Softpanorama
May the source be with you, but remember the KISS principle ;-)
Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications by using secret-key cryptography. A free implementation of this protocol is available from the Massachusetts Institute of Technology. Kerberos is available in many commercial products as well.
The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. After a client and server have used Kerberos to prove their identities, they can also encrypt all of their communications to assure privacy and data integrity as they go about their business.
Kerberos is freely available from MIT under copyright permissions very similar to those used for the BSD operating system and the X Window System.
Kerberos is very popular in the US military, and large US universities (the University of Michigan is one) solve the central authentication problem with Kerberos combined with LDAP, or with NIS integrated with Kerberos. Microsoft has its own implementation of Kerberos (starting with Windows 2000) that has Microsoft-only extensions but still interoperates with Unix at the level of the base protocol. NIS is a standard part of Unix, so it is available on all three major commercial Unixes and on Linux. Kerberos v5 is also available for all three Unixes free of charge.
This tandem provides both secure central authentication and local changing of passwords (from any server the user has an account on), as well as central user management, in a very secure and reliable way with minimal overhead for the base OS.
I think that this solution should be considered, as it is highly reliable, multiplatform (Windows can use Kerberos as well), and can inflict minimal damage because we essentially use parts of the OS that were simply not activated before.
Installation needs two servers (a master and a backup), similar to SecurID. Actually the servers can be shared with the SecurID servers; in that case additional "parasitic" servers are not needed.
[12 Sep 2002] krb5-1.2.6 Released: the krb5-1.2.6 source release is now available.
Open Directory - Computers: Security: Authentication: Kerberos
Hitmill.com - Kerberos Tutorial (contains large number of links)
Kerberos (http://gost.isi.edu/info/kerberos/)
- What is Kerberos?
- Security Advisories -- exploitable buffer overruns exist in krb4 code
- Kerberos Releases
- Documentation for the most recent release
- Papers about the Kerberos protocol
- The MIT Kerberos Team
- Commercial Support and Products
- Other Resources
RFC 1510: The Kerberos Network Authentication Service (V5)
This document gives an overview and specification of Version 5 of the protocol for the Kerberos network authentication system. Version 4, described elsewhere [1,2], is presently in production use at MIT's Project Athena, and at other Internet sites.
RFC 1964: The Kerberos Version 5 GSS-API Mechanism
Frequently Asked Questions about Kerberos
Kerberos Users' Frequently Asked Questions 1.14
Kerberos: An Authentication Service for Computer Networks, by B. Clifford Neuman and Theodore Ts'o
When using authentication based on cryptography, an attacker listening to the network gains no information that would enable it to falsely claim another's identity. Kerberos is the most commonly used example of this type of authentication technology.
Modern computer systems provide service to multiple users and require the ability to accurately identify the user making a request. In traditional systems, the user's identity is verified by checking a password typed during login; the system records the identity and uses it to determine what operations may be performed. The process of verifying the user's identity is called authentication. Password based authentication is not suitable for use on computer networks. Passwords sent across the network can be intercepted and subsequently used by eavesdroppers to impersonate the user. While this vulnerability has been long known, it was recently demonstrated on a major scale with the discovery of planted password collecting programs at critical points on the Internet [4].
rs-94-412: The Evolution of the Kerberos Authentication System
Kerberos-DCE, the Secure Shell, and Practical Internet Security
The Novice's Guide to Kerberos 5
Developer's Introduction to Kerberos 5
RFC 1510 - Kerberos Network Authentication System
Kerberos Papers and Documentation
Kerberos installation help: How to Kerberize your site
There's a lot of talk on the Internet about security and the lack of it on UNIX systems. This is, in part, a by-product of the world of the net in which we choose to do business. We can do some things to help counteract the possibility of attack on our systems.
One way to help is with Kerberos. Kerberos is an authentication and encryption scheme that allows a user to become "known" by an authenticating server and then use that authentication to access systems and services on the net. The services can then transpire in an encrypted fashion to further secure transactions occurring over the net. The philosophy behind the creation of Kerberos, and a short summary of how it works is available, but here we assume that you know what Kerberos is, and wish to implement a Kerberos domain on your network. But, we also assume that you are not a hot-shot UNIX programmer, so we intend to lead you by the hand in a step-by-step fashion through the entire process. In other words, this is our version of "Kerberos for Dummies."
Several commercial integrators provide enterprise Kerberos solutions as well as technical support and maintenance. In particular, perhaps the easiest way to install Kerberos V5 is to use Kerbnet from Cygnus solutions. Kerbnet is free and has clients for Win32 machines, Macintoshes and Unix hosts, and has KDC software for Unix and NT as well as host servers for Unix platforms.
Check out the MIT Kerberos Web Site for the latest Kerberos release news. Another good source of information is the Kerberos FAQ compiled by Ken Hornstein.
Windows 2000 Security Kerberos Authentication -- very good compilation of resources
Windows 2000 Kerberos Authentication
Step-by-Step Guide to Kerberos 5 (krb5 1.0) Interoperability
Solaris: Kerberos has been usable at least since Solaris 2.6; see the Solaris Advanced System Administrator's Guide, Second Edition, section "Using Authentication Services". Solaris 10 provides several new features and improvements over previous releases in the Kerberos area, and enabling Kerberos authentication for clients is an installation option in Solaris 10. Here is what Sun tells us about Kerberos in Solaris 10:
Sun Enterprise Authentication Mechanism software (Sun's implementation of Kerberos), LDAP, and interoperability enhancements allow enterprise-wide, secure, standards-based single sign-on to servers and applications. These enhancements reduce costs by centralizing administration of system access across multiple operating systems while increasing security. New to the Solaris 10 OS are Kerberos-enabled remote applications such as rsh, rcp, telnet, and others that were previously only available via download. An example is Kerberos-enabled NFS file sharing, which provides strong authentication, data privacy, and standards-based file sharing.
[PDF] SEAM: Sun Enterprise Authentication Mechanism (Kerberos V5 for Solaris and Solaris NFS). Presentation by Mike Eisler, Sun Microsystems, mre@eng.sun.com.
- The GSS library is /usr/lib/libgss.so instead of libgssapi_krb5.so.
- All other information in the section on Configuring MIT Kerberos applies to the version of Kerberos provided with Sun Solaris.
Links
AIX: IBM has many years of experience with the technology and has integrated it tightly into AIX.
pSeries and AIX Information Center
Kerberos is a network authentication service that provides a means of verifying the identities of principals on physically insecure networks. Kerberos provides mutual authentication, data integrity and privacy under the realistic assumption that network traffic is vulnerable to capture, examination, and substitution.
Kerberos tickets are credentials that verify your identity. There are two types of tickets: a ticket-granting ticket and a service ticket. The ticket-granting ticket is for your initial identity request. When logging into a host system, you need something that verifies your identity, such as a password or a token. After you have the ticket-granting ticket, you can then use your ticket-granting ticket to request service tickets for specific services. This two-ticket method is called the trusted third-party of Kerberos. Your ticket-granting ticket authenticates you to the Kerberos server, and your service ticket is your secure introduction to the service.
The trusted third-party or intermediary in Kerberos is called the Key Distribution Center (KDC). The KDC issues all the Kerberos tickets to the clients.
The Kerberos database keeps a record of every principal; the record contains the name, private key, expiration date of the principal, and some administrative information about each principal. The master KDC contains the master copy of the database and passes it to slave KDCs.
This section contains the following Kerberos information:
- Secure remote commands overview: details about secure remote commands.
- Authenticating to AIX using Kerberos: AIX® provides both KRB5 and KRB5A Kerberos authentication load modules. Even though both modules do Kerberos authentication, the KRB5 load module performs Kerberos principal management, whereas the KRB5A load module does not.
- KRB5A authentication load module questions and troubleshooting information: answers to KRB5A authentication load module questions and troubleshooting information.
- Kerberos module: the Kerberos module is a kernel extension used by the NFS client and server code. It allows the NFS client and server code to process Kerberos message integrity and privacy functions without making calls to the gss daemon.
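The ticket flow described in the IBM text above (ticket-granting ticket from the KDC, then a service ticket, then the introduction to the service), together with the point from the Neuman/Ts'o excerpt that an eavesdropper learns nothing it can reuse, as an added example. This is not MIT, IBM or Sun code: the cipher is a toy stand-in (SHA-256 keystream with an HMAC tag in place of a Kerberos encryption type), messages are JSON dictionaries rather than ASN.1, and the realm EXAMPLE.COM, the principals alice@EXAMPLE.COM and host/fs1.example.com@EXAMPLE.COM, the password, the 8-hour ticket lifetime and the 5-minute clock skew are all assumptions made for the demonstration.

```python
"""Toy walk-through of the Kerberos V5 exchanges: AS (get a TGT), TGS (get a service ticket),
AP (present it to the service).  Added example, not MIT/IBM/Sun code; cipher and message format are stand-ins."""
import hashlib
import hmac
import json
import os

TICKET_LIFE = 8 * 3600   # assumed ticket lifetime, seconds
CLOCK_SKEW = 300         # assumed maximum clock skew, seconds


def string_to_key(password: str, salt: str) -> bytes:
    """Long-term key from a password (stand-in for the Kerberos string2key function)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt.encode(), 20_000, 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range((length + 31) // 32))[:length]


def seal(key: bytes, msg: dict) -> bytes:
    """Toy encrypt-then-MAC standing in for a Kerberos encryption type."""
    pt = json.dumps(msg, sort_keys=True).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> dict:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, "sha256").digest()):
        raise ValueError("integrity check failed: wrong key or tampered message")
    return json.loads(bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct)))))


def authenticator(session: bytes, client: str, now: int) -> bytes:
    """Proves the presenter of a ticket knows the session key sealed inside it."""
    return seal(session, {"client": client, "time": now})


def verify(ticket_key: bytes, ticket: bytes, auth: bytes, now: int, replay_cache: set):
    # Ticket + authenticator checks shared by the TGS and by application servers.
    body = unseal(ticket_key, ticket)
    if body["expires"] < now:
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(body["session"]), auth)
    if a["client"] != body["client"] or abs(a["time"] - now) > CLOCK_SKEW or (a["client"], a["time"]) in replay_cache:
        raise ValueError("authenticator rejected: wrong principal, outside clock skew, or replayed")
    replay_cache.add((a["client"], a["time"]))
    return body, a


class KDC:  # trusted third party; its database holds every principal's secret key
    def __init__(self, realm: str):
        self.realm = realm
        self.tgs = f"krbtgt/{realm}@{realm}"
        self.db = {self.tgs: os.urandom(32)}
        self.replay_cache = set()

    def add_principal(self, name: str, password: str) -> None:
        self.db[name] = string_to_key(password, self.realm + name)  # salt = realm + name, as in RFC 1510

    def as_exchange(self, client: str, now: int):
        """AS_REQ/AS_REP: reply readable only with the client's key, TGT only with the TGS key."""
        session, expires = os.urandom(32), now + TICKET_LIFE
        tgt = seal(self.db[self.tgs], {"client": client, "session": session.hex(), "expires": expires})
        return seal(self.db[client], {"session": session.hex(), "expires": expires}), tgt

    def tgs_exchange(self, tgt: bytes, auth: bytes, service: str, now: int):
        """TGS_REQ/TGS_REP: TGT plus authenticator in, service ticket out."""
        body, _ = verify(self.db[self.tgs], tgt, auth, now, self.replay_cache)
        svc_session = os.urandom(32)
        ticket = seal(self.db[service], {"client": body["client"], "session": svc_session.hex(), "expires": body["expires"]})
        return seal(bytes.fromhex(body["session"]), {"session": svc_session.hex(), "service": service}), ticket


def ap_exchange(service_key: bytes, ticket: bytes, auth: bytes, now: int, replay_cache: set):
    """AP_REQ/AP_REP at the application server: verify, then prove it knows the session key too."""
    body, a = verify(service_key, ticket, auth, now, replay_cache)
    return body["client"], seal(bytes.fromhex(body["session"]), {"time": a["time"]})


def login(password: str, now: int = 1_000_000) -> dict:
    # Whole client flow for the assumed principal alice@EXAMPLE.COM against host/fs1.example.com.
    realm, alice, fs1 = "EXAMPLE.COM", "alice@EXAMPLE.COM", "host/fs1.example.com@EXAMPLE.COM"
    kdc = KDC(realm)
    kdc.add_principal(alice, "correct horse battery")
    kdc.add_principal(fs1, os.urandom(16).hex())
    keytab_key = kdc.db[fs1]                              # the service's own copy of its key (its keytab)
    client_key = string_to_key(password, realm + alice)   # kinit derives this locally; the password never leaves
    as_rep, tgt = kdc.as_exchange(alice, now)
    session = bytes.fromhex(unseal(client_key, as_rep)["session"])   # ValueError here means wrong password
    tgs_rep, ticket = kdc.tgs_exchange(tgt, authenticator(session, alice, now + 1), fs1, now + 1)
    svc_session = bytes.fromhex(unseal(session, tgs_rep)["session"])
    cache, auth = set(), authenticator(svc_session, alice, now + 2)
    who, ap_rep = ap_exchange(keytab_key, ticket, auth, now + 2, cache)
    mutual = unseal(svc_session, ap_rep)["time"] == now + 2          # server proved it holds the service key
    try:
        ap_exchange(keytab_key, ticket, auth, now + 3, cache)        # eavesdropper replays the captured AP_REQ
        replayed = False
    except ValueError:
        replayed = True
    return {"client": who, "mutual": mutual, "replay_rejected": replayed}


def login_succeeds(password: str) -> bool:
    try:
        return login(password)["client"] == "alice@EXAMPLE.COM"
    except ValueError:   # wrong password: the AS_REP cannot be unsealed
        return False
```

Three things to notice when running it: the only secret that ever crosses the "wire" is sealed under a key the eavesdropper does not have, so a captured AS_REP is useless without the password; the service never contacts the KDC, it only needs its own key (the keytab), which is what makes the scheme a trusted third-party one; and a captured AP_REQ replayed a second later is rejected by the replay cache, which is why real servers keep one and why clock synchronisation matters.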
IBM Cluster information center
Configuring the AIX Kerberos Version 5 clients with a Windows 2000 ...
[PDF] Configuring AIX 5L for Kerberos Based Authentication Using Windows ...
This paper describes the use of Kerberos as an alternative authentication mechanism to AIX using Windows 2000/2003 Server Kerberos Service. Authentication applications on AIX do not require any change to alternatively perform Kerberos authentication as it is woven into the fabric of the AIX security subsystem. By utilizing the loadable identification and authentication framework of AIX, the system directs authentication requests to use Kerberos instead of standard UNIX authentication.
PAM Kerberos is one of the authentication modules that PAM can invoke based on the authentication method defined in the /etc/pam.conf PAM configuration file. If the shared, dynamically loadable PAM Kerberos library (for example, /usr/lib/security/libpam_krb5.1) is defined for the PAM authentication module, PAM Kerberos is invoked for user authentication.
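HP's paragraph above says that PAM Kerberos is invoked whenever libpam_krb5 is listed in /etc/pam.conf, but whether a Kerberos failure can actually deny a login depends on the control flag on that line. The following is an added example, not HP's tool: it parses a pam.conf in the Solaris/HP-UX format and classifies each service's auth stack. The control-flag semantics it applies (required/requisite deny on failure, sufficient short-circuits on success and falls through on failure, optional is ignored when other modules decide the stack) are standard PAM behaviour and go beyond what the page itself states; the sample file, the host and the service names are constructed for the demonstration.

```python
"""Audit a Solaris/HP-UX-style /etc/pam.conf for PAM Kerberos coverage.
Added example, not HP's code.  pam.conf lines have the form
    service  module_type  control_flag  module_path  [options]
and the sample below is constructed, not a shipped HP-UX file."""
from collections import defaultdict

MODULE_TYPES = {"auth", "account", "session", "password"}
CONTROL_FLAGS = {"required", "requisite", "sufficient", "optional"}

# Constructed sample: four different ways a service stack can treat libpam_krb5.
SAMPLE_PAM_CONF = """\
# /etc/pam.conf  --  constructed example
login    auth      required    /usr/lib/security/libpam_krb5.1
login    auth      required    /usr/lib/security/libpam_unix.1   try_first_pass
login    account   required    /usr/lib/security/libpam_krb5.1
login    account   required    /usr/lib/security/libpam_unix.1
dtlogin  auth      sufficient  /usr/lib/security/libpam_krb5.1
dtlogin  auth      required    /usr/lib/security/libpam_unix.1   use_first_pass
telnet   auth      optional    /usr/lib/security/libpam_krb5.1
telnet   auth      required    /usr/lib/security/libpam_unix.1
ftp      auth      required    /usr/lib/security/libpam_unix.1
OTHER    auth      required    /usr/lib/security/libpam_unix.1
"""


def parse_pam_conf(text: str) -> dict:
    """Return {(service, module_type): [(control_flag, module_path, options)]} in file order."""
    stacks = defaultdict(list)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) < 4:
            raise ValueError(f"pam.conf line {lineno}: expected service, type, control, module")
        service, mtype, control, module, *options = fields
        if mtype not in MODULE_TYPES:
            raise ValueError(f"pam.conf line {lineno}: unknown module type {mtype!r}")
        if control not in CONTROL_FLAGS:
            raise ValueError(f"pam.conf line {lineno}: unknown control flag {control!r}")
        stacks[(service, mtype)].append((control, module, options))
    return dict(stacks)


def kerberos_auth_status(stacks: dict, service: str) -> str:
    """How the auth stack for `service` treats PAM Kerberos.

    enforced : required/requisite -- a Kerberos failure denies the login
    fallback : sufficient only    -- Kerberos success short-circuits, failure falls through
    advisory : optional only      -- the Kerberos result is ignored when other modules decide
    absent   : no libpam_krb5 module in the stack
    Services without an explicit stack inherit the OTHER stack, as PAM does."""
    key = (service, "auth") if (service, "auth") in stacks else ("OTHER", "auth")
    flags = [control for control, module, _ in stacks.get(key, []) if "libpam_krb5" in module]
    if not flags:
        return "absent"
    if any(flag in ("required", "requisite") for flag in flags):
        return "enforced"
    if "sufficient" in flags:
        return "fallback"
    return "advisory"


def audit(text: str) -> dict:
    """Status for every service that has an auth stack, including the OTHER default."""
    stacks = parse_pam_conf(text)
    services = sorted({svc for svc, mtype in stacks if mtype == "auth"})
    return {svc: kerberos_auth_status(stacks, svc) for svc in services}


if __name__ == "__main__":
    for svc, status in audit(SAMPLE_PAM_CONF).items():
        print(f"{svc:10s} {status}")
```

On the sample, `login` is the only service where Kerberos is actually enforced; `telnet` lists libpam_krb5 but as `optional`, so a wrong Kerberos password changes nothing, and `ftp` and anything falling through to `OTHER` never touch Kerberos at all. Pointing the script at the real file shows the same thing for a production host, which is the check to run after installing the PAM Kerberos bundle from the table below.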
Following are the PAM Kerberos features on HP-UX:
Following are the Kerberos-support features on the HP-UX 11i v1 operating system and the Kerberos-client features on the HP-UX 11.0 operating system:
PAM Kerberos v 1.12 on the HP-UX 11.0 operating system has the following features and security fixes:
PAM Kerberos v 1.24 contains the following changes:
Table 1 lists and describes the PAM Kerberos versions available on different HP-UX operating systems.
Table 1: PAM Kerberos Versions on HP-UX
| Operating System | PAM Kerberos Version Number | PAM Kerberos Bundle Number | Bundle Contents | Kerberos Client Dependency |
|---|---|---|---|---|
| HP-UX 11.0 | PAM Kerberos v 1.12 | B.11.00.16 | PAM Kerberos, KRB5-Client, and Generic Security Services Application Programming Interface (GSSAPI) products | KRB5-Client.KRB5-SHLIB |
| HP-UX 11i v1 | PAM Kerberos v 1.24 | B.11.11.14 | PAM Kerberos and Kerberos Support v1.1 | KRB5-Client.KRB5-SHLIB, KRB5-Client.KRB5-64SLIB |
| HP-UX 11i v2 | PAM Kerberos v 1.24 | C.01.24 | PAM Kerberos | KRB5-Client.KRB5-IA32SLIB, KRB5-Client.KRB5-IA64SLIB, KRB5-Client.KRB5-SHLIB, KRB5-Client.KRB5-64SLIB |
[PDF] hp-ux kerberos server
Using Kerberos with the HP CIFS Client
NCSA HTTPd 1.5 Howto Kerberos Authentication
CERT Advisory CA-2000-11 MIT Kerberos Vulnerable to Denial-of-Service Attacks
Kerberos 5 in Russian
Copyright © 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author's free time. Submit comments. This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License (OPL). Copyright of the original materials belongs to their respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.
Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author's present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.
Created: May 16, 1997; Last modified: June 05, 2008