KERBEROS: 30 years later
Transcript of KERBEROS: 30 years later
(A modern cryptographic overview)
Robbie Harwood
Kerberos Development Lead, Red Hat
2019-12-05
WHAT IS KERBEROS?
What is Kerberos?
"Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology."
-- https://web.mit.edu/kerberos
● Widely used
  ● Anywhere there’s a many/many problem
  ● Supported by most applications
This quote is familiar...
(Figure: Kerberos, Herakles, Eurystheus)
(Figure: Trent, Alice, Eve)
(Figure: Trent, Alice, Eve, Argos, Bob, python)
● For securing network communication
  ● Safe + secure on public networks
  ● On any network
● Binds actors to names … cryptographically
● Secures communication between actors
  ● Mutually-authenticated
● Lays groundwork for authorization
● Multifactor support
● Needham-Schroeder protocol (symmetric)
● Most operations are AES
  ● Very fast
● Initial step uses elliptic cryptography
● Built-in, automatic revocation checking
● Initiator / Acceptor
● Doesn’t require machine separation
  ● … can even authenticate an actor to themself
● Beyond usual notion of “server”
● “Enterprise”
● “MIT licensed” (surprise)
● Installs on your machine
  ● Yes, even Windows
  ● The Crypto Wars are basically over
● Several other implementations available
  ● Heimdal (Sweden)
  ● Microsoft Active Directory (AD); proprietary
  ● Apple; proprietary
  ● Shishi; abandoned and poorly licensed
● Implementations interoperate
  ● … but I’m doing a MIT-specific presentation
TOPOLOGY
Topology
(Figure: User program, Service and KDC, with the not-yet-explained links between them marked “?”)
Initial credential acquisition
Initial credentials (simplified)
(Figure: User, Service, KDC. User inputs: secret; receives: TGT)
User → KDC: AS_REQ (user, crypto)
KDC → User: AS_REP (TGT, encrypted)
Initial credentials
● KDC “Authentication Service” (AS)
● Secret credentials never cross the network
● Different configurations may require more messages
  ● Multifactor
  ● PKINIT
  ● Older mechanisms
● TCP or UDP, port 88
  ● … or TCP port 443
Initial credentials
● SPAKE (Secure Password-Authenticated Key Exchange)
  ● “Future work” two years ago
  ● Elliptic curve-based approach
  ● Prevents offline dictionary attacks … even with weak passwords
● Current future work
  ● SPAKE’s multifactor interface is extensible
  ● TOTP/HOTP (already supported in krb5 differently)
  ● FIDO/U2F devices (e.g., yubikeys)
Initial credentials
(Figure: User program, Service, KDC. User program has: TGT; link to Service marked “?”)
Service ticket acquisition
Service tickets
(Figure: User program, Service, KDC. User program has: TGT, then also has: service ticket)
User program → KDC: TGS_REQ (user for service)
KDC → User program: TGS_REP (encrypted service ticket)
Service tickets
● KDC Ticket Granting Service (TGS)
● Communication secured by TGT (initial credentials)
● Credentials shared session-wide by default
  ● Credential cache (ccache)
  ● Protected from other users
  ● May be scoped differently (e.g., process)
Service tickets
Inside a service ticket:
● Lots of timestamps
● Some names
● The session key
● The session key, encrypted for the service
  ● Encrypted with long-term key for target service
  ● This principal generalizes
  ● Recall that long-term keys never cross the network
  ● This determines error messages
Service tickets
(Figure: User program, Service, KDC. User program has: TGT, service ticket; link to Service marked “?”)
Authentication
Authentication
(Figure: User program, Service, KDC. User program has: TGT, service ticket)
User program → Service: AP_REQ (encrypted session key)
Service → User program: AP_REP
Acquire credentials (if needed)
Authentication
● Client/server exchange (AP)
● Not actually a protocol
  ● Means it tunnels along whatever existing channel is in use
● Client initiator, server acceptor
Authentication
● Service likely unattended
  ● Long-term credentials stored in a keytab
  ● Keytab begets ccache
● Service doesn’t need to see the KDC
  ● Revocation checking happened
USING KERBEROS
Using Kerberos
● Native: libgssapi (C)
  ● Standardized, approachable interface
  ● libkrb5: not standardized, harder to use
● Also supported through SASL
● Supported mechanism in SSH
● Other languages have bindings
  ● Python: python-gssapi
  ● Not biased at all, no...
Using (python-gssapi)
rharwood@seton:~$ gssapi-console.py
GSSAPI Interactive console
Python 3.7.4+ (default, Sep 4 2019, 08:03:05)
[GCC 9.2.1 20190827] on linux
Type "help", "copyright", "credits" or "license" for more information about Python.
Functions for controlling the realm are available in `REALM`.
