Kerberos in an ISP environment UNIX/Win2K/Cisco

> Nicolas FISCHBACH
  [email protected] - http://www.securite.org/nico/
> Sébastien LACOSTE-SERIS
  [email protected] - http://www.securite.org/kaneda/

version 1.13
Agenda
> Kerberos
  > Introduction: why did we choose Kerberos?
  > Protocol and Exchanges
  > MIT Kerberos and Applications
  > Attacks
> Deployment
  > UNIX
  > Cisco Routers and Switches
  > Win2K
> Q&A
© 2001 Sécurité.Org
What is Kerberos?
> Kerberos is a network authentication protocol/system
> Uses time synchronization to:
  > limit the use of the keys
  > help in detecting replay attacks
> Mutual authentication
> Uses DES and shared keys
> Trusted third party
What is Kerberos not?
> Kerberos does not provide authorization, only authentication
> Kerberos does not provide data encryption
Why use Kerberos?
> Secure authentication (cryptography)
> No password transmission
> Single Sign On
  > SSO is bad for security (Bruce Schneier)
> Centralized authentication management
> IETF Standard (RFC 1510)
Kerberos vocabulary (1)
> KDC: Key Distribution Center. Holds a database of clients and servers (called principals) and their private keys
> principal: three-tuple
  > user: login/staff@REALM
  > service: service/host.fqdn@REALM
  > primary: username or service name
  > instance: "qualifies" the primary (role)
  > realm: authentication domain
Kerberos vocabulary (2)
> keytab: file containing one or more keys (for hosts or services). Also known as SRVTAB.
> client: an entity that can obtain a ticket (user or host)
> service: host, ftp, krbtgt, pop, etc.
> ticket: credentials (identity of a client for a particular service)
> TGT: ticket issued by the AS. Allows the client to obtain additional tickets for the same realm.
Key Distribution Center
> Responsible for maintaining master keys for all principals and issuing Kerberos tickets
> The Authentication Service (AS) gives the client a session key and a Ticket Granting Ticket (TGT)
> The Ticket Granting Service (TGS) distributes service session keys and tickets for the service
Kerberos Protocol (1)
> Kerberos Ticket (figure: ticket layout)
  Domain | Principal Name
  Encrypted part: Ticket Flags | Encryption Key | Domain | Principal Name | Start Time | End Time | Host Address | Authorization Data
Kerberos Protocol (2)
> Kerberos Ticket Exchanges (figure: User, Key Distribution Center with Authentication Service and Ticket Granting Service, Network Service, ticket)
> Ports:
  kinit:          88/udp
  kpasswd (Unix): 749/tcp
  kpasswd (Win):  464/{tcp,udp}
Kerberos Protocol (3)
> Getting a Ticket Granting Ticket (1+2)
  > (1) TGT Request
  > (2) TGT (to be decrypted with the user's password hash)
(figure: Client -> KDC: TGT Request (1); KDC -> Client: TGT (2))
Kerberos Protocol (4)
> Getting and using a Service Ticket (3+4+5)
  > (3) ST Request (with a TGT)
  > (4) ST and session key
  > (5) ST for authentication
(figure: Client -> KDC: ST Request (3); KDC -> Client: ST and SK (4); Client -> Server: ST (5))
Kerberos Protocol (5)
> Kerberos delegation
(figure: delegation between Client, Server, KDC and a second Server; message labels: TGT + ST, ST Request, ST and SK, ST)
Realms
> A Realm is an authentication domain
  > one Kerberos database and a set of KDCs
> Hierarchical organization (new in v5)
> One or two way authentication
> Cross-realm authentication
  > transitive cross-realm
  > direct between realms
Kerberos Protocol (6)
> Authentication across domains
(figure: Client, two KDCs and a Server; message labels: TGT Request, TGT, ST Request, ST and SK, ST and SK)
MIT distribution
> Version used: 5.1
> Provides client and server
> Supported platforms: UNIXes (xBSD, Linux, Solaris, AIX, HP-UX, OSF/1, ...), MacOS 10
> DNS can be used for lookups
Kerberized applications
> telnet (with DES encryption) and r-commands
> CVS and ksu, klogin, k*
> SSH 1.2 supports Kerberos V (run at least version 1.2.30)
> SSL v3.0
> Cygnus Kerbnet (NT, MAC, Unix)
> samba doesn't (related to MS extensions)
How to Kerberize an application
> All applications can be adapted
> Use of the GSS API
> Transport the ticket within an application
NAT issues
> Host address is included in the tickets
> Need to add the NATed IP address in the ticket
> Patch for MIT Kerberos 5.1
Attacks against Kerberos (1)
> Vulnerability in Kerberos password authentication via KDC AS spoofing: keytab file and register principals for the service (http://www.monkey.org/~dugsong/kdcspoof.tar.gz)
> Replay attacks: detected (C+S are time synchronized)
> Exposed keys: keys have a limited lifetime but are multi-session keys
> Temporary file vulnerability: run krb5-1.2.1+
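Exchanges (1) to (5) from the Protocol (3) and (4) slides, together with the time-based replay detection mentioned above, as one added, runnable model. This is example code written for these notes, not MIT or Cisco code: the realm COLT.CH is taken from the slides, the service names, the 10-hour ticket lifetime and the 300-second clock skew are assumptions, and a SHA-256/HMAC construction stands in for DES.

```python
import hmac, hashlib, json, os, time

REALM, CLOCK_SKEW = "COLT.CH", 300  # skew in seconds: replay detection needs synchronised clocks
KRBTGT = f"krbtgt/{REALM}@{REALM}"
# Toy authenticated encryption (SHA-256 keystream + HMAC tag) standing in for Kerberos' DES.
# Constructed for this example only; it is not a real cipher.
def _ks(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest() for i in range(n // 32 + 1))

def seal(key, obj):
    nonce, data = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(data, _ks(key, nonce, len(data))))
    return (nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()).hex()

def unseal(key, blob):  # raises if the key is wrong (e.g. bad password) or the blob was altered
    raw = bytes.fromhex(blob); nonce, ct, tag = raw[:16], raw[16:-32], raw[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _ks(key, nonce, len(ct)))))

def password_key(password):  # string-to-key: the user's "password hash" that opens the TGT reply
    return hashlib.sha256(password.encode()).digest()

class KDC:  # AS + TGS in one: holds the long-term key of every principal
    def __init__(self, principals): self.db = {**principals, KRBTGT: os.urandom(32)}
    def as_exchange(self, client):  # (1) TGT request -> (2) TGT + session key, sealed under the user's key
        sk, end = os.urandom(32).hex(), time.time() + 36000
        return seal(self.db[client], {"sk": sk, "tgt": seal(self.db[KRBTGT], {"client": client, "sk": sk, "end": end})})
    def tgs_exchange(self, tgt, authenticator, service):  # (3) ST request with TGT -> (4) ST + session key
        t = unseal(self.db[KRBTGT], tgt); auth = unseal(bytes.fromhex(t["sk"]), authenticator)
        if auth["client"] != t["client"] or time.time() > t["end"]: raise ValueError("bad or expired TGT")
        ssk, end = os.urandom(32).hex(), time.time() + 36000
        st = seal(self.db[service], {"client": t["client"], "sk": ssk, "end": end})
        return seal(bytes.fromhex(t["sk"]), {"sk": ssk, "st": st})

class Service:  # (5) the kerberized server checks ST + authenticator and remembers what it has seen
    def __init__(self, key): self.key, self.seen = key, set()
    def ap_exchange(self, st, authenticator):
        t = unseal(self.key, st); auth = unseal(bytes.fromhex(t["sk"]), authenticator)
        if time.time() > t["end"] or abs(time.time() - auth["ts"]) > CLOCK_SKEW:
            raise ValueError("ticket expired or clock skew too large")
        if (auth["client"], auth["ts"]) in self.seen: raise ValueError("replay detected")
        self.seen.add((auth["client"], auth["ts"]))
        return t["client"]  # authenticated principal; authorization is not Kerberos' job

def client_login(kdc, user, password, service):  # client side of (1)-(5); returns what it sends in (5)
    rep = unseal(password_key(password), kdc.as_exchange(user))  # the password never goes on the wire
    sk = bytes.fromhex(rep["sk"])
    tgs = unseal(sk, kdc.tgs_exchange(rep["tgt"], seal(sk, {"client": user, "ts": time.time()}), service))
    return tgs["st"], seal(bytes.fromhex(tgs["sk"]), {"client": user, "ts": time.time()})
```

Presenting the same ST and authenticator a second time is refused as a replay, and a wrong password fails at step (2) because the reply cannot be unsealed, which is why the KDC never has to see the password itself.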
Attacks against Kerberos (2)
> Password guessing: use a good passphrase
> Trojaned clients: OTP
> Implicit trust between realms
> Ticket forwarding
> Others: KDC, shared workstations, ...
*NIX clients
> RedHat (6.2 and 7) provides Kerberos V support
  > Install patch RHSA-2001:025-14
> Solaris/OpenBSD only provide Kerberos IV
Kerberos V on *NIX clients (1)
> Authentication managed by the Kerberos API
> Authorizations defined in user files:
  ~/.k5login - defines the principal(s) who can log in to that account
  ~/.k5users - defines commands that can be launched via ksu (sudo like)
> PAM alternatives
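An added example (not MIT code) of the authorization decision these two files drive: given the contents of a target account's ~/.k5login and ~/.k5users, may a principal become that account and run a given command through ksu? The file semantics in the comments follow the MIT ksu conventions as assumed here, the sample files are constructed, and the /bin/sh default shell is an assumption.

```python
# Assumed file semantics, after the MIT ksu/.k5login conventions (not spelled out on the slide):
#   ~/.k5login : one principal per line; a listed principal may log in and run any command
#   ~/.k5users : "principal [command ...]" per line; "*" allows any command, an empty
#                command list allows only the default shell; "#" starts a comment
DEFAULT_SHELL = "/bin/sh"

def parse_lines(text):
    """Yield the whitespace-split fields of each non-empty, non-comment line."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line.split()

def k5login_allows(k5login, principal):
    return any(fields[0] == principal for fields in parse_lines(k5login))

def k5users_allows(k5users, principal, command):
    for fields in parse_lines(k5users):
        if fields[0] != principal:
            continue
        allowed = fields[1:] or [DEFAULT_SHELL]
        if "*" in allowed or command in allowed:
            return True
    return False

def ksu_allows(k5login, k5users, principal, command=DEFAULT_SHELL):
    """Decision for 'ksu <account> -e <command>' attempted by the given principal."""
    return k5login_allows(k5login, principal) or k5users_allows(k5users, principal, command)

# Constructed sample files for the "staff" account on a COLT.CH host
K5LOGIN = "nico/staff@COLT.CH\n"
K5USERS = """kaneda/staff@COLT.CH  *                             # any command via ksu
ops/support@COLT.CH   /sbin/reboot /usr/bin/tail    # only these two
guest@COLT.CH                                       # default shell only
"""
```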
Kerberos V on *NIX clients (2)
> Kerberized Telnet: available
> Kerberized SSH:
  > SSH.Com's SSH 1.2.x and 2.x support Kerberos V
  > OpenSSH (as of 2.5.1) doesn't yet support Kerberos V: http://www.sxw.org.uk/computing/patches/
Kerberos V on Cisco equipment (1)
> Cisco Routers
  > Kerberized Telnet
  > Password authentication using Kerberos (telnet, SSH and console)
  > Can map instance to Cisco privilege (locally defined)
> Cisco Switches
  > Telnet only (SSH available as of 6.1 but w/o Kerberos support)
Kerberos V on Cisco equipment (2)
> IOS & memory issues on routers:
  > Feature name: Kerberos V client support
  > Needed Feature set: at least Enterprise
  > Not supported on all hardware, for example:
    - Cisco 16xx router
    - Cisco GSR (12xxx - Gigabit Switch Router)
  > Memory requirements:
    Hardware  IOS   RAM / Flash (MB)
    26xx      12.0  32 / 8
              12.1  48 / 16
    72xx      12.0  64 / 16
              12.1  64 / 16
Hint: always check with the Cisco IOS Feature Navigator
Kerberos V on Cisco equipment (3)
> Router Configuration:

  aaa authentication login default krb5-telnet local
  aaa authorization exec default krb5-instance
  kerberos local-realm COLT.CH
  kerberos srvtab entry host/[email protected] ...
  kerberos server COLT.CH 192.168.0.14
  kerberos instance map engineering 15
  kerberos instance map support 3
  kerberos credentials forward
  line vty 0 4
  ntp server 192.168.0.126
Kerberos V on Cisco equipment (4)
> CatOS & memory issues on switches:
  > At least Supervisor Engine Software Release 5.x
  > Only supported on Catalyst 4000, 5000 and 6000/6500
  > Only supported on SE I (not SE II) on Cat6K
  > Memory requirements:
    Hardware  CatOS  Memory (MB)
    4000      5.2+   64
              6.1    64
    6000      5.4+   64
              6.1    64 (SE1)
Hint: always check the Release Notes
Kerberos V on Cisco equipment (5)
> Switch Configuration:

  #kerberos
  set kerberos local-realm COLT.CH
  set kerberos clients mandatory
  set kerberos credentials forward
  set kerberos server COLT.CH 192.168.0.82 88
  set kerberos srvtab entry host/[email protected] ...
  #authentication
  set authentication login kerberos enable telnet primary
  set authentication enable kerberos enable telnet primary
  #ntp
  set ntp client enable
  set ntp server 192.168.0.11
Kerberos V on Win2K stations (1)
> Provides Kerberos authentication for interactive logons
> The protocol is a Security Provider under the SSPI (Security Support Provider Interface) and is linked to the LSA (Local Security Authority)
> Ticket cache is provided by the LSA
> Telnetd supports Kerberos
Kerberos V on Win2K stations (2)
> Support Tools
> Win2K station configuration:

  ksetup /setdomain COLT.CH
  ksetup /addkdc COLT.CH kdc.colt.ch
  ksetup /setmachpassword password
  ksetup /mapuser [email protected] localuser
  ksetup /mapuser * *

> Windows Time Server (+ registry)
> No kerberized SSH, only a few (broken) telnet clients
That's all folks :-)
> Latest version, goodies and additional information: http://www.securite.org/presentations/krb5/
> Q&A

Picture: http://www.inforamp.net/~dredge/funkycomputercrowd.html