbtgt/dce.es.net@dce.anl.gov • Client: dce-ptgt@dce.anl.gov Server: krbtgt/dce.pnl.gov@dce.es.net • Client: dce-ptgt@dce.anl.gov Server: dce-ptgt@dce.pnl.gov

  26. libdce.so libdce.so libdce.so Cross Cell Authentication dce.anl.gov HP dce.pnl.gov Transarc dce.es.net Transarc secd secd secd AIX DFS dce_login DFS User Cache

  27. Compatibility • Defaults to previous method if: • capath.conf not found • client-server record not found • Works with MIT Kerberos

  28. Futures • Request OSF and HP incorporate the modification • Replace capath.conf file • Store in registry • Locally cached by dced • Public key for cross-cell • capath.conf then becomes list of trusted CAs

  29. ESnet Pilot Project • Final Report and Recommendations of the ESnet Authentication Pilot Project • G. R. Johnson PNL • C. L. Athey LLNL • D. E. Engert ANL • J. P. Moore PNL • J. E. Ramus NERSC • http://www.es.net/pub/esnet-doc/auth-and-security/auth-pilot-report.ps

  30. The End

  31. Cross-Cell Authentication Using Configurable Authentication Paths Douglas E. Engert DEEngert@anl.gov Argonne National Laboratory 10/31/96

More Related