6/14/2001 Liz Buckley-Geer - Ely Meeting 1

Strong Authentication and what it means for MINOS

Liz Buckley-Geer

Fermilab


Outline
- Introduction
- Why are we doing this?
- Are there benefits?
- The authentication model
- How does strong authentication work?
- What does it mean for you?
- Deployment at FNAL
- Schedule for MINOS1
- CVS repository
- Linux machines
- Windows machines
- Macintoshes
- Detector issues
- Summary


Introduction

The information in these slides applies to access to the computers at FNAL and at the Soudan Mine, because we have decided to operate the LAN at Soudan as part of the FNAL LAN - so everywhere I mention FNAL you should take it to include Soudan unless explicitly stated otherwise.

There is a web page that contains much of what I am about to say: http://www.fnal.gov/docs/strongauth/

Written copies of the manual are available from WH8E in the office of Yolanda Valadez (the person who issues computer accounts)


Why are we doing this? I quote from the "Strong Authentication at Fermilab" user manual:

"An analysis of the major computer security incidents at Fermilab over the past couple of years, as well as the general sense of security incidents prior to that, shows that a common root cause of these incidents is the compromise of user passwords by their transmission in clear text over the network. Once intercepted, passwords can be re-used to gain unauthorized access to the destination system. Further, with user access to a compromised system, hackers can fairly easily gain privileged root access. In order to protect against unauthorized access to Fermilab computers, the Computing Division is implementing the Kerberos Network Authentication Service V5 to provide what is known as strong authentication over the network."

For example, on CDF we had one incident that required us to disable all accounts on our machines and give everyone a new password. We were off the air for 36 hours. We do not want this to happen to MINOS.


Are there benefits?

Yes, there are advantages:
- One big advantage is that you have ONE login, known as your kerberos principal, and ONE password that works for all FNAL machines.
- You still need accounts on machines to access them, but there are no locally stored passwords anymore.
- Once you have a ticket you can move from one strengthened machine to another without needing to type your password again.
- Our computers WILL be more secure. All password authentication happens in one place. This means that a user's access to all systems can be disabled in one location should the need arise.


The authentication model - Three "realms"

Strengthened realm: Consists of all systems that require strong authentication for access (both on-site and off-site). All programs such as telnet and rlogin are replaced by strengthened versions. The only "weak" authentication that is allowed is via the console or a locally attached display.

The trusted realm: Other sites that implement strong authentication that is acceptable to FNAL. This is primarily aimed at other laboratories. For example, if RAL decided to implement its own strong authentication and FNAL was happy with it, then RAL would become a trusted realm.

The un-trusted realm: Those systems that do not require strong authentication and permit traditional methods of access. These systems typically expose clear-text passwords on the network. An example would be an X-terminal.


The authentication model - cont’d

At FNAL, machines are configured to respond in “portal mode” when requests for access come from machines in the un-trusted realm

In portal mode the strengthened machine acts as a secure gateway into the strengthened realm, requiring a single-use password.

At FNAL these single-use passwords are implemented using a CRYPTOCard.

A CRYPTOCard is a calculator-style, battery-powered token that must be initialized and synchronized with the KDC before use.


A CRYPTOCard


How does strong authentication work?

Kerberos operates by the exchange of tickets that allow access to all services by the user in the strengthened realm:
- Passwords are stored in the central Key Distribution Server (KDC).
- The user logs into a kerberized computer at the console - they may have to type kinit and give their kerberos password if the login program on the machine is not the kerberized one.
- The user gets a "ticket" from the KDC. The password is used as a key to encrypt the exchanges between host and KDC, but it is not transmitted between them.
- You can now log in to other strengthened hosts without typing a password again.
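The ticket exchange on this slide, as an added illustration that is not part of the original talk: a simplified model of the Kerberos AS exchange in which the KDC stores only a key derived from the password, the password never appears on the wire, and a wrong password shows up as a failed decryption rather than a rejected string. The PBKDF2 string2key, the HMAC-based toy cipher and the realm salt are stand-ins chosen for this example, not the real Kerberos V5 algorithms.

```python
import hashlib
import hmac
import secrets

REALM_SALT = b"FNAL.GOV"  # constructed; real Kerberos salts with realm and principal

def string2key(password: str, salt: bytes = REALM_SALT) -> bytes:
    # Derive the long-term key from the password. Real Kerberos V5 has its own
    # string2key per encryption type; PBKDF2 stands in so this runs on stdlib.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Counter-mode keystream from HMAC-SHA256: a teaching stand-in for a real cipher.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key: bytes, data: bytes) -> bytes:
    # Encrypt-then-MAC: nonce || ciphertext || tag.
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    # Verify the tag first; a wrong key or a tampered blob raises ValueError.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("bad key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

class KDC:
    # Holds derived user keys (never passwords) and answers AS-REQs with a TGT.
    def __init__(self):
        self.master = secrets.token_bytes(32)  # known only to the KDC
        self.keys = {}

    def add_principal(self, principal: str, password: str) -> None:
        self.keys[principal] = string2key(password)

    def as_exchange(self, principal: str) -> tuple:
        # AS-REQ carries only the principal name; the password never crosses the wire.
        session = secrets.token_bytes(32)
        tgt = seal(self.master, principal.encode() + b"|" + session)  # TGT: client + key
        return seal(self.keys[principal], session), tgt

def kinit(kdc: KDC, principal: str, password: str) -> dict:
    # Client side: derive the key locally and unwrap the session key.
    enc_session, tgt = kdc.as_exchange(principal)
    session = unseal(string2key(password), enc_session)
    return {"principal": principal, "session": session, "tgt": tgt}
```

Only the KDC can open the TGT (it is sealed under the master key), which is what lets the client present it to other strengthened hosts without typing the password again.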


What does this mean for you?

All machines at FNAL will be kerberized by default. If you bring a machine to FNAL you will be required to kerberize it if you want to participate in the strengthened realm - this is highly recommended as it simplifies your access to other FNAL machines

If you are outside FNAL you have three choices:
- Install the kerberos client software on your machines and become part of the FNAL strengthened realm. This is the preferred method. Practical considerations mean that offsite users will also be allowed to run ssh with passwords, public/private keys, host-based keys or kerberos on their local machines. However, machines that are sited at FNAL will need to use kerberized ssh; non-kerberized ssh is not permitted on these machines.


What does this mean for you - cont’d?

- Leave your machine unstrengthened and always log in using your CRYPTOCard. Note that if you need to perform actions which require typing in your kerberos password then you MUST make sure that you are on an encrypted connection such as ssh. You MUST NEVER type your kerberos password while logged in to an X-terminal.

- Your site may have its own version of strong authentication which may be acceptable to FNAL, and then you can become a trusted realm.


Deployment at FNAL

The current plan requires that strong authentication be fully deployed on all systems by January 2002

Systems that cannot be strengthened must not be directly accessible on the network - they must be reached through a gateway machine.

Everyone who needs to access FNAL and Soudan machines will need a kerberos principal and should also get a CRYPTOCard. There is a web form http://www.fnal.gov/cd/forms/strongauth.html

Your CRYPTOCard can be mailed to you so you don’t need to come to FNAL


Schedule for MINOS1

The kerberos client software will be installed on MINOS1 at the beginning of July

We will operate in a dual mode of both kerberos and ssh until early September when the machine will become fully strengthened

Un-kerberized ftp will be disabled. In the interim period until we are fully strengthened we will provide anonymous ftp for people who still need to copy files - particularly from Windows machines.

FNAL NuMI/MINOS desktops will be kerberized during this period.

FNALU will be kerberized in October.


CVS Repository

We need to switch to using cvsh, which is a restricted shell that only allows cvs commands to be executed. Use pserver to configure the read-only access. There are several possibilities for write access:

Kerberos access
- The minoscvs account contains the names of all people who have write access to the repository in the .k5login file.
- Users need to kinit to get credentials before accessing the repository.
- Then use kerberized rsh to access the repository.
- Requires the remote machine to be running the kerberos client.

SSH access
- Configure non-kerberized ssh to only allow access to the cvsh login shell, and only for the minoscvs account.
- Only requires ssh on the remote machine.
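An added model of the write-access gate described above (it is not the real cvsh or the .k5login code of Kerberos): a principal may write only if it is listed in minoscvs's .k5login and belongs to a realm FNAL trusts, and the restricted shell passes through nothing but the cvs server command. The trusted-realm set and the sample .k5login are constructed for the example.

```python
import shlex

# Constructed: FNAL's own realm plus any trusted realm it chose to accept.
TRUSTED_REALMS = {"FNAL.GOV"}

def parse_k5login(text: str) -> set:
    # .k5login lists one principal per line; blank lines carry no meaning.
    return {line.strip() for line in text.splitlines() if line.strip()}

def k5login_permits(principal: str, k5login: set) -> bool:
    # Two checks: the realm must be one FNAL trusts, and the exact principal
    # (name AND realm) must be listed. No realm at all is refused outright.
    name, sep, realm = principal.rpartition("@")
    return sep == "@" and realm in TRUSTED_REALMS and principal in k5login

def cvsh_allows(command: str) -> bool:
    # Model of cvsh: the only program a remote user may run is the cvs server.
    # Extra words, other programs and shell metacharacters all fail the match.
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quoting: refuse rather than guess
        return False
    return argv == ["cvs", "server"]

def authorize_write(principal: str, command: str, k5login_text: str) -> tuple:
    # Decision for one kerberized rsh/ssh request against the minoscvs account.
    if not k5login_permits(principal, parse_k5login(k5login_text)):
        return (False, "principal not in .k5login")
    if not cvsh_allows(command):
        return (False, "cvsh: command not permitted")
    return (True, "ok")
```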


CVS Repository cont’d

I propose implementing the kerberos access as people will be kerberizing their machines anyway.

We will run in dual mode until September with both kerberized and ssh access

After September write access will be kerberos only. CDF is successfully working in this mode.


Linux machines

The kerberos client software is available from FNAL as an rpm for RedHat Linux (the FNAL supported version of Linux). This comes with the various FNAL configurations, added features etc. There is also a UPS/UPD install, but not many MINOS institutions are running UPS/UPD as it is not used in the offline.

There is a very active and helpful mailing list [email protected]

I will provide information about the necessary steps.

If you are NOT using RedHat Linux then you have a couple of options:
- Get the package from MIT - this will be missing CRYPTOCard support plus some other useful features.
- Install the Fermi source from CVS - probably a better option as it gets the Fermi features.

Note - you can probably get help from the mailing list if you get stuck, but there is no official support for non-RedHat installs.


Windows machines (W2k, NT4, 98, 95)

In order to connect to Unix machines from your Windows machine you need an X-client that supports kerberos.

The official CD supported product is WRQ® Reflection, which supports kerberos logins.

You can also use Exceed 7 + MIT kerberos, but this is not a CD officially supported configuration - although FNAL PPD has decided to do this, I believe.

The initial login to the Windows machine still uses the regular Windows login method. I understand that W2K uses kerberos to authenticate but in true Microsoft style they have made it incompatible with MIT kerberos!!


Macintoshes

- These are no longer supported platforms at FNAL.
- The supported access method to UNIX systems from Macintoshes will be CRYPTOCards.
- There are clients available and they have been tested, and there are instructions in the manual.
- This only applies to Mac users in the US and Canada - the MIT Kerberos software for the Mac is not freely available on http://www.crypto-publish.org/ because it contains code from non-open sources.


Detector Issues

All the machines at Soudan that are visible on the general LAN must be kerberized

We will have a satellite KDC that will take over if the network between FNAL and Soudan is down - normally we will authenticate to the KDC at FNAL

Machines on the DAQ or DCS LANs that require login access but cannot run kerberos must be accessed through a gateway machine which will do the authentication and has 2 network interfaces.

It is probably a good idea for most of the DAQ/DCS machines to be hidden from the outside world and accessed through a gateway(s) for security


Detector Issues cont’d

I assume that the DCS Windows machines do not need login access to Unix machines so that they do not need WRQ Reflection - someone should tell me if that is not the case

I am not sure how the access to the DCS machines should be set up. How does the IFIX product work, how do you identify yourself to the system etc. Perhaps we can clarify some of these issues at this meeting.

It is easiest to put this stuff into place as the machines are installed in the hall - and must be done by January 2002 anyway.


Summary

Strong authentication is coming soon to a computer near you

OR

As my colleagues in the FNAL Computing Division prefer to say ….


Summary

“You will be assimilated - resistance is futile”