WWDC2003 Session 108

Transcript

Kind: captions
Language: en
but today we're talking about Kerberos
so we'll do a very quick overview of
what Kerberos is how it works the
internal infrastructure the new features
we're adding to Kerberos and Panther and
how you can add Kerberos to your
application we will do a question-answer
fury at the end and we'll want to know
whether or not you're a user or
developer so what is Kerberos it's a
secure network authentication system in
one of the things that is worthwhile to
understand that there is a difference
between authentication and authorization
we have an authorization lab down on the
first floor I encourage you that if
you're interested in doing authorization
or rights management on Mac OS 10 and
you go check out the lab and talk to the
folks there we've got a really good off
system on the Mac it proved Kerberos
proves who you are and it uses a trusted
third party security model to do this
who uses Kerberos well certainly the
government it does and education large
corporations are starting to use it and
we built a lot of it in a Mac os10 it's
in Windows of course but not don't
really care too much about that the
reason that they use it is because it
factors the security problem it is
consistent with the central
authentication goals it provides single
sign-on it's ubiquitous across a variety
of platforms including Xbox when they
talk about having different realms on
xbox we're not talking about EverQuest
and it's time tested the source codes
freely available so to talk about
kerberos for the macintosh marshall veil
[Applause]
Thank You Craig good morning all my name
is Marshall veil I am the project
manager of Kerberos development at MIT
I'll lot to talk about so let's get
started first kurose is developed as
part of project Athena in the early
1980s Athena was projects are by MIT
deck and IBM to create a ubiquitous
computing infrastructure for an academic
environment of course when you turn in a
paper as student you want to prove who
you are and that's Kerberos was
developed to solve network
authentication Kerberos I became an ietf
rojo standard in 1993 and it's become
very popular in a wide variety of
markets including the corporate market
in the last few years thanks to
microsoft use of it as the native
authentication method in Windows 2000
later and as has been announced this
week Apple's been using Kerberos as the
single sign-on solution for Panther and
Mac OS 10 going forward there are two
forms of Kerberos protocols in common
use the first is Kerberos versions for
it was actually the original version no
longer being developed but still in use
of many other sites you may wonder what
happened to the other versions but they
never really quite got out of lab the
current version is Kerberos version 5 it
was designed to solve many of the
security deficiencies and other problems
in Kerberos for now let's take a look at
some of the Kerberos terms so we have an
understanding of what we're talking
about first is a realm the realm is an
administrative unit protected by a KDC
or key distribution center a ticket is
the base authentication token and in
Kerberos different types of tickets
exist for different purposes they have a
finite lifetime as they expire they're
also known as credentials and I may use
tickets and credentials interchangeably
so let's take a look at specific types
of tickets one is a ticket granting
ticket or a TGT it's the initial ticket
the grants permission to get service
tickets you can sort of think of it as
you're all amusement park path
the service ticket is a ticket to
authenticate a user to a particular
service such as ftp email what not i'll
take a look a couple determine a little
more in-depth our realm now it looks
similar to an internet domain and to a
user for example at MIT we have athena
MIT edu it defines your namespace all
your users user names have to avoid
collision within that domain of within
that realm unlike DNS which causes some
consternation with folks the Kerberos
realm is in fact case sensitive you can
have you can exchange keys between
different realms and a realm can support
any combination of v4 md5 an
organizational recommendation is to have
as few as realms as possible and for
those folks who may be setting up her
votes for the first time it's not best
to do it along political boundaries you
should at best have one your users will
be thankful for us now a ticket granting
ticket is also called an initial ticket
it's the first ticket you get and proves
that the client is allowed to get
tickets for other particular services it
acts as a substitute for a password and
it's the mechanism by which single
sign-on behavior for the user is
achieved now as I mentioned the tickets
are only valid for a limited period of
time but TG tees can in fact be renewed
so let's look at a simple TGT request
exchange first the client sends the TTT
requests to the KDC the KDC returns a
TDP and a session key to the client
encrypted in the clients key then the
client uses a one-way hash of the
password this is where the user sit some
types their passwords to extract the TGT
now at this point you can see those
counselors not actually traveled over
the network now I've done a bit of a
simplification here you actually want to
do something else called pre
