[38427] in Kerberos
Re: Kerberos n00b question.
daemon@ATHENA.MIT.EDU (Grant Taylor)
Mon Jan 7 20:03:50 2019
To: kerberos@mit.edu
From: Grant Taylor <gtaylor@tnetconsulting.net>
Message-ID: <eb5f2ecd-67f9-b04b-9b2d-2cf91c302aa6@spamtrap.tnetconsulting.net>
Date: Mon, 7 Jan 2019 18:03:34 -0700
In-Reply-To: <jlgk1jge0kf.fsf@redhat.com>
On 01/07/2019 12:21 PM, Robbie Harwood wrote:
> Always. But like any security system, you have to set it up right.
Yep.
I'm trying to gain a working foundation of Kerberos to try to avoid doing blatantly bad things. I'm also looking to find more information and learn.
> No, communication isn't in the clear. It may provide some intuition of what Kerberos communicates (though is no longer entirely technically accurate) to look at https://web.mit.edu/Kerberos/www/dialogue.html
Interesting read.
I watched a few videos about Kerberos over the holidays.
1) Link - Basic Kerberos Authentication
- https://www.youtube.com/watch?v=u7MQoSN19O4
2) Link - Kerberos Delegation and Protocol Transition
- https://www.youtube.com/watch?v=UGWP4ewxcTA
3) Link - Kerberos Authentication on BIG-IP APM
- https://www.youtube.com/watch?v=NDFJ7m8iaPA
4) Link - 6.858 Fall 2014 Lecture 13: Kerberos
- https://www.youtube.com/watch?v=bcWxLl8x33c
#4 is an 80 minute lecture from MIT. I found it and #1 to be quite informative about where packets flow between.
> The biggest concern in a new Kerberos deployment is secrets being based on passwords. To varying degrees, this reduces the strength of the system as a whole to the strength of the passwords.
Yep.
I suspect the -randkey option when adding a principal is significantly better than a password.
I wonder if there is any possibility of users using a random key that is password protected. Thus using the password unlocking the random key that is used to secure communications. - I suspect that would make keys used for users as secure as -randkey for services, at least as far as brute forcing things. Of course you would need to protect the encrypted key. But that's a different issue.
> In the system proposed in the dialogue above, for instance, it's possible to observe an exchange and mount an offline dictionary attack against it. More information on mitigating that (which isn't too hard) can be found here: https://web.mit.edu/kerberos/krb5-devel/doc/admin/dictionary.html#dictionary
That's an interesting read.
I wonder if I should recreate my user principals (the few that exist in my test REALM) using "+requires_preauth -allow_svr".
I'll do some more reading on the other defenses / mitigations listed. You might have seen the exchange with Russ A. about FAST.
More reading. More to learn.
> See above.
Sorry, I can't translate that to what your opinion is about using Kerberos between a LAN client (with a local KDC) and a web server across the Internet. (Thus the client <-> KDC interaction is on the LAN.)
I'll need to re-read the dialogue to track what communication is happening between what entities.
I'm trying to build a mental model / working understanding of what communication between KDC <-> client <-> server is sensitive and what is okay to send across the Internet. I /think/ that client <-> server is okay as part of SSH. - I'm trying to understand if the client <-> server is okay on its own, or if it's also relying on security offered by SSH. Mainly so that I can judge how safe it is to use for other protocols between the client and server (with or without other encryption).
I think the biggest issue is that I need to get the keytab to the server in a secure manner. I would expect that something like scp / sftp would suffice.
> It's worth mentioning that there are turnkey solutions for configuring entire identity management systems (i.e., including Kerberos) now. For instance, we develop FreeIPA ( https://www.freeipa.org/ ), which will mitigate these threats by default.
I was vaguely aware of FreeIPA. (I think) I now know more about FreeIPA. FreeIPA seems to be a purpose built Linux distribution that incorporates the technologies listed under the Main features section of the link you provided.
I feel like FreeIPA is analogous to a Lego set that produces one particular structure using the aforementioned technologies as some of the Lego bricks. - I personally want to learn how to use the Lego bricks within my existing structures. I've already got LDAP, Kerberos, NTP, DNS, and SSSD working (to my satisfaction). So I'm reluctant to throw those integrated things out and introduce a new turnkey appliance, namely a FreeIPA (V)M.
I do want to do some more looking at the Dogtag certificate system to see how it is used and how it integrates with Kerberos.
Thank you for the detailed reply Robbie.
-- 
Grant. . . .
unix || die
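The offline dictionary attack Robbie describes, and what "+requires_preauth" and "-randkey" change about it, as an added toy model of the AS exchange. This is not code from this thread or from MIT krb5: the realm EXAMPLE.TEST, the principals, the wordlist and the KDC class are constructed for the illustration, and the "cipher" is a SHA-256/HMAC stand-in rather than a real Kerberos enctype. Only the string-to-key step (PBKDF2-HMAC-SHA1, salt = realm + principal, 4096 iterations) follows the shape of the real RFC 3962 derivation.

```python
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional

ITERATIONS = 4096  # RFC 3962 default iteration count for aes*-cts-hmac-sha1-96


def string_to_key(password: str, realm: str, principal: str) -> bytes:
    """Password-derived key. Salt = realm + principal (krb5's default salt),
    so one password yields a different key for every principal."""
    salt = (realm + principal).encode()
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, ITERATIONS, dklen=16)


def random_key() -> bytes:
    """What 'kadmin addprinc -randkey' gives a service: 128 fresh random bits,
    nothing a wordlist can guess."""
    return secrets.token_bytes(16)


def _stream(key: bytes, nonce: bytes, length: int) -> bytes:
    return b"".join(hashlib.sha256(key + nonce + struct.pack(">I", i)).digest()
                    for i in range(length // 32 + 1))


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Stand-in for the Kerberos enctype (NOT AES-CTS): counter-mode keystream
    plus an HMAC tag. The tag is what lets an attacker test a guessed key."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, "sha256").digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Plaintext, or None when the tag does not verify under 'key'."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, "sha256").digest(), tag):
        return None
    return bytes(c ^ s for c, s in zip(ct, _stream(key, nonce, len(ct))))


def pa_enc_timestamp(key: bytes) -> bytes:
    """PA-ENC-TIMESTAMP: the client proves it holds the key before the KDC replies."""
    return seal(key, struct.pack(">Q", int(time.time())))


class KDC:
    """Minimal AS exchange. db maps principal -> (long-term key, requires_preauth)."""

    def __init__(self, realm: str):
        self.realm, self.db = realm, {}

    def add_principal(self, name: str, key: bytes, requires_preauth: bool) -> None:
        self.db[name] = (key, requires_preauth)

    def as_req(self, client: str, padata: Optional[bytes] = None):
        key, requires_preauth = self.db[client]
        if requires_preauth:
            if padata is None:
                return "KDC_ERR_PREAUTH_REQUIRED", None
            ts = unseal(key, padata)
            if ts is None or abs(int(time.time()) - struct.unpack(">Q", ts)[0]) > 300:
                return "KDC_ERR_PREAUTH_FAILED", None
        # enc-part of the AS-REP: the session key under the client's long-term key
        return "AS-REP", seal(key, b"session-key:" + secrets.token_bytes(16))


def dictionary_attack(blob: bytes, realm: str, principal: str, wordlist) -> Optional[str]:
    """Offline: no further KDC contact, one PBKDF2 + one tag check per guess."""
    for guess in wordlist:
        if unseal(string_to_key(guess, realm, principal), blob) is not None:
            return guess
    return None


def demo() -> dict:
    realm = "EXAMPLE.TEST"                                   # constructed
    wordlist = ["password", "letmein", "hunter2", "kerberos"]  # constructed
    kdc = KDC(realm)
    kdc.add_principal("alice", string_to_key("hunter2", realm, "alice"), False)
    kdc.add_principal("bob", string_to_key("hunter2", realm, "bob"), True)
    svc_key = random_key()
    kdc.add_principal("host/web.example.test", svc_key, True)

    # 1. No preauth: anyone who names the principal gets ciphertext to attack.
    _, alice_blob = kdc.as_req("alice")
    alice_cracked = dictionary_attack(alice_blob, realm, "alice", wordlist)
    # 2. +requires_preauth: an unauthenticated request yields no ciphertext.
    bob_unauth, _ = kdc.as_req("bob")
    # 3. ...but the PA-ENC-TIMESTAMP of bob's real logon, seen on the wire,
    #    is attackable the same way (this is the gap FAST armoring closes).
    bob_padata = pa_enc_timestamp(string_to_key("hunter2", realm, "bob"))
    bob_status, _ = kdc.as_req("bob", bob_padata)
    bob_cracked = dictionary_attack(bob_padata, realm, "bob", wordlist)
    # 4. -randkey service: the sniffed timestamp is useless to a wordlist.
    svc_cracked = dictionary_attack(pa_enc_timestamp(svc_key), realm,
                                    "host/web.example.test", wordlist)
    return {"alice_cracked": alice_cracked, "bob_unauth": bob_unauth,
            "bob_status": bob_status, "bob_cracked": bob_cracked,
            "svc_cracked": svc_cracked}


if __name__ == "__main__":
    print(demo())
```

The point of cases 2 and 3 together: requiring preauthentication stops an attacker from simply asking the KDC for attackable ciphertext, but does not protect a password-derived key from someone who can observe a real logon, which is why the dictionary.html page also points at FAST and at password quality. Case 4 is the -randkey argument from the reply: with 128 random bits there is no dictionary to run.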
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos