Differences between revisions 15 and 16
Revision 15 as of 2006-03-31 15:12:24
Size: 8883
Editor: AndreasHaupt
Comment:
Revision 16 as of 2008-10-30 11:40:12
Size: 8956
Editor: localhost
Comment: converted to 1.6 markup
Line 2: Line 2:
[[TableOfContents]] <<TableOfContents>>
Line 10: Line 10:
  * pam_krb5 on [http://sourceforge.net/projects/pam-krb5/ Sourceforge]: the best Kerberos5 pam module I've found so far. Unfortunately it has been unmaintained since 2003. Here are some of its features:   * pam_krb5 on [[http://sourceforge.net/projects/pam-krb5/|Sourceforge]]: the best Kerberos5 pam module I've found so far. Unfortunately it has been unmaintained since 2003. Here are some of its features:
Line 16: Line 16:
  * [ftp://achilles.ctd.anl.gov/pub/DEE/ pam_afs] by Douglas E. Engert: This module is needed to generate AFS tokens out of forwarded Kerberos5 tickets with older openssh servers.   * [[ftp://achilles.ctd.anl.gov/pub/DEE/|pam_afs]] by Douglas E. Engert: This module is needed to generate AFS tokens out of forwarded Kerberos5 tickets with older openssh servers.
Line 30: Line 30:
Defined in [http://www.ietf.org/rfc/rfc4120.txt RFC4120], API defined in [http://www.ietf.org/rfc/rfc4121.txt RFC4121] Defined in [[http://www.ietf.org/rfc/rfc4120.txt|RFC4120]], API defined in [[http://www.ietf.org/rfc/rfc4121.txt|RFC4121]]
Line 35: Line 35:
 * BNL (Oct 04) [http://www.rhic.bnl.gov/hepix/talks/041018pm/fasanelli.pdf E.Fasanelli: INFN K5 project]
 * Edinburgh (May 04) [http://hepwww.rl.ac.uk/hepix/nesc/friebel.ppt W.Friebel: AFS file space administration with ARC version 2]
 * TRIUMF (Oct 03) [http://www.triumf.ca/hepix2003/pres/21-13/efasanelli/ E.Fasanelli: AFS cross cell authentication using Kerberos5]
 * NIKHEF (May 03) [http://www.nikhef.nl/hepix/pres/friebel4.ppt W.Friebel: Kerberos5 at DESY]
 * INFN (Apr 02) [http://www.ts.infn.it/events//hepix2002/talks/efasanelli1.ppt E.Fasanelli: W2K integration in the Kerberos 5 based AFS cell]
 * INFN (Apr 02) [http://www.ts.infn.it/events/hepix2002/talks/lgiacchetti2.ppt L.Giachetti: Who Let The Dog(s) In ?] (update on strong authentication at FNAL)
 * LAL (Apr 01) [http://events.lal.in2p3.fr/conferences/HEPIX/presentations/Thursday/Skow-FNAL-Security D.Skow: Strong Authentication Report at FNAL]
 * LAL (Apr 01) [http://events.lal.in2p3.fr/conferences/HEPIX/presentations/Tuesday/Kaletka-W2000-Kerberos.ppt   M.Kaletka: W2000 Kerberos Experience]
 * BNL (Oct 04) [[http://www.rhic.bnl.gov/hepix/talks/041018pm/fasanelli.pdf|E.Fasanelli: INFN K5 project]]
 * Edinburgh (May 04) [[http://hepwww.rl.ac.uk/hepix/nesc/friebel.ppt|W.Friebel: AFS file space administration with ARC version 2]]
 * TRIUMF (Oct 03) [[http://www.triumf.ca/hepix2003/pres/21-13/efasanelli/|E.Fasanelli: AFS cross cell authentication using Kerberos5]]
 * NIKHEF (May 03) [[http://www.nikhef.nl/hepix/pres/friebel4.ppt|W.Friebel: Kerberos5 at DESY]]
 * INFN (Apr 02) [[http://www.ts.infn.it/events//hepix2002/talks/efasanelli1.ppt|E.Fasanelli: W2K integration in the Kerberos 5 based AFS cell]]
 * INFN (Apr 02) [[http://www.ts.infn.it/events/hepix2002/talks/lgiacchetti2.ppt|L.Giachetti: Who Let The Dog(s) In ?]] (update on strong authentication at FNAL)
 * LAL (Apr 01) [[http://events.lal.in2p3.fr/conferences/HEPIX/presentations/Thursday/Skow-FNAL-Security|D.Skow: Strong Authentication Report at FNAL]]
 * LAL (Apr 01) [[http://events.lal.in2p3.fr/conferences/HEPIX/presentations/Tuesday/Kaletka-W2000-Kerberos.ppt|M.Kaletka: W2000 Kerberos Experience]]
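Review bot: the converted efasanelli1.ppt entry keeps a doubled slash in its URL (`http://www.ts.infn.it/events//hepix2002/...`) while the lgiacchetti2.ppt entry directly below it uses `events/hepix2002/`; since the line is being rewritten for the new link syntax anyway, normalise the path so both INFN links share the same form.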
Line 45: Line 45:
 * (Feb 05) [http://www.fnal.gov/docs/strongauth/ Strong Authentication at Fermilab]  * (Feb 05) [[http://www.fnal.gov/docs/strongauth/|Strong Authentication at Fermilab]]
Line 53: Line 53:
 * Batchsystems: [:SGEwithAFS: SunGridEngine], LSF  * Batchsystems: [[SGEwithAFS| SunGridEngine]], LSF
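Review bot: the converted batch-system link `[[SGEwithAFS| SunGridEngine]]` carries a stray space after the pipe that none of the other converted links on this page have; write it as `[[SGEwithAFS|SunGridEngine]]` so the label is consistent with the rest of the conversion.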
Line 55: Line 55:
 * Libraries: PAM, GSSAPI ([http://www.ietf.org/rfc/rfc1508.txt version 1] and [http://www.ietf.org/rfc/rfc2743.txt version2]), [http://www.ietf.org/rfc/rfc2222.txt SASL], perl Modules(Authen-SASL, Authen-Krb5)  * Libraries: PAM, GSSAPI ([[http://www.ietf.org/rfc/rfc1508.txt|version 1]] and [[http://www.ietf.org/rfc/rfc2743.txt|version2]]), [[http://www.ietf.org/rfc/rfc2222.txt|SASL]], perl Modules(Authen-SASL, Authen-Krb5)
Line 62: Line 62:
 * Migration from a kaserver based AFS cell to a Kerberos5 based cell is facilitated by [ftp://ftp.ifh.de/pub/unix/kerberos/heimdalsync heimdalsync] (DESY)
 * Setup of a Kerberos 5 realm from scratch (Heimdal), fill it with AFS db data: [ftp://ftp.ifh.de/pub/unix/kerberos/krb5setuphd krb5setuphd] (DESY)
 * Patched perl module [ftp://ftp.ifh.de/pub/unix/kerberos/Heimdal-Kadm5-0.2-perl5.8.tar.gz Heimdal::Kadm5] for perl 5.8 (DESY)
 * Enhanced Perl Module for SASL server side support [http://www.wi-bw.tfh-wildau.de/~pboettch/home/index.php?site=asc Authen::SASL::Cyrus] (DESY)
 * Migration from a kaserver based AFS cell to a Kerberos5 based cell is facilitated by [[ftp://ftp.ifh.de/pub/unix/kerberos/heimdalsync|heimdalsync]] (DESY)
 * Setup of a Kerberos 5 realm from scratch (Heimdal), fill it with AFS db data: [[ftp://ftp.ifh.de/pub/unix/kerberos/krb5setuphd|krb5setuphd]] (DESY)
 * Patched perl module [[ftp://ftp.ifh.de/pub/unix/kerberos/Heimdal-Kadm5-0.2-perl5.8.tar.gz|Heimdal::Kadm5]] for perl 5.8 (DESY)
 * Enhanced Perl Module for SASL server side support [[http://www.wi-bw.tfh-wildau.de/~pboettch/home/index.php?site=asc|Authen::SASL::Cyrus]] (DESY)
Line 67: Line 67:
 * Generic Client/Server solution for Kerberos5 authentication [ftp://ftp.ifh.de/pub/unix/gnu/perl/modules/ARCv2-1.05.tar.gz arcx/arcxd] with [ftp://ftp.ifh.de/pub/unix/gnu/perl/modules/ plugins] for batch system support and AFS related services (DESY)  * Generic Client/Server solution for Kerberos5 authentication [[ftp://ftp.ifh.de/pub/unix/gnu/perl/modules/ARCv2-1.05.tar.gz|arcx/arcxd]] with [[ftp://ftp.ifh.de/pub/unix/gnu/perl/modules/|plugins]] for batch system support and AFS related services (DESY)
Line 80: Line 80:
 * Libraries: [http://www.openssl.org/ OpenSSL]
 * Toolkits: [http://www.globus.org/toolkit/ Globus Toolkit]
 * Libraries: [[http://www.openssl.org/|OpenSSL]]
 * Toolkits: [[http://www.globus.org/toolkit/|Globus Toolkit]]
Line 84: Line 84:
 * Triumf (Oct 03) [http://www.triumf.ca/hepix2003/pres/23-06/apace/ A.Pace: An introduction to PKI and a few deployment hints]
 * NIKHEF (May 03) [http://www.nikhef.nl/hepix/pres/groep.ppt D.Groep: Grid security and site authorization in EDG]
 * Triumf (Oct 03) [[http://www.triumf.ca/hepix2003/pres/23-06/apace/|A.Pace: An introduction to PKI and a few deployment hints]]
 * NIKHEF (May 03) [[http://www.nikhef.nl/hepix/pres/groep.ppt|D.Groep: Grid security and site authorization in EDG]]
Line 87: Line 87:
 * A. Pace: 2004 Cern school of computing [http://csc.web.cern.ch/CSC/2004/This_year_school/Programme/Handouts_PDF_Files/grid_intro_pki_updt.pdf An Introduction to Public Key Infrastructure]  * A. Pace: 2004 Cern school of computing [[http://csc.web.cern.ch/CSC/2004/This_year_school/Programme/Handouts_PDF_Files/grid_intro_pki_updt.pdf|An Introduction to Public Key Infrastructure]]
Line 92: Line 92:
 * Roma (Apr 06) [http://hepix.caspur.it/spring2006/agenda.php Jens Jensen: Single sign-on at RAL]
 * Roma (Apr 06) [http://hepix.caspur.it/spring2006/agenda.php Alberto Pace: Integrating Grid Certificates and Kerberos Authentication services]
 * SLAC (Oct 05) [http://www.slac.stanford.edu/conf/hepix05/talks/tuesday/aparicio.ppt R.G.Aparicio: Progress report in CERN Certification authority deployment and Single Sign On with Certificates]
 * SLAC (Oct 05) [http://www.slac.stanford.edu/conf/hepix05/talks/tuesday/gordon.ppt J.Gordon: RAL Progress in Single Sign On]
 * Karlsruhe (May 05) [http://hepix.fzk.de/upload/lectures/2005-04-29%20SSO-Hepix.ppt E.Ormancy, A.Pace: Cross platform single-sign-on using client certificates]
 * Roma (Apr 06) [[http://hepix.caspur.it/spring2006/agenda.php|Jens Jensen: Single sign-on at RAL]]
 * Roma (Apr 06) [[http://hepix.caspur.it/spring2006/agenda.php|Alberto Pace: Integrating Grid Certificates and Kerberos Authentication services]]
 * SLAC (Oct 05) [[http://www.slac.stanford.edu/conf/hepix05/talks/tuesday/aparicio.ppt|R.G.Aparicio: Progress report in CERN Certification authority deployment and Single Sign On with Certificates]]
 * SLAC (Oct 05) [[http://www.slac.stanford.edu/conf/hepix05/talks/tuesday/gordon.ppt|J.Gordon: RAL Progress in Single Sign On]]
 * Karlsruhe (May 05) [[http://hepix.fzk.de/upload/lectures/2005-04-29%20SSO-Hepix.ppt|E.Ormancy, A.Pace: Cross platform single-sign-on using client certificates]]
Line 98: Line 98:
There is also a report on using [http://www.wi-bw.tfh-wildau.de/~pboettch/home/sso/ SSO at the TFH Wildau] (in german) which is using Kerberos on UNIX and a trust relationship with the realm on Windows (tested also at DESY) and a [http://www-zeuthen.desy.de/~ahaupt/downloads/OpenAFS-Heimdal-Integration.pdf diploma thesis] that describes the migration from OpenAFS kaserver authentication to Heimdal Kerberos5 There is also a report on using [[http://www.wi-bw.tfh-wildau.de/~pboettch/home/sso/|SSO at the TFH Wildau]] (in german) which is using Kerberos on UNIX and a trust relationship with the realm on Windows (tested also at DESY) and a [[http://www-zeuthen.desy.de/~ahaupt/downloads/OpenAFS-Heimdal-Integration.pdf|diploma thesis]] that describes the migration from OpenAFS kaserver authentication to Heimdal Kerberos5
Line 102: Line 102:
 * Roma (Apr 06) [http://hepix.caspur.it/spring2006/agenda.php R.Petkus: One-time-password integration at BNL]  * Roma (Apr 06) [[http://hepix.caspur.it/spring2006/agenda.php|R.Petkus: One-time-password integration at BNL]]
Line 104: Line 104:
 * Karlsruhe (May 05) [http://hepix.fzk.de/upload/lectures/DESY-jahnke-zumbusch-HEPiX2005.pdf D.Jahnke: DESY-Registry -- cross-platform user administration]
 * BNL (Oct 04) [http://www.rhic.bnl.gov/hepix/talks/041018pm/corosu.ppt M.Corosu: INFN TRIP Project] (authenticated WLAN access)
 * Karlsruhe (May 05) [[http://hepix.fzk.de/upload/lectures/DESY-jahnke-zumbusch-HEPiX2005.pdf|D.Jahnke: DESY-Registry -- cross-platform user administration]]
 * BNL (Oct 04) [[http://www.rhic.bnl.gov/hepix/talks/041018pm/corosu.ppt|M.Corosu: INFN TRIP Project]] (authenticated WLAN access)

Authentication technologies

Generic authentication frameworks

PAM

PAM (Pluggable Authentication Modules) is a generic authentication infrastructure for the most common Unix-like operating systems (Linux, Solaris, ...). It is used to authenticate accounts locally. A large number of modules exist for various purposes.

  • Kerberos5:
    • pam_krb5 on Sourceforge: the best Kerberos5 pam module I've found so far. Unfortunately it has been unmaintained since 2003. Here are some of its features:

      • full AFS support, including AFS token generation out of forwarded Kerberos5 tickets (forwarded by e.g. openssh)
      • renewal/refreshing of tickets/tokens with pam aware desktop lockers (xscreensaver, kdesktop_lock)
    • RedHat's pam_krb5 includes the following features:

      • rudimentary AFS support (AFS token generation after password authentication); no support for token generation out of forwarded K5 tickets. That's no problem for newer openssh versions, though (token generation is built in).
      • ticket/token refreshing with screensavers should work as well.
    • pam_afs by Douglas E. Engert: This module is needed to generate AFS tokens out of forwarded Kerberos5 tickets with older openssh servers.

SASL

SASL (Simple Authentication and Security Layer) is a generic authentication infrastructure for client/server connections. Many plugins exist for various authentication techniques such as passwords (cleartext, MD5 hash), Kerberos5 (using GSSAPI) and others.

Authentication using symmetric key cryptography

The key for encryption and decryption is the same (or one is easily derived from the other). A trusted third party is needed to establish a trust relation. In High Energy Physics (HEP) Kerberos4 and Kerberos5 are used. Kerberos4 has security flaws and has largely been replaced by Kerberos5.

Kerberos5

Defined in RFC4120, API defined in RFC4121

Currently implemented in three major variants: MIT Kerberos, Heimdal Kerberos and Windows Kerberos.

See also the FNAL solution: Strong Authentication at Fermilab (Feb 05, http://www.fnal.gov/docs/strongauth/).

Software with Kerberos Support

Usually the software mentioned below does not come with Kerberos support enabled by default; configuration or recompilation is required in most cases.

  • Webserver: IIS, Apache (so-called Simple and Protected GSSAPI Negotiation Mechanism (SPNEGO) support)
  • Webclients: Internet Explorer, Mozilla, Firefox
  • Mailserver: Cyrus-IMAP, UW-IMAP
  • Mailclients: pine, Mozilla, Thunderbird
  • Batchsystems: SunGridEngine, LSF
  • Filesystems: AFS, NFSv4
  • Libraries: PAM, GSSAPI (version 1 and version 2), SASL, Perl modules (Authen-SASL, Authen-Krb5)
  • Protocols: LDAP, IMAP, SMTP (via SASL), Socks5
  • Client/Server programs: openssh, telnet, ftp, su, arc, arcx

Other UNIX software is, or could be made, Kerberos5-aware by using SASL or the GSS-API.

Software contributions from the HEP community

  • Migration from a kaserver-based AFS cell to a Kerberos5-based cell is facilitated by heimdalsync (DESY)
  • Setting up a Kerberos 5 realm from scratch (Heimdal) and filling it with AFS database data: krb5setuphd (DESY)
  • Patched Perl module Heimdal::Kadm5 for Perl 5.8 (DESY)
  • Enhanced Perl module for SASL server-side support: Authen::SASL::Cyrus (DESY)
  • Generic client/server solution for AFS authentication: arc/arcd by Rainer Toebbicke (CERN)
  • Generic client/server solution for Kerberos5 authentication: arcx/arcxd with plugins for batch system support and AFS-related services (DESY)

Authentication using public key infrastructure

Public key cryptography is an asymmetric key method. It uses a pair of keys, called the public and the private key. The public key is intended for distribution, while the private key needs to be kept secret. Both keys are connected through a mathematical relation, which is highly asymmetric in terms of the computational effort needed to derive one key from the other.

Knowing the public key, it should be practically impossible to derive the private key.

In order to verify that a public key is associated with its real owner, a Public Key Infrastructure (PKI) is used. In most practical cases within HEP the keys used are so-called X.509 certificates. The verification of these certificates is done through a hierarchy of trusted third parties, called Certification Authorities (CAs).

The various deployed grid solutions (e.g. LCG) all use authentication with certificates.

Software that is using Certificates

  • Libraries: OpenSSL
  • Toolkits: Globus Toolkit

For other talks on this subject see also "Talks at HEPiX meetings related to Single Sign On" below and

  • A. Pace: 2004 CERN School of Computing, An Introduction to Public Key Infrastructure

Single Sign On

There is also a report on using SSO at the TFH Wildau (in German), which uses Kerberos on UNIX and a trust relationship with the realm on Windows (also tested at DESY), and a diploma thesis that describes the migration from OpenAFS kaserver authentication to Heimdal Kerberos5.

Other topics

One time passwords

Synchronisation of passwords across platforms

DVInfo/Authentication_technologies_in_use_at_HEP (last edited 2008-10-30 11:40:12 by localhost)