authentication and make sure it
exchanges secure but for the purposes of
this session I'm making it go quicker so
what's it look like to a user well in
this example if you can see it the users
retrieve to TGT s14 v4 and 14 v5 most
the time users don't actually go and
need to investigate the tickets but
people wonder what they look for look
like and unfortunately we don't have any
wizzy opengl demos of tickets flying
around
now a service ticket sophisticates our
tickets that use the clients use to
access a particular service as I said it
contains a session key that share
between the client the server and can be
used to encrypt data exchanges it also
expires but is not renewable but that's
not actually that important GG T's take
care of that for you so let's take a
look at the service ticket exchange
first the client sends presents the tdt
to the KDC with requests for a service
ticket the KDC return encrypted service
ticket to the client the client uses ggt
to extract the service ticket now at
this point this client can authenticate
to the server in one of two ways one is
one way a syndication the other is
mutual authentication for completeness
of think we're going to show both
although in all circumstances you really
want to try to use a mutual fennec ation
so the one way example the client
presents the service ticket to the
server the server then receives the
service ticket NSN AKP's client at this
point client server can actually encrypt
the data by using the session key and
the mutual authentication case the
client sends service ticket container
server key is the session key to the
server just like in the one way how are
at this point pretty critical the server
essentially authenticates back to the
client it returns to respond encrypted
with session key from the service ticket
authenticating server the client very
important at all the path all servers
and clients the machine or
authenticating to each other that's the
trust of the trust relations are
established server can should also use
session key to encrypt the subsequent
traffic just like in the one-way
authentication example that was an
example serve in the abstract case of
how Kerberos fundamentally works now
let's take a look at a more specific
example for the application developer so
you get an idea how to add it to your
application this case we're going to
look at I map because it has the number
of good standard and source code is out
there for looking at as an example so I
Matthews this Apple a simple
authentication and security layer for
its negotiation of authentication
methods safa will apply the use of the
gssapi which I'll get into
a little bit later for accessing
Kerberos 5 and then eventually the
authentication token surpassed around
our base 64 encoded so let's see how the
negotiation happen first the client
sends a request to the server asking
what case capabilities are in this case
the server list with it hey I drew GSS
among many other things client says I
want to do GSF server sends back is
simple let's go ahead and then the
client sends the Kerberos Authenticator
as part of a gssapi token the server's
end sends mutual authentication response
as part of another gssapi token that's
the client and server authenticating to
each other the client responds with a
simple acknowledgement this point the
server sent back some security options
including buffer size more importantly
whether encryption should be used the
client then at this point actually is
sending in who it wants to log in as and
selects encryption the server sends back
where the client was in fact authorized
and with the encryption was selected
notice the Kerberos was doing a senha
cating as full of the user or is at this
point the server is now actually doing
the authorization whether the user can
actually log in and it's using a
different mechanism other than Kerberos
as Craig said for factoring the problem
so some points to remember about
connecting to a service after all this
negotiation ago she ation is done your
base protocol and the example I map will
proceed as normal however encryption
will will protect the data stream you
can use session key to negotiate your
actual encryption keys so essentially is
a byproduct of the Kerberos
authentication you can get encryption
all these ticket exchanges i just
presented all the arrows going back and
forth are basically invisible to the
user the connecting to the service is
essentially automatic for them they
don't need to type in the password or
that connecting to an imap or ftp server
whatnot these negotiations with kerberos
features are often all automatically
this is sort of behavior for the end
user to get the single sign-on they're
entering their password once when
they're logging into the system and they
don't have to enter it anywhere else and
single sign-on
what does differs tickets look like well
in this example users logged into a
variety of services including a V for
service and a variety of e5 services to
the user they just launched a bunch of
apps they don't even know that this app
is before based or this one it's the
five base to them they just want staff
and got their data and all this
authentication happen for them behind
the scenes automatically so let's take a
look at some Kerberos infrastructure
