Why Kerberos?
Presented by Beth Lynn Eicher
CPLUG Security Conference
March 5, 2005
Released Under The Creative Commons Attribution-NonCommercial-ShareAlike License.
Some Rights Reserved
Kerberos IS...
● The mythical character
● A Network Authentication Protocol
● MIT took an idea from Xerox: “The Needham-Schroeder Protocol”
● Centralized, single sign-on, encrypted logins
Kerberos is everywhere
● Required for OpenAFS
● With Heimdal (from Sweden) you can use Kerberos anywhere
● Becoming a built-in option
  • Microsoft Active Directory
  • LDAP
  • Fedora Core (PAM)
Yes, you can use telnet again
If you “kerberize” your service, you can use services that otherwise pass your passwords in the clear.
Allows many methods of authentication...
● Something that you know: your password
● Something that you have: your SecurID
● Something that you are: bio-authentication
Since there are multiple ways of authenticating...
Let's just call it secret
Provides the 3 A's
● Authentication – verifying secrets
● Authorization – control access
● Auditing – logging
NOT to be confused with...
Fluffy from Harry Potter
A directory service
● Kerberos doesn't know your full name, your favorite shell, or your home address
● Use LDAP or NIS(+) WITH Kerberos
Kerberos does encrypt your password...
● But what you assume to be Kerberos may not be, if your system has been exploited!
● Be aware of trojans and keystroke logging
My principal's service instances
● bethlynn.mail@CS.CMU.EDU
● bethlynn.ftp@CS.CMU.EDU
● bethlynn.remote@CS.CMU.EDU
My principal's administrative instances
● bethlynn.admin@CS.CMU.EDU
● bethlynn.admin-afs@CS.CMU.EDU
● bethlynn.root@CS.CMU.EDU
Single Sign-On
1) I log in to my desktop
2) After that initial login I'm given a ticket
3) I can ssh/telnet to other machines on the network without typing a password again!
My password is not cached or resent.
My ticket allows me to request more tickets.
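A toy model of the single sign-on flow above, added here as an illustration and not taken from the talk or from MIT/Heimdal code: the password is turned into a key once, that key opens the AS reply carrying the ticket-granting ticket, and every later service ticket is requested with the TGT and its session key, so the password is neither cached nor resent. The cipher, the key derivation, the key names (krbtgt, host/mach1) and the passphrase are constructed stand-ins for the real Kerberos enctypes and principals.

```python
import hashlib, hmac, json, os

def derive_key(password, principal):
    # Toy string-to-key; real Kerberos enctypes use their own KDF. Run once, at login.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

def _stream(key, nonce, n):  # HMAC counter-mode keystream for the toy cipher below
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def seal(key, payload):  # toy encrypt-then-MAC stand-in for a Kerberos enctype
    nonce, pt = os.urandom(8), json.dumps(payload).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:8], blob[8:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("rejected: wrong key or tampered ticket/authenticator")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

class KDC:
    """Toy AS + TGS holding the realm's long-term keys (users' derived from passwords)."""
    def __init__(self, passwords, service_keys):
        self.keys = {p: derive_key(pw, p) for p, pw in passwords.items()}
        self.keys.update(service_keys)  # "krbtgt" plus host/service keys
    def as_exchange(self, principal):
        # AS-REP: session key + TGT, openable only with the password-derived key
        sk = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"], {"cname": principal, "key": sk})
        return seal(self.keys[principal], {"key": sk, "tgt": tgt.hex()})
    def tgs_exchange(self, tgt, authenticator, service):
        # TGS-REQ: proof is the TGT plus an authenticator under its session key, no password
        t = unseal(self.keys["krbtgt"], tgt)
        if unseal(bytes.fromhex(t["key"]), authenticator)["cname"] != t["cname"]:
            raise ValueError("authenticator does not match TGT")
        sk = os.urandom(32).hex()
        ticket = seal(self.keys[service], {"cname": t["cname"], "key": sk})
        return seal(bytes.fromhex(t["key"]), {"key": sk, "ticket": ticket.hex()})

def login(kdc, principal, password):
    # Steps 1-2: the password is used once, locally; only the ticket and session key are kept
    rep = unseal(derive_key(password, principal), kdc.as_exchange(principal))
    return {"cname": principal, "key": rep["key"], "tgt": bytes.fromhex(rep["tgt"])}

def connect(kdc, creds, service, service_key):
    # Step 3: the TGT buys a service ticket; the service (e.g. sshd) opens it with its own key
    auth = seal(bytes.fromhex(creds["key"]), {"cname": creds["cname"]})
    rep = unseal(bytes.fromhex(creds["key"]), kdc.tgs_exchange(creds["tgt"], auth, service))
    return unseal(service_key, bytes.fromhex(rep["ticket"]))["cname"]
```

Calling `connect` repeatedly with the same `creds` gets a fresh service ticket each time without the password, which is the ticket-requests-more-tickets property of the slide.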
When I want to be root
● I authenticate with my bethlynn.root@CS.CMU.EDU password
● Now I have full root privileges on the local host
● I can also use this ticket to ssh/telnet to other machines and be root on them too
What I didn't tell you
● How Kerberos works.
● MIT vs Heimdal
● Who is Cerberus?
● How to configure Kerberos
● How OpenAFS uses Kerberos
O'Reilly to the Rescue
● “Kerberos: The Definitive Guide” by Jason Garman
● The Owl book
● $34.95
Thanks!