Session: /tmp/tmpeVQgJ5-krbtest
Mechansim: krb5 (MIT Kerberos 5), Realm: KRBTEST.COM, User: [email protected], Host: host/[email protected]
>>>
>>> server_name = gssapi.Name("host/seton.mivehind.net")
>>> client_context = gssapi.SecurityContext(usage="initiate", name=server_name)
>>> server_context = gssapi.SecurityContext(usage="accept")
>>> token = client_context.step()
>>> token = server_context.step(token)
>>> token = client_context.step(token)
>>> token
>>> client_context.complete
True
>>> server_context.complete
True
>>>
>>> message = "I'm the best possible message!"
>>> encrypted_message = client_context.encrypt(message)
>>> encrypted_message
"\x05\x04\x06\xff\x00\x00\x00\x00\x00\x00\x00\x004\xba\x00(@\xf2\x0cS\xd2M\x88\x945/$m\xd2\xb0Uol:p\x98\xca\xddw\xda\xeab\xbd\xd1~\xd5Kjo\x15\xad\x08V\xa4\xd4\xa2>\xad\x89\xe2\xb4\x06\x8f\xca\xf1\xd9\xbb\x0e\xf2\x8f\x1a\x06\x86\x9b\x9dx'\xdfT3V\xb0\x17$7\x13\xe1\xfe\x10u"
>>> server_context.decrypt(encrypted_message)
"I'm the best possible message!"
>>>
DEPLOYMENT
Deployment
● Possible to deploy “by hand”
  ● Not all that difficult
  ● Good for testing
  ● Additional features require configuration
  ● Lots of steps
Deployment
● Red Hat Identity Management
  ● Upstream: freeIPA: https://freeipa.org
  ● Packaged in Fedora, CentOS, RHEL
  ● Client packaged in all major distros
● Turnkey solution
  ● Also sets up CA / PKI, LDAP, etc.
  ● Featureset is akin to MS AD
MULTI REALM
Multi-realm (example)
rharwood@seton:~$ kinit [email protected]
Password for [email protected]:
rharwood@seton:~$ kinit [email protected]
Password for [email protected]:
rharwood@seton:~$ koji hello
안녕하세요 , rharwood!
You are using the hub at https://koji.fedoraproject.org/kojihub
Authenticated via GSSAPI
rharwood@seton:~$ klist
Ticket cache: KEYRING:persistent:21259:krb_ccache_aLv5gM5
Default principal: [email protected]
Valid starting Expires Service principal
10/04/19 14:59:32 10/05/19 00:59:32 krbtgt/[email protected]
rharwood@seton:~$
rharwood@seton:~$ klist -A
Ticket cache: KEYRING:persistent:21259:krb_ccache_aLv5gM5
Default principal: [email protected]
Valid starting Expires Service principal
10/04/19 14:59:32 10/05/19 00:59:32 krbtgt/[email protected]
Ticket cache: KEYRING:persistent:21259:krb_ccache_eeQRbHv
Default principal: [email protected]
Valid starting Expires Service principal
10/04/19 14:59:45 10/05/19 14:59:17 HTTP/[email protected]
renew until 10/11/19 14:59:17
10/04/19 14:59:22 10/05/19 14:59:17 krbtgt/[email protected]
renew until 10/11/19 14:59:17
TIME CHECK
Cross-realm (example)
rharwood@conch:~$ aklog athena.mit.edu
rharwood@conch:~$ klist | grep -i mit
Oct 3 23:56:16 2019 Oct 4 09:55:23 2019 krbtgt/[email protected]
Oct 3 23:56:16 2019 Oct 4 09:55:23 2019 afs/[email protected]
Oct 3 23:56:16 2019 Oct 4 09:55:23 2019 afs/[email protected]
rharwood@conch:~$ tokens
Tokens held by the Cache Manager:
Tokens for [email protected] [Expires Oct 4 09:55]
User's (AFS ID 1812) tokens for [email protected] [Expires Oct 4 09:55]
--End of list--
rharwood@conch:~$
rharwood@conch:~$ aklog sipb.mit.edu
rharwood@conch:~$ klist | grep -i sipb
Oct 4 00:10:18 2019 Oct 4 09:55:23 2019 afs/[email protected]
Oct 4 00:10:18 2019 Oct 4 09:55:23 2019 afs/[email protected]
rharwood@conch:~$ tokens
Tokens held by the Cache Manager:
Tokens for [email protected] [Expires Oct 4 09:55]
Tokens for [email protected] [Expires Oct 4 09:55]
User's (AFS ID 1812) tokens for [email protected] [Expires Oct 4 09:55]
--End of list--
rharwood@conch:~$
Questions?
● MIT krb5: https://web.mit.edu/kerberos
● MIT krb5: https://github.com/krb5/krb5
● python-gssapi: https://github.com/pythongssapi/python-gssapi
● gssapi-console: https://github.com/pythongssapi/gssapi-console
● freeIPA: https://freeipa.org
● freeIPA: https://github.com/freeipa/freeipa
https://mivehind.net
GitHub: frozencemetery
This is the backup slide