example this will be quickly going over
some KDC setup including MIT and MIT kc
with active directory and Apple KDC and
then some general KDC recommendations I
know a lot of folks are just looking in
at deploying Kerberos at their site so
we thought was a good idea to go over
some of these points now an MIT stock
KDC from the MIT distribution provides
best support for a wide cross-platform
environment from older clients to
current client provides flexibility for
special deployment such as AFS Sandra's
file system however and will be honest
here is a wee bit complex to manage
configure build and salt but that's why
source codes available so but a lot of
people are really interested in active
directory and a lot of people are
interested in putting active directory
with their existing MIT KDC
infrastructure so briefly show a little
bit of how how you can possibly lay this
out if item no means is this the only
way you can lay it out but this is a
little example we get asked this
question quite a bit first why would you
do it well it provides good support for
Windows integration there's a
cross-domain trust between the Windows
Active Directory and they are mighty
Casey now the important interesting
point here is that if you have to MIT k
dcs you can exchange keys between them
and users can use what's called cross
realm of dedication however that doesn't
actually imply trust between the realms
whereas Windows Active Directory
actually has important concept of trust
between its multiple domain so when you
actually set up Active Directory an MIT
KDC to communicate each other if there's
some the simplicity relationship with
trust between the realms now what is it
in this example the MIT KDC will contain
the canonical list of user account and
the host keys from the non Windows
machines and services
there are mappings of the user account
in a mighty KDC to the counts in the
after domain hydro directory domain so
just a quick little diagram you can see
that the trust relationship exists
between the MIT KDC and active directory
and that's where the account mapping
happens I user wrote authenticates the
MIT KDC and then get information
automatically out of Active Directory
the non Windows application services are
stored the host keys are stored in the
MIT KDC and the windows specific
application services information stored
in the active directory now as you may
have heard in Davos session in on
Tuesday Apple is introducing a KDC and
Panther server while you want to use it
well unlike the MIT KAC it's easy to set
up and configure you probably didn't
even know you actually installed it once
you've gone through the setup assistant
it takes advantage of apple's open
directory so if you're setting up an
infrastructure for first time in a small
site you get a nice directory with it an
interesting implementation detail of the
Panther server is that KDC is that the
password server actually contains the
Kerberos keys and other passwords for
the legacy clients to connect to it now
in this case a for Panther server KDC
the machines talk to the directory to
get Kerberos configuration configuration
information automatically and then of
course machines will talk to the Apple
KDC for their kerberos authentication so
general KDC recommendations matter which
KDC you're setting up use Triple DES
with an extra p for extra security and
RC four instead of des Keith does
probably that g5 is that they introduced
William crac des faster than you can rob
a button set the pre auth required flag
on and user principle that helps secure
the actual TGT exchange we're in a few
other services as possible on your KDC
you don't want these other services to
have vulnerabilities and compromise your
KDC data avoid Kerberos for as much as
possible and at all costs I'll get into
that a little bit later deploy client
configuration files as few as little
specific information as possible this
allows you to take advantage of new
encryption level features that we add in
growth and you deploy the library's
employed in UK DC then the client can
take advantage of that when settings are
specific set that usually overrides the
new functionality and new security level
and of course securely back up your KDC
and that is left up as an exercise to
the user now I don't normally go into
distributed file system but due to some
recent issues with kerberos for we
thought it was warranted discussing an
Andrew file system is a popular
distributed file system used by many
sites I mentioned because it uses
courtesy forces fundamental
authentication there's been a number of
improvements to AFS and to MIT kerberos
to allow the use of b5 to do as much of
the authentication it's possible you can
get a new v5a k log from MIT the urls
above mit.edu / open AFS you should run
a curb 524 on your KDC 45 40 and you
should only use curve for for the SS
principle and do not globally enable
before for all users now this point
we'll talk a little bit about Kerberos
for Macintosh the Kerberos
implementation in Mac OS 10 now in
Jaguar we shipped the first
full-featured client version of Kerberos
in a mac OS 10 and we're really excited
about it included kfm 45 we managed to
ship with apple a Kerberos ticket
management application curb 5126 number
of performance enhancements provements
the command line utilities and 524 and
thanks to bug reports that you filed in
10 23 we shipped kfm 451 and most people
didn't even notice but you know a few
peeps did so we were happy now I can sir
we're introducing Kerberos for Macintosh
five-point oh we include a real host of
new nice new features most importantly
is Kerberos d5 13 in it includes a
number of improved windows
interoperability features we have a new
Kerberos login dialog that fits in
better with Mac os10 authorization
dialogues we have a UI for getting
address those tickets so Kerberos five
will work better behind a nap and we all
know naps are out there
we have dns support for ktc look up and
we have a renewable ticket granting
ticket support on the server side we
actually now include all the server
component a standard stock MIT KDC is
included and related demon and the
common tools to operate in mtk DC k
admin and katie util we have many
requests for those and of course also
plug that Apple includes a more
integrated KDC as part of panthous
server but you have your choice you can
take nom ET stock a DC or you can use
the Panther server KDC so let's take a
look at the Kerberos for Macintosh five
architecture is a little different in
Kerberos and other implementation first
we have the application layer and
standard Marco application they access
the Kerberos libraries directly now for
command line applications they actually
go through ten links and user lib to
access the main Kerberos libraries in
the system directory and Jaguar you if
you were compiling stuff you needed to
install the BSC SDK headers the dev
tools which was turned off by default
although it looks like apples pics out
of Panther and that sign me to a number
of people reporting their applications
we also support for CFM carbon
applications through CFM mission of
libraries that MIT distributes and the
system directory of Mac OS 10 contains
the Kerberos framework it has a library
file containing all the various Kerberos
libraries and plants many others not
listed indifference another a Kerberos
and other environments is the sea cache
server contains the tickets in memory
and it uses mock IPC to communicate with
the Kerberos library lastly we have the
Kerberos login server this is the actual
component to present the log in Kerberos
login dialog for you na communicates
with the mac 5pc to the Kerberos
framework a lot of people think that's
actually a part of the Kerberos
application but it's actually stored in
the Kerberos framework itself
so which are included in kfm and
includes the K client API
compatibilities just like on jaguar
Kerberos however a significant change
we've made is that we are now the curb
for library comes from the v4
compatibility library in the stock MIT
curved 5 distribution we previously had
based it on it in separate library from
older Cygnus distribution so now more of
the platforms and MIT kerberos code
share the same before library now
applications can use either k client or
the straight view for AP is so there
before support however new code new new
coach and be developed using before why
you might ask well only supports des as
we know does this is very secure these
days cannot get address list ticket it's
not part of be four tickets not support
a variety of various feature flags such
as forwarding Microsoft has no native
support in their windows products for
before so that makes integration
component much more more difficult oh
and there's this little teensy problem
that there's some fundamental problems
with the protocol in a decryption level
if you really want to go read up the
fund there's a certain owner abilities
that we released a few months ago turbos
before is pretty much dead and busted so
what there is a solution and I'll give
everyone one guest khoros-5 so everyone
really should I'd be migrating to
Kerberos five any kfm 50 as I said we
have service 513 and enhancement is that
we have support for the current I ETF
draft of Kerberos clarification we also
include the gssapi is application level
API for accessing the Kerberos
functionality I'll take a look some of
the features of V 5 13 and depth as I
said we have improved Microsoft Windows
interoperability that specifically means
we've had a TCP support for
communication in the client libraries
and Katie see we have support for the
rc4 crypto system and we have a chat
support to the microsoft net password
protocol we've also added improved
support for ipv6 we could use a lot of
help testing this out so get your pants
recedes and try it out we have initial
AES support now it's not complete we're
still working with Microsoft to define
some of the standards for AES support
but Mac os10 cancer may be one of the
first out of the gate with a yeah we've
also now have support for building on
pure Darwin systems if you do this
you'll get a sock UNIX curb 5
installation but we know a few people
out there like to run on pure Darwin
system so we now have support from that
across many bug fixes and future
improvement from previous curve by
releases we get to ask this all the time
in fact before we even got before the
keynote we got asked this question do
you in a wrapper ate with Microsoft so
yes active directory can be used as a
curved 5k DC to a Mac os10 client
Kerberos client windows also has a GSS
mechanism called simple unprotected
gssapi negotiation mechanism been nego
however a fortunate doesn't have a
public counterpart on Mac os10 right now
and pants are what we are trying to work
on that with a variety of vendors also
there's sspi is an application interface
that windows promote fortunately is very
similar to GSS microsoft even publishes
the document which we reference later in
the session to help you map the api's if
you're writing as a macintosh developer
and you want to perhaps poured over onto
windows you should write to DSS and you
should hopefully be able to move it on
and create a shim layer to right on top
of SSP I as i mentioned tcp and RC for
support are there now going back the
architecture slide the credentials cash
the tickets done on Kerberos for
macintosh are stored in memory this
allows us to be more flexible in how we
manage our tickets supporting multiple
credentials and multiple realms more
easily the Kerberos login library is a
unique to occur boats for Macintosh and
it simplifies getting both b4 and b5
initial tickets you can get and acquire
and destroys the initial tickets with
single call it provides an API for
programmers to change the setting that
come up in the Kerberos login dialog if
you want and if mostly is used by sort
of administer
of apps or those that are trying to do
serve login behavior on the Macintosh
perform actions on PG T's other
libraries that are also provided include
comair for error handling a profile
library for reading elements out of the
Kerberos configuration file such as your
default realms and whatnot the curb us
application is an end user application
for obtaining getting information
destroying tickets also provides UI for
setting things such as the Kerberos
login dialog default in your favorite
realm also the dock icon presents
information the user about the status of
the Kerberos ticket how when they expire
and a dock menu if the user holds down
the mouse button they'll see a menu of
actions they can perform on the Kerberos
tickets people often ask about a menu in
the menubar however the menus already
provided in the Kerberos application for
kfm 50 we've included a number of new
features in the Kerberos application
including settings editing the settings
for the new login dialog default improve
performance and appearance now I get
your blurry txt enter realms for DNS in
your favorite realm new time ranges for
sending a renewable ticket option and
even more importantly while it's running
it will auto renew your TG keys when
applicable then when you get the
Renewable ttts if cobro staff is running
then you say will automatically renew
your ticket however if you put the
machine to sleep in your tickets expire
you cannot renew expired tickets but if
you're on a 36-hour coding marathon you
don't have to enter your password at all
Kerberos app will keep auto renewing
your tickets so let's take a look at the
new Kerberos login dialog as you can see
we've changed it to look more like the
standard mac OS can authentication
authorization dialog even tells you
which applications requesting a Kerberos
access in this case mail app has been
trying to do Kerberos authentication you
can also use the realm sealed is now an
editable text so you can better support
with the DNS lookup with the KDC rome if
you show options and this may be a
little difficult see we expand the
dialog and you can see there's a
checkbox for the Justice ticket so it's
no longer hidden in a configuration file
and you can configure how long you want
your tickets
renewable for so now there are some
changes in Panther kerberos that you
should be aware of first this is due to
the change in the application framework
that we're using for the login dialog
the log and dialogues password field has
been changed from macro and to utf-8 now
it's an authorization in Kerberos
passwords is one horrible mess and we're
starting to make it a little bit worse
but if a user has a password that uses
high bit characters in the mac roman
encoding they'll have difficulty logging
on now you have your administrator can
reset their password or they can use the
terminal change the character set and
change the password from their new CSM
bridge libraries are unfortunately
required however they are available to
you today and the new bridge libraries
will work both on Jaguar and on Panther
so you just need to do one distribution
command line clients will no longer
automatically prompt when their tickets
are available the behavior now is
identical to on the other unix
environment 4524 authentication now
requires a valid v4 configuration to be
to be available jaguar it would always
try 524 and it was a problem for a
number of sight and pseudo and su well
now get an empty ticket cash not and not
have access to the logged-in users cash
due to changes in inter offering with
the new security server let's take a
look at developing for kerberos how do
you provide your application well it's
kind of easy well hopefully find the
protocol specification rfps what not to
bring which API to use if you were add
to add some support for before you could
use cake client or gssapi or Kerberos
five depending on the applications need
and you figure out how to connect the
API to the protocol that this means that
the data returned by the various api's
news massage and some form the base
protocol understand typically this is
base64 take a quick look at curb rising
ftp because it has a couple of nice rfcs
defining how it works one for v4 and one
for gsm + k 5 you would use in this case
k client api for v4 support NGSS for
curb 5
I'm skipping the v4 point to make you
know we're not supporting before anymore
right right yeah so gssapi first you
start with some session management and
authentication we've done through jazz
vasana tech context you do some basic
encryption and decryption of the data
stream through GSS Raffin GF unwrapped
and the way as an example to connect the
API to protocol mistook base64 let's
look a little bit more in gssapi
programming in depth with basics now GSS
exchanges hard messages and things
called token as beginning of the program
GSS exchanges context token to perform
the authentication and it set up the
encryption layer the program actually
called CSS rapin GSS unwrapped to do the
encryption and decryption of the
application data in general hammer the
point home all application data should
be encrypted or number applications out
there still just do authentication and
our users tend to think that email the
data stream is still encrypted when
they're using Kerberos and we need to
make sure all the applications are in
fact encrypting the data users like
security application choices
applications must select gssapi security
services that they want most
applications one to explicitly turn on
following features integrity protection
confidentiality replay detection and
sequencing we're not as scary as they
come gssapi also provides a facility to
forward cadential from one system to
another now the program full of GSS
programming essentially requires
multiple round trips for authentication
essentially an application does not
necessarily know how many round-trip are
going to be required ahead of time so
the application loops waiting for the
authentication to finish so let's take a
look the GSS client loop the input token
set it up so there's no you then go into
a do loop with GSS and it's a context
if the output token is there and send
the output token and then you check the
major status GSS status if you continue
as needed you sensually continue doing
the loop on the server side you sit
there looping try and receive a GSS
token the CSS accept that context if
it's there you send a response back and
you check to see whether continuation is
needed and if it is you continue looping
in the in the do loop to receive all of
the data supervising suggestions for
developers you sasal if you're adding
Kerberos to your own proprietary
protocol that will help handle a lot of
the negotiations of the onset of the
various authentication methods you want
available to you not just Kerberos but
other one using sasal includes using
gssapi 3025 functionality the gssapi
helps isolate applications from
differences in the curve live api's the
crap I've api's actually aren't any real
standard and there were different
implementations of different API
semantics so GSS is actually an RFC see
binding so that helps make your
application more portable to different
environments again to drive home point
home do not add additional v4 support at
this point before is very insecure and
we need to make sure everyone's
migrating off to be five so in summary
as mentioned other session Carosa simply
a powerful solution to authentication
and single sign-on provides an
unobtrusive authentication experience to
the user it's available on a wide
variety of platform site should be
moving from / before have I gotten the
point across pancer and Panther server
will provide a wealth of curb ride
services Annapolis as the dimension
review session is committing very
heavily spur growth and they will be
driving adoption if you're gross
throughout their offerings listen
if you need to report a bug about
Kerberos from Mac os10 since there are
so many people his family is very large
reports of bugs to Apple no it's nice we
like to hear from the bugs at MIT
however in order to get your bug fixed
and back in the OS they need to be filed
an apple if you feel that your bugs not
getting attention please bring the issue
up with apple they're the ones who ship
it so if you need to get it into a
software update you need to raise the
issue with your apple representative so
to wrap up here's the roadmap mostly
these sessions have already happened
however there's a security feedback
forum on Friday you can contact craig or
myself or also skip 11 who is the server
technology evangelist and a lot of his
folks are doing a lot of the kerberos
integration for information we have a
variety of URLs the documentation is
available for MIT is in a couple of
places and these you are all these URLs
are available from Apple Apple has a
knowledge base article about Kerberos
and Jaguar and Microsoft has a number of
interoperability web pages including
frequently asked questions there a
number of RFPs for you might want to
look at like I'm map authentication
mechanisms is a great example of how to
use hassle and gfs a lot of people don't
notice that we actually did publish the
source code as much as we could legally
allowed in Kerberos mcintosh 451 in
Jaguar it's on the Darwin Kerberos page
and that's available under the developer
site at Apple
you