
Cross cell AFS authentication using Kerberos 5




  1. Cross cell AFS authentication using Kerberos 5
     HEPiX-HEPNT, Vancouver, October 21st 2003
     Enrico M.V. Fasanelli

  2. Agenda
     • Why?
     • Theory and practice on
       • Kerberos5 cross realm transitive hierarchical authentication
       • AFS cross cell authentication
     • K5 @ INFN.IT
     • Last minute tests
     • Future
     Enrico.M.V.Fasanelli@le.infn.it

  3. Once upon a time…
     • Three AFS cells: pi.infn.it, infn.it, le.infn.it (1996)
     • A “bad” day (1996): Transarc said “Dear customer, forget your AFS, and look at the new DCE/DFS”
     • DCE/DFS “new” features
       • Per-file ACLs
       • Transitive hierarchical cross cell authentication
     • INFN DCE/DFS WG (born in 09/96) → not usable (see Gomezel @ HTASC #7)

  4. …in the meantime…
     • Transarc modified the support policy for AFS
     • Two revisions of the US export regulations (January and October 2000) made the MIT Kerberos5 code available outside the US
     • The release of the AFS source code to the Open Source world (Halloween 2000) led to the OpenAFS project

  5. …and now
     • Local AFS cells also in INFN labs (LNGS and LNF) and, in one lab, a cell for the KLOE experiment
     • The new AFS cell roma1.infn.it is ready to go into production
     • AFS, within INFN, is losing its original “goal” of a single distributed filesystem for transparent resource sharing among INFN sections and labs

  6. The “needs” of MIT Kerberos 5
     • The current AFS setup allows “restricted” file sharing (ACLs) only between users belonging to the same cell → we need AFS cross cell authentication
     • Cross cell AFS authentication using Kerberos IV is de facto prohibited after MITKRB5-SA-2003-004 (March 17th; the Kerberos IV cryptographic weakness that allows cross-realm impersonation, whose fix disables krb4 cross-realm authentication by default) → we need Kerberos5
     • OpenAFS is moving toward Kerberos5
       • rxkad 2b protocol
     • MIT Kerberos5 provides support for AFS authentication
       • fakeka is now included in the Kerberos5 1.3 distribution
     • Windows 2000/XP works with MIT KDCs


  8. K5 cross realm trust relationships
     • Any principal in one REALM can authenticate to any service principal in the other realm
     • Resource access (and therefore sharing) is “transparent”
     [Diagram: REALM A and REALM B, linked by the cross-realm principal krbtgt/REALM.B@REALM.A, shown on both sides because the same key is held by both KDCs]

  9. K5 cross realm trust relationships (example)
     [Diagram: from REALM A, the user runs “telnet -a server.realm.B” as principal user@REALM.A; on the server in REALM.B the target account’s ~/.k5login lists user@REALM.A. The cross-realm trust only authenticates the foreign principal; the account on server.realm.B still has to authorize it, here by that .k5login entry]

  10. K5 cross realm transitive trust relationships
      • Trust relationships ARE transitive
      • Hierarchical (set up by default, automatically, between realms that share a DNS-style domain suffix)
      • Or via the [capaths] section of the Kerberos5 configuration (krb5.conf)
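How a client settles on the chain of realms for a cross-realm request, as an added example (a Python model written for this page, not code from the talk or from MIT Kerberos): the default hierarchical walk the slide refers to, an explicit [capaths] override, the krbtgt principals each hop consumes, and the transited check the receiving side applies. The realm names are the talk's test realms; the [capaths] tables and the CERN.CH realm are constructed for the example, and the no-common-suffix behaviour is this model's reading of krb5_walk_realm_tree, not a quotation of it.

```python
"""Realm-path selection for a Kerberos 5 cross-realm request: the default
hierarchical walk (RFC 4120, section 1.2) and an explicit [capaths]
override from krb5.conf.  Added example for this page, not code from the
talk or from MIT Kerberos; the realm names are the talk's test realms, the
[capaths] tables and the CERN.CH realm are constructed."""

from __future__ import annotations


def hierarchical_path(client: str, server: str) -> list[str]:
    """Default path when [capaths] says nothing about client -> server.

    Climb from the client realm to the closest common ancestor (longest
    common suffix of the dotted names), then descend to the server realm.
    With no common suffix this model climbs to the client's top-level realm
    and descends from the server's (MIT's krb5_walk_realm_tree is the
    authority for the real behaviour)."""
    client, server = client.upper(), server.upper()
    if client == server:
        return [client]
    c, s = client.split("."), server.split(".")
    k = 0                                   # length of the common suffix
    while k < min(len(c), len(s)) and c[-1 - k] == s[-1 - k]:
        k += 1
    if k == 0:
        up = [".".join(c[i:]) for i in range(len(c))]
        down = [".".join(s[j:]) for j in range(len(s) - 1, -1, -1)]
    else:
        up = [".".join(c[i:]) for i in range(len(c) - k + 1)]
        down = [".".join(s[j:]) for j in range(len(s) - k - 1, -1, -1)]
    return up + down


def capaths_path(capaths: dict, client: str, server: str) -> list[str] | None:
    """Path from a [capaths] entry, or None when there is none.

    capaths mirrors the krb5.conf stanza: capaths[CLIENT][SERVER] is the
    list of intermediate realms in order, and ['.'] means a direct trust."""
    hops = capaths.get(client.upper(), {}).get(server.upper())
    if hops is None:
        return None
    inter = [h.upper() for h in hops if h != "."]
    return [client.upper(), *inter, server.upper()]


def realm_path(capaths: dict, client: str, server: str) -> list[str]:
    """What the client library ends up using: [capaths] wins, otherwise the
    hierarchical default."""
    return capaths_path(capaths, client, server) or hierarchical_path(client, server)


def cross_realm_principals(path: list[str]) -> list[str]:
    """The krbtgt principals consumed along the path.  Hop i presents a TGT
    for krbtgt/NEXT@CURRENT to NEXT's KDC, so each of these must exist with
    the same key in both KDC databases."""
    return [f"krbtgt/{nxt}@{cur}" for cur, nxt in zip(path, path[1:])]


def transited(path: list[str]) -> list[str]:
    """Realms recorded in the ticket's transited field: everything strictly
    between the client realm and the server realm."""
    return path[1:-1]


def transit_accepted(path: list[str], trusted_intermediates: set[str]) -> bool:
    """The service's KDC (or the service itself) checks the transited list
    against local policy; one intermediate it does not trust makes the
    whole path unacceptable even though every single hop was valid."""
    return all(r in trusted_intermediates for r in transited(path))


# Constructed tables; the talk's test realms needed no [capaths] at all.
DIRECT = {"LE.KRB5TEST.INFN.IT": {"CNAF.KRB5TEST.INFN.IT": ["."]}}
VIA_INFN = {"LE.KRB5TEST.INFN.IT": {"CERN.CH": ["KRB5TEST.INFN.IT", "INFN.IT"]}}

if __name__ == "__main__":
    cases = ((DIRECT, "CNAF.KRB5TEST.INFN.IT"), ({}, "CNAF.KRB5TEST.INFN.IT"),
             (VIA_INFN, "CERN.CH"), ({}, "CERN.CH"))
    for caps, srv in cases:
        p = realm_path(caps, "LE.KRB5TEST.INFN.IT", srv)
        print(" -> ".join(p))
        for princ in cross_realm_principals(p):
            print("   needs", princ)
```

The hierarchical default is what made the talk's krb5test.infn.it tree work without any [capaths] entry: LE and CNAF each trust the parent, and the parent is the only realm that appears in the transited field. The CERN.CH case shows why the stanza exists: without it the default walk would try to route through the IT and CH top-level realms, which nobody runs.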

  11. AFS cross cell authentication
      • First define the appropriate PTS entries in each cell
      • Use kinit to obtain your Kerberos5 TGT
      • aklog
        • obtains the AFS token using the K5 TGT
      • aklog <externalcell>
        • creates an entry in the PTS database of externalcell (if not already there)
        • obtains an AFS token belonging to externalcell
      [Diagram: the two AFS cells cell.A and cell.B, each with its own users (user@cell.A, user@cell.B), a system:authuser@<othercell> group for the other cell's authenticated users, and the labels “AFS id 4 for afs@cell.B” (in cell.A) and “AFS id 4 for afs@cell.A” (in cell.B)]
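The aklog steps above, as an added example (a Python model written for this page, not OpenAFS code): how a principal from the cell's own realm and one from a foreign realm are named in that cell's PTS, how the on-the-fly PTS entry gives the foreign user an AFS id, and how an ACL entry of the form system:authuser@other.cell then scopes rights to that one cell's authenticated users. The cell and realm names are the talk's; the PTS table, the AFS ids and the ACL are constructed, and the ACL evaluation is a simplified model (no negative rights, no nested groups).

```python
"""What aklog does with a Kerberos 5 identity when asked for a token in a
given AFS cell, and how that cell's PTS and ACLs then see the caller.
Added example for this page, not OpenAFS code.  The naming rule (own-realm
users keep the bare name, foreign users become name@realm in lower case,
'/' in a principal becomes '.') follows aklog; the PTS table, id assignment
and ACL evaluation are a small model built for this example."""

from __future__ import annotations

ALL_RIGHTS = "rlidwka"     # AFS ACL rights in their usual listing order
ANONYMOUS_ID = 32766       # fixed AFS id for unauthenticated access


def cell_realm(cell: str) -> str:
    """The talk's convention: cell le.krb5test.infn.it lives in realm
    LE.KRB5TEST.INFN.IT."""
    return cell.upper()


def pts_name(principal: str, cell: str) -> str:
    """Name aklog asks the PTS of `cell` about for a Kerberos principal."""
    name, realm = principal.rsplit("@", 1)
    name = name.replace("/", ".")          # name/instance -> name.instance
    if realm.upper() == cell_realm(cell):
        return name                        # own cell: plain PTS user
    return f"{name}@{realm.lower()}"       # foreign cell: user@cell.b


def aklog(principal: str, cell: str, pts_db: dict[str, int],
          create_missing: bool = True) -> tuple[str, int]:
    """Identity carried by the token aklog obtains: (PTS name, AFS id).

    pts_db models the cell's user table.  A foreign user with no entry gets
    one created on the fly when the cell allows it (the behaviour the slide
    relies on); otherwise the token only buys anonymous access."""
    name = pts_name(principal, cell)
    if name not in pts_db:
        if not create_missing:
            return "anonymous", ANONYMOUS_ID
        pts_db[name] = max(pts_db.values(), default=0) + 1   # constructed id scheme
    return name, pts_db[name]


def rights_for(acl: dict[str, str], name: str,
               groups: dict[str, set[str]] | None = None) -> str:
    """Union of the rights every applicable ACL entry grants to `name`:
    the exact entry, a group the name belongs to, system:anyuser (everyone),
    system:authuser (authenticated users of this cell, i.e. names without
    '@') and system:authuser@other.cell (authenticated users of that cell).
    Negative rights are not modelled."""
    granted: set[str] = set()
    for entry, rights in acl.items():
        applies = (
            entry == name
            or entry == "system:anyuser"
            or (entry == "system:authuser" and name != "anonymous" and "@" not in name)
            or (entry.startswith("system:authuser@")
                and name.endswith(entry[len("system:authuser"):]))
            or (groups is not None and name in groups.get(entry, set()))
        )
        if applies:
            granted |= set(rights)
    return "".join(r for r in ALL_RIGHTS if r in granted)


def permits(acl: dict[str, str], name: str, needed: str,
            groups: dict[str, set[str]] | None = None) -> bool:
    """True when every right in `needed` is granted to `name`."""
    return set(needed) <= set(rights_for(acl, name, groups))


if __name__ == "__main__":
    # Constructed: the PTS table of cell cnaf.krb5test.infn.it and an ACL on
    # one of its directories that opens read access to LE's authenticated users.
    cnaf_pts = {"pippo": 1}
    acl = {"pippo": "rlidwka",
           "system:authuser@le.krb5test.infn.it": "rl",
           "system:anyuser": "l"}
    who, afs_id = aklog("user@LE.KRB5TEST.INFN.IT", "cnaf.krb5test.infn.it", cnaf_pts)
    print(who, afs_id, rights_for(acl, who))
    print(rights_for(acl, "user@pi.krb5test.infn.it"))   # a third cell: anyuser only
```

The point the model makes explicit is that the cross-realm ticket only gets the LE user as far as a PTS identity in the CNAF cell; what that identity may touch is decided by CNAF's ACLs, and system:authuser@le.krb5test.infn.it lets an administrator grant all of LE's users something without granting it to every foreign cell that happens to be reachable through the realm hierarchy.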

  12. Practice
      • Preliminary tests in April 2003
        • RedHat 7.3/8.0
        • MIT Kerberos5 1.2.7
        • OpenAFS 1.2.8
      • Configured 5 REALMs and the corresponding AFS cells: [le. cnaf. pi. lnf.]krb5test.infn.it (the top-level realm and four below it)
      • Defined bi-directional trusts between the top-level REALM and each REALM below it

  13. It works!
      [Diagram: krb5test.infn.it at the top, with LE.krb5test.infn.it, PI.krb5test.infn.it, LNF.krb5test.infn.it and CNAF.krb5test.infn.it below it]


  15. K5 @ INFN.IT
      • Pilot (and then production) INFN.IT WAN Kerberos5 REALM, to be used at least for cross cell AFS authentication
      • 10 people involved, in 6 INFN Sections/Labs (CNAF, LNF, LE, PI, Roma1, TS)
      • Presented, discussed, approved and funded at the last meeting (2003/10/7-9) of the INFN “Commissione Calcolo e Reti” (Computing and Network Committee)
      • Will start soon (we are buying the HW)


  17. Last minute tests: environment
      • Started last week (after the OK of CCR)
      • Kerberos5 1.3.1 (available since July 31st 2003)
        → includes fakeka
        → the krb524 library is gone (its functions are now in libkrb5)
      • OpenAFS 1.2.10 (available since August 5th 2003)
        → includes the Kerberos5-related executables (aklog)
        • linked against the 1.2.7 Kerberos libraries
        • configuration hacking needed to point it at the new Kerberos5 library layout
      • RedHat 9
        → krb5-1.3.1 src.rpm available in rawhide and “tuned” for RH9

  18. Last minute tests: results
      • As of today, 7:00 PM GMT+1 (10:00 AM local time)
      • Three new Kerberos5 REALMs, and the corresponding AFS cells: [LE. CNAF.]KRB5TEST.INFN.IT
      • The LE and CNAF Kerberos REALMs are cross-authenticated against the parent
      • AFS cross cell authentication between the LE and CNAF cells established
      • Everything seems to work well (even better than with the previous versions)


  20. Future
      • INFN will have its INFN.IT Kerberos5 REALM spread over the WAN
      • Every INFN section or lab with a local AFS cell can use it to cross-authenticate its AFS cell with the others
      • In such a Kerberized environment we could use TELNET and FTP again, in a secure way (?)
