Why Kerberos? Presented by Beth Lynn Eicher CPLUG Security Conference March 5, 2005 Released Under...
Why Kerberos?
Presented by Beth Lynn Eicher
CPLUG Security Conference
March 5, 2005
Released Under The Creative Commons Attribution-NonCommercial-ShareAlike License.
Some Rights Reserved
Kerberos IS...
The mythical character
A Network Authentication Protocol
● MIT took an idea from Xerox: “The Needham-Schroeder Protocol”
● Centralized, single sign-on, encrypted logins
Kerberos is everywhere
• Required for OpenAFS
• With Heimdal (from Sweden) you can use Kerberos anywhere
• Becoming a built-in option
  • Microsoft Active Directory
  • LDAP
  • Fedora Core (PAM)
Yes, you can use telnet again
If you “kerberize” your service, you can use services that otherwise pass your passwords in the clear.
Allows many methods of authentication...
Something that you know
Your password
Something that you have...
Your SecurID
Something that you are...
Bio-authentication
Since there are multiple ways of authenticating...
Let's just call it secret
Provides the 3 A's
● Authentication – verifying secrets
● Authorization – control access
● Auditing – logging
NOT to be confused with...
Fluffy from Harry Potter
A directory service
● Kerberos doesn't know your full name, your favorite shell, or your home address
● Use LDAP or NIS(+) WITH Kerberos
Kerberos does encrypt your password...
● But what you assume to be Kerberos may not be Kerberos if your system has been exploited!
● Be aware of trojans and keystroke logging
My principal's service instances
My 's administrative instances
Single Sign-On
1) I log in to my desktop
2) After that initial login I'm given a ticket
3) I can ssh/telnet to other machines on the network without typing a password again!
My password is not cached or resent.
My ticket allows me to request more tickets.
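A simplified model of the ticket flow this slide describes, added here as an illustration (it is not part of the original presentation and is not real Kerberos code). ToyKDC, seal/unseal and the principal names are hypothetical, the cipher is a toy stand-in, and authenticators and ticket lifetimes are left out.

```python
import hashlib, hmac, json, os

def _stream(key, nonce, n):
    return hashlib.shake_256(key + nonce).digest(n)

def seal(key, obj):
    # Toy authenticated encryption (SHAKE keystream + HMAC), standing in for real Kerberos enctypes.
    pt, nonce = json.dumps(obj).encode(), os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _stream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct)))))

def password_key(principal, password):
    # Long-term key derived from the password; the password itself is never transmitted.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 10_000)

class ToyKDC:
    def __init__(self, users, services):
        self.user_keys = {p: password_key(p, pw) for p, pw in users.items()}
        self.service_keys = {s: os.urandom(32) for s in services}
        self.tgs_key = os.urandom(32)  # known only to the KDC

    def _issue(self, client, reply_key, ticket_key):
        session = os.urandom(32).hex()
        ticket = seal(ticket_key, {"client": client, "session": session})
        return seal(reply_key, {"session": session}), ticket

    def login(self, principal):
        # Initial login: the reply is readable only with the password-derived key.
        return self._issue(principal, self.user_keys[principal], self.tgs_key)

    def service_ticket(self, tgt, service):
        # Later requests present the ticket, not the password.
        t = unseal(self.tgs_key, tgt)
        return self._issue(t["client"], bytes.fromhex(t["session"]), self.service_keys[service])

def single_sign_on(kdc, principal, password, services):
    reply, tgt = kdc.login(principal)
    session = bytes.fromhex(unseal(password_key(principal, password), reply)["session"])
    accepted = []  # from here on only the ticket and its session key are used
    for svc in services:
        reply, ticket = kdc.service_ticket(tgt, svc)
        unseal(session, reply)  # client recovers the per-service session key
        accepted.append(unseal(kdc.service_keys[svc], ticket)["client"])  # the service's view
    return accepted
```

Each service decrypts its ticket with its own key and learns who the client is without ever seeing the password, which is used once on the client to open the first reply.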
When I want to be root
● I authenticate with my [email protected] password
● Now I have full root privileges on the local host
● I can also use this ticket to ssh/telnet to other machines and be root on them too
What I didn't tell you
● How Kerberos works.
● MIT vs Heimdal
● Who is Cerberus?
● How to configure Kerberos
● How OpenAFS uses Kerberos
O'Reilly to the Rescue
● “Kerberos: The Definitive Guide” by Jason Garman
● The Owl book
● $34.95
Thanks!