Understanding Kerberos pt. 2
Understanding Kerberos pt. 2
I'll tightly follow the explanations of The Moron's Guide to Kerberos
. If you've read and understood it, you can probably skip this chapter.If a user wants to access a service, then he has to authorize. For authorization in kerberos there is a Authorization Center (AC). On the MIT kerberos implementation, the AC is included in the KDC server. Here's what happens:
- The user talks to the AC and asks for acessing the service.
- The AC creates a random key (session key)
- Two packets are sent back to the user (or client process):
- the session key and a string specifiing the service, both encrypted with the users password. If the client can decrypt it, then he can read the service string and therefore verify if he could decrypt it. If only the session key would have been sent, the user could not verify, because a key looks like a piece of random bytes.
- the session key and the username, both encrypted with the service key. Here the mindful reader may ask, where this key comes from. Yes, we did not yet create this key. For later reference you should remember that these keys are random keys generated in the kerberos database using admin and that the service reads the key from a keytab file. These are simply shared secrets and file access to the keytab should only granted to the service itself.
- The client process decrypts the 1st package and stores the session key. On unix it is stores in a temporary file, on Windows it is stored in volatile shared memory.
- The client process creates a package that contains the current time and is encrypted with the session key. This 3dr package and the second package are sent to the server process. The timestamp is for avoiding "replay attacks", that means, if someone reads the package from network, he cannot reuse it later. The server will refuse the package if the "time skew" is to big.
- The server decrypts the 2'nd package and verifies the username. He also obtains the session key from there. After checking the integrity with the 3rd package, he can grant the user access to the service.
So what did we learn? If we want to make a user access a service, we need that:
- kerberos knows the user, and that the user posesses a password in the kerberos database. This is done by making a principal with "add_princpal username" in kadmin. kadmin asks you for a password.
- kerberos has to have a random key(= random password) for the service. This is acheived by making a "add_principal -randkey service/instance" in kadmin and then exporting the key to a keytab file on the service server machine with "ktadd -k keytabfile service/instance"
- In the above scenario everytime a user asks the AC for access to a service, he has to decrypt the 1st package with his password. Storing tis password is unsafe so he always has to enter the password! That's not what we want. How kerberos avoids this, you can read in pt. 3 of "understanding kerberos".
Created by system. Last Modification: Sunday 14 of August, 2005 19:49:41 UTC by admin.
Category: UNIX
-
wiki page:
- How to use Microsoft Active Directory with postfix
- inserting the first object in your ldap directory
- Installing the mailsystem packages
- Integrating LDAP in your unix system
- Introduction
- Kerberizing kadmin
- Kerberizing sshd
- Kerberos setup
- LDAP
- LDAP schema files
- logging
- Motivation
- nss_ldap security
- OpenLDAP config files
- Other documentation
- performing a first ldap query
- PerfParse
- populating the directory
- Postfix and cyrus imapd and kerberos and LDAP
- Setting up a kerberos client machine
- Setting up your Kerberos servers
- SIngle sign on (SSO) first try
- SSO and Central Administration with Kerberos and LDAP
- Start the kerberos servers
- The configuration files
- The name service switch
- Tweak pam
- Understanding Kerberos
- Understanding Kerberos pt. 2
- Webserver Stress Test Tools
- What is LDAP?
- What the heck is pam?
- What we need
- What we want
- Audience
- Authenticating
- Bash script with timeout function
- Check Processes
- Check your installation
- Choosing a Realm
- configure your mail client
- Configuring and understanding pam
- configuring cyrus imapd
- configuring postfix
- Connect to kadmind and have a look into the database
- Creating the kerberos database
- Edit the Kerberos Admin Server ACL config
- Edit the kerberos client config file
- Edit the kerberos server config file
- Excursus to principals
- exploring schemas
- Fight Image Spam
- Fight Spam best practice
- adding a group
- Adding principals and authenticating
- Another principal
- nss with Solaris 10
- SerialConsole
![[toggle]](javascript:icntoggle('mod-ApplicationMenul2','module.png'); "[toggle]"){kind=small}
Sidebar
Wiki
Image Galleries
Powered by TikiWiki CMS/Groupware |
Theme: Strasa
[ Execution time: 0.44 secs ] [ Memory usage: 6.92MB ] [ 63 database queries used in 0.0 secs ] [ Server load: 0.28 ]