Kerberos in an ISP environment UNIX/Win2K/Cisco
> Nicolas FISCHBACH [email protected] - http://www.securite.org/nico/
> Sébastien LACOSTE-SERIS [email protected] - http://www.securite.org/kaneda/
version 1.13

Agenda
> Kerberos
  > Introduction: why did we choose Kerberos?
  > Protocol and Exchanges
  > MIT Kerberos and Applications
  > Attacks
> Deployment
  > UNIX
  > Cisco Routers and Switches
  > Win2K
> Q&A
© 2001 Sécurité.Org

What is Kerberos?
> Kerberos is a network authentication protocol/system
> Uses time synchronization to:
  > limit the use of the keys
  > help in detecting replay attacks
> Mutual authentication
> Uses DES and shared keys
> Trusted third party

What is Kerberos not?
> Kerberos does not provide authorization, only authentication
> Kerberos does not provide data encryption

Why use Kerberos?
> Secure authentication (cryptography)
> No password transmission
> Single Sign On
  > SSO is bad for security (Bruce Schneier)
> Centralized authentication management
> IETF Standard (RFC 1510)

Kerberos vocabulary (1)
> KDC: Key Distribution Center. Holds a database of clients and servers (called principals) and their private keys
> principal: three-tuple <primary name, instance, realm>
  > user: login/staff@REALM
  > service: service/host.fqdn@REALM
  > primary: username or service name
  > instance: "qualifies" the primary (role)
  > realm: authentication domain

Kerberos vocabulary (2)
> keytab: file containing one or more keys (for hosts or services). Also known as SRVTAB.
> client: an entity that can obtain a ticket (user or host)
> service: host, ftp, krbtgt, pop, etc.
> ticket: credentials (identity of a client for a particular service)
> TGT: ticket issued by the AS. Allows the client to obtain additional tickets for the same realm.
Key Distribution Center
> Responsible for maintaining master keys for all principals and issuing Kerberos tickets
> Authentication Service (AS) gives the client a session key and a Ticket Granting Ticket (TGT)
> Distributes service session keys and tickets for the service via a Ticket Granting Service (TGS)

Kerberos Protocol (1)
> Kerberos Ticket [diagram: ticket layout - Domain, Principal Name, then Ticket Flags, Encryption Key, Domain, Principal Name, Start Time, End Time, Host Address, Authorization Data; the fields after the server's Domain/Principal Name form the encrypted part]

Kerberos Protocol (2)
> Kerberos Ticket Exchanges [diagram: User, Network Service and the Key Distribution Center with its Authentication Service and Ticket Granting Service]
> Ports:
  > kinit: 88/udp
  > kpasswd (Unix): 749/tcp
  > kpasswd (Win): 464/{tcp,udp}

Kerberos Protocol (3)
> Getting a Ticket Granting Ticket (1+2)
  > (1) TGT Request (Client -> KDC)
  > (2) TGT (KDC -> Client), to be decrypted with the user's password hash

Kerberos Protocol (4)
> Getting and using a Service Ticket (3+4+5)
  > (3) ST Request, with a TGT (Client -> KDC)
  > (4) ST and session key (KDC -> Client)
  > (5) ST for authentication (Client -> Server)

Kerberos Protocol (5)
> Kerberos delegation [diagram: the Client hands its TGT together with the ST to the first Server; that Server sends an ST Request to the KDC, receives the ST and SK, and presents the ST to the second Server]

Realms
> A Realm is an authentication domain
  > one Kerberos database and a set of KDCs
> Hierarchical organization (new in v5)
> One or two way authentication
> Cross-realm authentication
  > transitive cross-realm
  > direct between realms

Kerberos Protocol (6)
> Authentication across domains [diagram: the Client sends a TGT Request to its own KDC and gets a TGT; it then sends an ST Request and receives ST and SK from each of the two KDCs in turn, and finally presents the ST to the Server]

MIT distribution
> Version used: 5.1
> Provides client and server
> Supported platforms: UNIXes (xBSD, Linux, Solaris, AIX, HP-UX, OSF/1, ...), MacOS 10
> DNS can be used for lookups

Kerberized applications
> telnet (with DES encryption) and r-commands
> CVS and ksu, klogin, k*
> SSH 1.2 supports Kerberos V (run at least version 1.2.30)
> SSL v3.0
> Cygnus Kerbnet (NT, MAC, Unix)
> samba doesn't (related to MS extensions)

How to Kerberize an application
> All applications can be adapted
> Use of the GSS API
> Transport the ticket within an application

NAT issues
> Host address is included in the tickets
> Need to add the NATed IP address in the ticket
> Patch for MIT Kerberos 5.1

Attacks against Kerberos (1)
> Vulnerability in Kerberos password authentication via KDC AS spoofing (countermeasure: a keytab file and registered principals for the service) (http://www.monkey.org/~dugsong/kdcspoof.tar.gz)
> Replay attacks: detected (C+S are time synchronized)
> Exposed keys: keys have a limited lifetime but are multi-session keys
> Temporary file vulnerability: run krb5-1.2.1+

Attacks against Kerberos (2)
> Password guessing: use a good passphrase
> Trojaned clients: OTP
> Implicit trust between realms
> Ticket forwarding
> Others: KDC, shared workstations, ...
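The ticket exchanges of steps (1) to (5) above, together with the ticket-lifetime, clock-skew and replay checks that the attacks slides rely on, as an added Python simulation that is not part of the original presentation. The KDC, the network service, the principal names (alice, krbtgt/COLT.CH, host/rtr1.colt.ch) and the 300-second skew tolerance are constructed for this example, and a SHA-256 keystream with an HMAC tag stands in for DES; it is a toy, not a real cipher.

```python
import hashlib, hmac, json, os, time
SKEW = 300  # accepted clock skew in seconds (assumed; mirrors the usual 5-minute default)
def _ks(key, n):  # SHA-256 counter keystream: toy stand-in for DES, NOT a real cipher
    return b"".join(hashlib.sha256(key + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]
def seal(key, obj):  # encrypt-then-MAC a JSON object under a shared key
    d, iv = json.dumps(obj).encode(), os.urandom(8)
    ct = iv + bytes(a ^ b for a, b in zip(d, _ks(key + iv, len(d))))
    return ct + hmac.new(key, ct, "sha256").digest()
def unseal(key, blob):  # raises ValueError on wrong key or tampering
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, ct, "sha256").digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct[8:], _ks(key + ct[:8], len(ct) - 8))))
def key_of(secret): return hashlib.sha256(secret.encode()).digest()  # password hash / keytab entry

class KDC:  # trusted third party: holds every principal's key, runs the AS and the TGS
    def __init__(self, realm, db):  # db: principal -> secret (constructed sample data)
        self.realm, self.db = realm, {p: key_of(s) for p, s in db.items()}
    def _ticket(self, key, client, sk, end):
        return seal(key, {"client": client, "sk": sk, "start": time.time(), "end": end})
    def as_exchange(self, user):  # (1)+(2): TGT, plus the session key sealed under the user key
        sk = os.urandom(16).hex()
        tgt = self._ticket(self.db["krbtgt/" + self.realm], user, sk, time.time() + 36000)
        return tgt, seal(self.db[user], {"sk": sk})
    def tgs_exchange(self, tgt, authenticator, service):  # (3)+(4): service ticket (ST)
        t = unseal(self.db["krbtgt/" + self.realm], tgt)
        a = unseal(bytes.fromhex(t["sk"]), authenticator)
        if a["client"] != t["client"] or abs(a["time"] - time.time()) > SKEW:
            raise ValueError("authenticator rejected")
        sk = os.urandom(16).hex()
        st = self._ticket(self.db[service], t["client"], sk, t["end"])
        return st, seal(bytes.fromhex(t["sk"]), {"sk": sk})

class Service:  # network service: needs only its own keytab key and a replay cache
    def __init__(self, keytab_secret): self.key, self.seen = key_of(keytab_secret), set()
    def ap_exchange(self, st, authenticator):  # (5): authenticate the client
        t = unseal(self.key, st); a = unseal(bytes.fromhex(t["sk"]), authenticator)
        now = time.time()
        if not t["start"] <= now <= t["end"]: raise ValueError("ticket expired")
        if abs(a["time"] - now) > SKEW: raise ValueError("clock skew too large")
        if a["client"] != t["client"]: raise ValueError("authenticator does not match ticket")
        if (t["client"], a["time"]) in self.seen: raise ValueError("replay detected")
        self.seen.add((t["client"], a["time"])); return t["client"]

def client_login(kdc, user, password, service, svc):  # client side of steps (1) to (5)
    tgt, enc = kdc.as_exchange(user)
    sk = bytes.fromhex(unseal(key_of(password), enc)["sk"])  # wrong password -> ValueError
    st, enc2 = kdc.tgs_exchange(tgt, seal(sk, {"client": user, "time": time.time()}), service)
    auth = seal(bytes.fromhex(unseal(sk, enc2)["sk"]), {"client": user, "time": time.time()})
    return svc.ap_exchange(st, auth), (st, auth)
```

Presenting the same ST and authenticator a second time is refused by the service's replay cache, which is the detection the slides attribute to synchronized clocks.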
*NIX clients
> RedHat (6.2 and 7) provides Kerberos V support
  > Install patch RHSA-2001:025-14
> Solaris/OpenBSD only provide Kerberos IV

Kerberos V on *NIX clients (1)
> Authentication managed by the Kerberos API
> Authorizations defined in user files:
  > ~/.k5login - defines the principal(s) who can log in to that account
  > ~/.k5users - defines commands that can be launched via ksu (sudo-like)
> PAM alternatives

Kerberos V on *NIX clients (2)
> Kerberized Telnet: available
> Kerberized SSH:
  > SSH.Com's SSH 1.2.x and 2.x support Kerberos V
  > OpenSSH (as of 2.5.1) doesn't yet support Kerberos V: http://www.sxw.org.uk/computing/patches/

Kerberos V on Cisco equipment (1)
> Cisco Routers
  > Kerberized Telnet
  > Password authentication using Kerberos (telnet, SSH and console)
  > Can map instance to Cisco privilege (locally defined)
> Cisco Switches
  > Telnet only (SSH available as of 6.1 but w/o Kerberos support)

Kerberos V on Cisco equipment (2)
> IOS & memory issues on routers:
  > Feature name: Kerberos V client support
  > Needed Feature set: at least Enterprise
  > Not supported on all hardware, for example:
    - Cisco 16xx router
    - Cisco GSR (12xxx - Gigabit Switch Router)
  > Memory requirements (RAM / Flash, in MB):
    Hardware  IOS   RAM / Flash
    26xx      12.0  32 / 8
    26xx      12.1  48 / 16
    72xx      12.0  64 / 16
    72xx      12.1  64 / 16
> Hint: always check with the Cisco IOS Feature Navigator

Kerberos V on Cisco equipment (3)
> Router Configuration:
    aaa authentication login default krb5-telnet local
    aaa authorization exec default krb5-instance
    kerberos local-realm COLT.CH
    kerberos srvtab entry host/[email protected] ...
    kerberos server COLT.CH 192.168.0.14
    kerberos instance map engineering 15
    kerberos instance map support 3
    kerberos credentials forward
    line vty 0 4
    ntp server 192.168.0.126

Kerberos V on Cisco equipment (4)
> CatOS & memory issues on switches:
  > At least Supervisor Engine Software Release 5.x
  > Only supported on Catalyst 4000, 5000 and 6000/6500
  > Only supported on SE I (not SE II) on Cat6K
  > Memory requirements (in MB):
    Hardware  CatOS  Memory
    4000      5.2+   64
    4000      6.1    64
    6000      5.4+   64
    6000      6.1    64 (SE I)
> Hint: always check the Release Notes

Kerberos V on Cisco equipment (5)
> Switch Configuration:
    #kerberos
    set kerberos local-realm COLT.CH
    set kerberos clients mandatory
    set kerberos credentials forward
    set kerberos server COLT.CH 192.168.0.82 88
    set kerberos srvtab entry host/[email protected] ...
    #authentication
    set authentication login kerberos enable telnet primary
    set authentication enable kerberos enable telnet primary
    #ntp
    set ntp client enable
    set ntp server 192.168.0.11

Kerberos V on Win2K stations (1)
> Provides Kerberos authentication for interactive logons
> The protocol is a Security Provider under the SSPI (Security Support Provider Interface) and is linked to the LSA (Local Security Authority)
> Ticket cache is provided by the LSA
> Telnetd supports Kerberos

Kerberos V on Win2K stations (2)
> Support Tools
> Win2K station configuration:
    ksetup /setdomain COLT.CH
    ksetup /addkdc COLT.CH kdc.colt.ch
    ksetup /setmachpassword password
    ksetup /mapuser [email protected] localuser
    ksetup /mapuser * *
> Windows Time Server (+ registry)
> No kerberized SSH, only a few (broken) telnet clients

That's all folks :-)
> Latest version, goodies and additional information: http://www.securite.org/presentations/krb5/
> Q&A
> Picture: http://www.inforamp.net/~dredge/funkycomputercrowd.html