Cross-Cell Authentication Using Configurable Authentication Paths

Douglas E. Engert, [email protected], Argonne National Laboratory, 11/05/96


Page 1: Cross-Cell Authentication Using Configurable Authentication Paths

Douglas E. Engert
[email protected]
Argonne National Laboratory
11/05/96

Page 2: Introduction

What is Cross-Cell Authentication?
How Kerberos and DCE implement it
What's wrong with this?
Configurable Authentication Paths
Results of testing
Futures

Page 3: Definitions

Cell vs. Realm
Security Server vs. KDC
/.../cellname/user vs. user@realm
principal and account vs. principal

Page 4: Cross-Cell Authentication

A user in one cell can authenticate to a service in another cell.

Feature of Kerberos:
Version 4 - direct cell to cell
Version 5 - allows intermediate cells

Requires cell_admins to set up shared keys.

Page 5: Kerberos Basics

[Diagram: Key Distribution Center (KDC) or DCE Security Server. The user runs kinit, tickets go into the credential cache, and the client application APPL authenticates to the server application APPLD.]

Page 6: Cross Cell Authentication - Shared Keys

[Diagram: Client's KDC, KDC 1, KDC 2 and Server's KDC linked in a chain by shared keys, with the User at one end and the Server at the other.]

Page 7: Cross Cell Authentication

[Diagram: the user runs kinit, tickets go into the credential cache, client APPL authenticates to server APPLD; the ticket chain passes through Client's KDC, KDC 1, KDC 2 and Server's KDC.]

Page 8: Hierarchical Organization of Cells

"Realms are typically organized hierarchically" - RFC 1510 Section 1.1

Kerberos 5 uses DNS style
DCE uses cell aliases
They don't interoperate

Page 9: Kerberos 5 Hierarchy

Right to left, separator is "."
Example (path from A.B.C to Y.Z.C): A.B.C, B.C, C, Z.C, Y.Z.C

Page 10: DCE Hierarchy

Left to right, separator is "/"
Example (path from /c/b/a to /c/z/y): /c/b/a, /c/b, /c, /c/z, /c/z/y

Requires user to specify the hierarchy
Transitive trust

Page 11: What's wrong with this?

The world is not hierarchical
How does ANL.GOV authenticate to WIDGET.COM?
Who runs the GOV, COM, EDU, ORG cells?
Can't belong to more than one hierarchy
DCE and K5 do not interoperate
Hierarchy is tied to the realm name
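The two hierarchical walks on pages 9 and 10, and the ANL.GOV-to-WIDGET.COM question on this page, worked through as an added Python example (not code from the talk, from MIT Kerberos or from DCE). It derives the default hierarchical authentication path by climbing from the client realm to the nearest common ancestor and descending to the server realm, for both naming styles. The realm names are the slides' own examples; the function names are this example's. The walk assumes every adjacent pair on the path shares a key, which is exactly the assumption this page questions, and it does not handle the abbreviated realm names the real walk_rtree.c accepts.

```python
"""Default hierarchical authentication paths, as drawn on the slides.

Kerberos 5 realms are DNS-style, read right to left with "." (A.B.C);
DCE cell names are read left to right with "/" (/c/b/a).  Added example,
not code from the talk or from MIT Kerberos / DCE.
"""


def _components(realm, style):
    """Split a realm/cell name into components, most significant first."""
    if style == "k5":
        return list(reversed(realm.split(".")))      # A.B.C -> [C, B, A]
    if style == "dce":
        return realm.strip("/").split("/")           # /c/b/a -> [c, b, a]
    raise ValueError("style must be 'k5' or 'dce'")


def _name(components, style):
    """Inverse of _components."""
    if style == "k5":
        return ".".join(reversed(components))
    return "/" + "/".join(components)


def hierarchical_path(client, server, style="k5"):
    """Realms on the default hierarchical path from client to server, inclusive.

    Walk up from the client realm until the names share a prefix (the nearest
    common ancestor), then walk down to the server realm.  Every adjacent pair
    in the result must share a cross-realm key for the path to work.
    """
    c = _components(client, style)
    s = _components(server, style)
    common = 0
    while common < min(len(c), len(s)) and c[common] == s[common]:
        common += 1
    up = [_name(c[:i], style) for i in range(len(c), common, -1)]
    ancestor = [_name(c[:common], style)] if common else []
    down = [_name(s[:i], style) for i in range(common + 1, len(s) + 1)]
    return up + ancestor + down


def intermediates(client, server, style="k5"):
    """Realms that must exist and be trusted between client and server, i.e.
    what the ticket's transited field will carry on this default path."""
    return hierarchical_path(client, server, style)[1:-1]


if __name__ == "__main__":
    # Page 9: A.B.C -> B.C -> C -> Z.C -> Y.Z.C
    print(" -> ".join(hierarchical_path("A.B.C", "Y.Z.C")))
    # Page 10: /c/b/a -> /c/b -> /c -> /c/z -> /c/z/y
    print(" -> ".join(hierarchical_path("/c/b/a", "/c/z/y", "dce")))
    # Page 11: no common ancestor, so the path runs through GOV and COM,
    # realms that nobody operates and that would have to share a key.
    print("ANL.GOV -> WIDGET.COM needs", intermediates("ANL.GOV", "WIDGET.COM"))
```

The ANL.GOV case is the point of the slide: with no common component, the only hierarchical path is ANL.GOV, GOV, COM, WIDGET.COM, so two top-level realms that nobody runs would have to exist and share a key before the two sites could talk.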

Pages 12-15: Cross Cell

[Four diagram slides titled "Cross Cell"; only the title survived extraction.]

Page 16: Configurable Authentication Paths

"Realms are typically organized hierarchically.... If a hierarchical organization is not used, it may be necessary to consult some database in order to construct an authentication path between realms." - RFC 1510 Section 1.1

So use a database!

Page 17: Configurable Authentication Paths

lib/krb5/krb/walk_rtree.c
Returns the authentication path based on client and server realms
Used by the client to find the authentication path
Used by the server to check the transited field

Has been incorporated in MIT Kerberos 5 beta 6 and beta 7

krb5.conf: new section [capaths]

Page 18: Why Check the Transited Field?

[Diagram: cells abc, def and ghi in a row, with xyz and jkl off to the side.]

Client: abc, Server: ghi, Transited field: def
Bogus client: abc, Server: ghi, Transited field: xyz,jkl,def

DCE 1.0.3 did not check!

Page 19: Testing CAPATH in DCE

Modified DCE 1.1 walk_rtree.c
Kept simple to show proof of concept
walk_rtree.c is in shared libdce
capath.conf: equivalent to the krb5.conf [capaths] information

Page 20: capath.conf

client-cell   server-cell   intermediates
dce.anl.gov   dce.es.net    .
dce.anl.gov   dce.pnl.gov   dce.es.net
dce.es.net    dce.anl.gov   .
dce.pnl.gov   dce.anl.gov   dce.es.net
dce.es.net    dce.pnl.gov   .
dce.pnl.gov   dce.es.net    .

n*(n-1) records in total
Each cell needs 2*(n-1) records (n-1 as client, n-1 as server)
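The capath.conf table above, the [capaths] section on page 17 and the transited-field check on page 18, worked through as an added Python example (not the talk's modified walk_rtree.c, nor DCE or MIT Kerberos code). The table is the slide's, embedded here as constructed input; the comment lines, the allowance for several intermediate columns, the upper-casing of realm names in the emitted [capaths] section, the plain comma-separated transited encoding and all function names are this example's own assumptions.

```python
"""capath.conf -> authentication paths -> transited-field check.

Added example, not code from the talk, from DCE or from MIT Kerberos.  It
parses the slide's capath.conf table, emits the equivalent krb5.conf
[capaths] section, answers the client's question ("which TGTs do I need?")
and the server's question ("is the transited field consistent with policy?").
"""

# The table from page 20, constructed here as sample input.  Lines are
# "client-cell server-cell intermediates"; "." means a direct shared key.
# Comment lines and several intermediate columns are this example's extension.
CAPATH_CONF = """\
# client-cell  server-cell   intermediates
dce.anl.gov    dce.es.net    .
dce.anl.gov    dce.pnl.gov   dce.es.net
dce.es.net     dce.anl.gov   .
dce.pnl.gov    dce.anl.gov   dce.es.net
dce.es.net     dce.pnl.gov   .
dce.pnl.gov    dce.es.net    .
"""


def parse_capath_conf(text):
    """Return {(client, server): [intermediate, ...]}; [] means direct."""
    table = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"capath.conf line {lineno}: need client, server, intermediates")
        client, server, hops = fields[0], fields[1], fields[2:]
        if hops == ["."]:
            hops = []
        if "." in hops or client in hops or server in hops:
            raise ValueError(f"capath.conf line {lineno}: malformed intermediates {hops}")
        if (client, server) in table:
            raise ValueError(f"capath.conf line {lineno}: duplicate record {client} -> {server}")
        table[(client, server)] = hops
    return table


def missing_pairs(table):
    """Client/server pairs with no record.  A full mesh of n cells has
    n*(n-1) records, 2*(n-1) per cell (n-1 as client, n-1 as server)."""
    cells = sorted({cell for pair in table for cell in pair})
    return [(c, s) for c in cells for s in cells if c != s and (c, s) not in table]


def authentication_path(table, client, server):
    """Client side: the realms whose TGTs must be obtained, in order.
    None means no record; the modified libdce then falls back to the
    hierarchical method (page 27)."""
    if client == server:
        return [client]
    hops = table.get((client, server))
    return None if hops is None else [client] + hops + [server]


def parse_transited(field):
    """Transited field as a list of realm names.  Assumes plain comma-separated
    full names; the abbreviations of RFC 1510 section 3.3.3.2 are not expanded."""
    return [r.strip() for r in field.split(",") if r.strip()]


def check_transited(table, client, server, transited_field):
    """Server side: accept only if every realm the ticket claims to have
    passed through is one of the configured intermediates, in the configured
    order.  Returns (accepted, reason).  DCE 1.0.3 skipped this check."""
    expected = table.get((client, server))
    if expected is None:
        return False, f"no capath record for {client} -> {server}"
    position = 0
    for realm in parse_transited(transited_field):
        while position < len(expected) and expected[position] != realm:
            position += 1
        if position == len(expected):
            return False, f"{realm} is not on the configured path {expected}"
        position += 1
    return True, "transited field consistent with capath.conf"


def to_krb5_capaths(table):
    """Equivalent krb5.conf [capaths] section in MIT syntax.  Realm names are
    upper-cased by convention; several intermediates become repeated lines."""
    lines = ["[capaths]"]
    for client in sorted({c for c, _ in table}):
        lines.append(f"    {client.upper()} = {{")
        for (c, s), hops in sorted(table.items()):
            if c == client:
                for hop in hops or ["."]:
                    lines.append(f"        {s.upper()} = {hop.upper()}")
        lines.append("    }")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    table = parse_capath_conf(CAPATH_CONF)
    print(to_krb5_capaths(table))
    print("missing records:", missing_pairs(table))
    print("anl -> pnl path:", authentication_path(table, "dce.anl.gov", "dce.pnl.gov"))
    # Page 18's three cells: the honest and the bogus transited field.
    toy = parse_capath_conf("abc ghi def\n")
    print(check_transited(toy, "abc", "ghi", "def"))
    print(check_transited(toy, "abc", "ghi", "xyz,jkl,def"))
```

The server-side check is the part that matters for security: a ticket whose transited field names xyz and jkl is rejected because those cells are not on the configured abc-to-ghi path, whereas a ticket that took a shorter route than configured is still accepted. missing_pairs is the operational check that the full mesh the slide counts (n*(n-1) records) is actually present before a cell is put into service.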

Page 21: Testing CAPATH in DCE

Need modified libdce.so on server and security server

Need modified libdce.so on client:
AIX 4.1.4 - relinked libdce.a
Solaris 2.5 - setenv LD_PRELOAD
HP - have not figured out a way yet

Page 22: Cross Cell Authentication

[Diagram: the user does dce_login into the credential cache and then rlogin to klogind across cells; cells dce.anl.gov (HP), dce.es.net (Transarc) and dce.pnl.gov (Transarc), each running secd; the AIX client carries the modified libdce.so.]

Page 23: Cache

pembroke% /krb5/bin/rlogin moonbeam.pnl.gov -x -l engert
This rlogin session is using DES encryption for all data transmissions.
Last login: Thu Oct 24 17:01:49 from pembroke.ctd.anl
Sun Microsystems Inc. SunOS 5.5.1 Generic May 1996
moonbeam.pnl.gov% exit
moonbeam.pnl.gov% logout
Connection closed.
pembroke% /krb5/bin/klist
Ticket cache: /opt/dcelocal/var/security/creds/dcecred_626fb170
Default principal: [email protected]

Valid starting      Expires             Service principal
25 Oct 96 09:03:01  25 Oct 96 19:03:01  krbtgt/[email protected]
25 Oct 96 09:03:17  25 Oct 96 19:03:01  afsx/[email protected]
25 Oct 96 09:10:28  25 Oct 96 19:03:01  krbtgt/[email protected]
25 Oct 96 09:10:28  25 Oct 96 19:03:01  krbtgt/[email protected]
25 Oct 96 09:10:31  25 Oct 96 19:03:01  host/[email protected]

Page 24: Cross Cell Authentication

[Diagram: the user does dce_login into the credential cache and then rgy_edit over RPC to another cell; cells dce.anl.gov (HP), dce.es.net (Transarc) and dce.pnl.gov (Transarc), each running secd; the AIX client and the servers carry the modified libdce.so.]

Page 25: Cache

Klist output
Default principal: [email protected]
Server: krbtgt/[email protected]
Client: [email protected]
Server: krbtgt/[email protected]
Client: [email protected]
Server: [email protected]
Server: krbtgt/[email protected]
Server: krbtgt/[email protected]
Server: [email protected]
Client: [email protected]
Server: krbtgt/[email protected]
Client: [email protected]
Server: krbtgt/[email protected]
Client: [email protected]
Server: [email protected]

Page 26: Cross Cell Authentication

[Diagram: the user does dce_login into the credential cache and then accesses DFS in the other cells; cells dce.anl.gov (HP), dce.es.net (Transarc) and dce.pnl.gov (Transarc), each running secd; the AIX client and the servers carry the modified libdce.so.]

Page 27: Compatibility

Defaults to previous method if:
capath.conf not found
client-server record not found

Works with MIT Kerberos

Page 28: Futures

Request OSF and HP incorporate the modification

Replace capath.conf file:
Store in registry
Locally cached by dced

Public key for cross-cell:
capath.conf then becomes list of trusted CAs

Page 29: ESnet Pilot Project

Final Report and Recommendations of the ESnet Authentication Pilot Project
G. R. Johnson (PNL), C. L. Athey (LLNL), D. E. Engert (ANL), J. P. Moore (PNL), J. E. Ramus (NERSC)

http://www.es.net/pub/esnet-doc/auth-and-security/auth-pilot-report.ps

Page 30: The End

Page 31: Cross-Cell Authentication Using Configurable Authentication Paths

Douglas E. Engert
[email protected]
Argonne National Laboratory
10/31/96