ACCESS CONTROL MANAGEMENT Project Progress (as of March 3)
By: Poonam Gupta, Sowmya Sugumaran
Kerberos
[Diagram: Kerberos exchange. The client (user name, password, policies) talks to the Authentication Service Server and the Ticket Granting Service Server, then to Resource 1 and Resource 2; the arrows are numbered 1 to 4.]
Getting the Tickets
• kinit – forwards the request for a TGT to the KDC
• KDC encrypts the TGT with the user's password and sends it back
• kinit has the following options: -l (lifetime), -f (forwardable tickets), -r (renewable life)
Listing the Tickets
• klist – lists the tickets of the authenticated user.
• Output of an unsuccessful authentication is:
  klist: No credentials cache file found (ticket cache /tmp/krb5cc_1234)
Contd..
• klist provides:
  – Information on all tickets
  – Expiration time of each ticket
  – Flags that apply to the ticket
• Example:
  Ticket cache: /tmp/krb5cc_1234
  Valid starting          Expires
  29 Jul 98 11:25:47      30 Jul 98 12:25:42
Destroying the Tickets
• Destroyed automatically on logging out
• Destroying by hand:
  – Using the kdestroy command
• Output generated by klist when all the tickets are destroyed:
  klist: No credentials cache file found
Changing Kerberos Password
• kpasswd is used for changing Kerberos passwords
  – kpasswd: Changing password
  – Old password: your_old_password
  – kpasswd: your_new_password
  – New password (again): your_new_password
  – Kerberos password changed
What is in a Ticket?

| Field Name | Description |
| --- | --- |
| Ticket version number | 5 |
| Realm | Domain that issued the ticket (mostly the server's) |
| Server Name | Name of the server |
| Flags | Options that specify how & when to issue |
| Key | Client-server session key |
| Client Realm | Requestor's domain name |
| Client Name | Requestor's name |
| Authentication Time | Initial authentication time |
| Start time | Time after which the ticket is valid |
| End time | Ticket's expiration time |
| Renewal Till | Max end time that can be set with the flag |
| Client Address | 1 or more addresses |
| Authorization Data | Contains access restrictions |
What happens when tickets expire?
• KDC doesn't notify the client when the ticket is about to expire
• Tickets are used for authenticating new connections
• Ongoing operations are not interrupted
[Diagram: the client presents an expired service ticket to the server; the server returns an error message.]
Renewable TGTs
• Only session keys are refreshed, without issuing new tickets every time.
• When the renewable policy is permitted, the KDC sets a "Renewable" flag (R) in the ticket.
• Sets 2 expiration times:
  – (i) limits the life of the current instance of the ticket
  – (ii) limit on the cumulative lifetime of all instances
KDC configuration
RFC 1510 recommends the following values:
| Configuration Element | RFC 1510 Recommendation | Active Directory Domain Default Setting |
| --- | --- | --- |
| Maximum ticket lifetime | One day | 600 minutes (10 hours) |
| Maximum renewable lifetime | One week | Seven days |
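The two expiration times from the Renewable TGTs slide, combined with the lifetimes in this table, as an added Python model (not part of the original slides): `issue` sets the per-instance end time and the cumulative renew-till from the policy, and `renew` refuses a ticket that lacks the R flag, whose current instance has already expired, or whose renewable lifetime is used up. The policy names, the Ticket class and the field names are assumptions made for the example.

```python
from dataclasses import dataclass, replace

HOUR, DAY = 3600, 86400
# Limits taken from the slide's table: RFC 1510 recommends one day / one week,
# Active Directory defaults to 10 hours / 7 days. Policy names are assumed.
MAX_LIFE = {"rfc1510": DAY, "ad_default": 10 * HOUR}
MAX_RENEW = {"rfc1510": 7 * DAY, "ad_default": 7 * DAY}

@dataclass(frozen=True)
class Ticket:  # hypothetical subset of the ticket fields listed earlier
    start: int        # "Start time": valid from
    end: int          # "End time": expiry of this instance
    renew_till: int   # "Renewal Till": cap on the cumulative lifetime
    flags: frozenset  # contains "R" when the KDC granted renewable

def issue(now, policy, renewable):
    """Initial issue: both limits come from the KDC policy
    (the slide's two expiration times)."""
    life, renew_max = MAX_LIFE[policy], MAX_RENEW[policy]
    return Ticket(start=now, end=now + life,
                  renew_till=now + renew_max if renewable else now + life,
                  flags=frozenset({"R"}) if renewable else frozenset())

def renew(ticket, now, policy):
    """Renewal: a fresh instance with a fresh end time, never past renew_till.
    The current instance must still be valid and must carry the R flag."""
    if "R" not in ticket.flags:
        raise ValueError("ticket is not renewable")
    if not ticket.start <= now <= ticket.end:
        raise ValueError("current instance expired; must kinit again")
    if now >= ticket.renew_till:
        raise ValueError("cumulative renewable lifetime exhausted")
    new_end = min(now + MAX_LIFE[policy], ticket.renew_till)
    return replace(ticket, start=now, end=new_end)
```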
The Authenticator
• The client includes an authenticator whenever it sends a ticket to a server (either the TGS or a service server)
• Authenticator – lets the server verify that the party presenting the ticket is really the client the ticket was issued to.
Why is an Authenticator necessary
• The server trusts the ticket – the ticket is encrypted using the server's secret key
• But the server has doubts about the sender
• The ticket could be stolen and then sent by the imposter
How does the Authenticator work?
• The authenticator is encrypted with the session key created by the KDC to be used between the client and the target server. Only the client and the target server can access the session key.
• The target server uses its secret key to decrypt the ticket, finds the session key inside the ticket, and uses it to decrypt the authenticator.
• If the target server can successfully decrypt the authenticator and if the authenticator's data is accurate, then the target server will trust the source of the ticket.
Authenticator’s Timestamp
• Important piece of data
• Kerberos policy requires that the authenticator's timestamp be within minutes of the time on the server
• This prevents replay attacks
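The server-side steps of the last two slides (decrypt the ticket with the server's own key, take the session key out of it, decrypt the authenticator with that key, check that its contents match the ticket, and reject timestamps that are stale or have been seen before), as an added Python example that is not part of the original slides. It uses a toy stdlib-only authenticated cipher in place of a real Kerberos enctype; the field names, the 300-second skew and the replay-cache shape are assumptions.

```python
import hmac, hashlib, json, os

# Toy authenticated encryption from the standard library, so the example runs
# offline. It stands in for a Kerberos enctype; it is not one.
def _keystream(key, nonce, n):
    blocks = (n + 31) // 32
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(blocks))[:n]

def encrypt(key, obj):
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("wrong key or tampered data")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

CLOCK_SKEW = 300  # seconds: an assumed value for the slide's "within minutes"

def make_ap_req(server_key, session_key, cname, crealm, start, end, ctime, cusec):
    """What the client sends: the ticket (sealed by the KDC under the server's
    key) plus an authenticator sealed under the session key. Fields are assumed."""
    ticket = {"cname": cname, "crealm": crealm, "key": session_key.hex(),
              "start": start, "end": end}
    auth = {"cname": cname, "crealm": crealm, "ctime": ctime, "cusec": cusec}
    return encrypt(server_key, ticket), encrypt(session_key, auth)

def verify_ap_req(server_key, ticket_blob, auth_blob, replay_cache, now):
    """Server side: decrypt the ticket with its own key, take the session key out,
    decrypt the authenticator, then check principal, timestamp and replay."""
    ticket = decrypt(server_key, ticket_blob)
    if not ticket["start"] <= now <= ticket["end"]:
        raise ValueError("ticket expired or not yet valid")
    session_key = bytes.fromhex(ticket["key"])
    auth = decrypt(session_key, auth_blob)  # only a holder of the session key can make this
    if (auth["cname"], auth["crealm"]) != (ticket["cname"], ticket["crealm"]):
        raise ValueError("authenticator principal does not match ticket")
    if abs(auth["ctime"] - now) > CLOCK_SKEW:
        raise ValueError("authenticator timestamp outside allowed clock skew")
    entry = (auth["cname"], auth["crealm"], auth["ctime"], auth["cusec"])
    if entry in replay_cache:  # same authenticator already accepted within the skew window
        raise ValueError("replayed authenticator")
    replay_cache.add(entry)
    return session_key
```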
Setting up KDC Hardware
• KDC – holds the database with passwords and all information
• KDC must be as secure as possible:
  – Put the server machine into a physically secured location, to which only a very few people have access.
  – Do not run any network applications on it except the KDC.
  – It is probably a good approach to install a minimal system first, then check the list of installed packages and remove any unneeded packages.
Clock Synchronization
• All clocks within the organization must be synchronized
• Very important – protects against replay attacks
• Possible solution:
  – Installing a time server on one machine and having all clients synchronize their clocks with this machine
Setting the Master Key
• Database master key – protects the database from accidental disclosure
• Derived from a pass phrase and stored in a stash file
• Don't back up the stash file together with the database when making backups to tape
  – Master key: <enter pass phrase>
  – Verifying password – Master key: <enter pass phrase again>
Minutes Details
• Meeting once a week
• Installed Kerberos
• Understanding how to set up the client and server application
Thank You..!!