WWDC2003 Session 108

Transcript

Kind: captions Language: en but today we're talking about Kerberos so we'll do a very quick overview of what Kerberos is how it works the internal infrastructure the new features we're adding to Kerberos and Panther and how you can add Kerberos to your application we will do a question-answer fury at the end and we'll want to know whether or not you're a user or developer so what is Kerberos it's a secure network authentication system in one of the things that is worthwhile to understand that there is a difference between authentication and authorization we have an authorization lab down on the first floor I encourage you that if you're interested in doing authorization or rights management on Mac OS 10 and you go check out the lab and talk to the folks there we've got a really good off system on the Mac it proved Kerberos proves who you are and it uses a trusted third party security model to do this who uses Kerberos well certainly the government it does and education large corporations are starting to use it and we built a lot of it in a Mac os10 it's in Windows of course but not don't really care too much about that the reason that they use it is because it factors the security problem it is consistent with the central authentication goals it provides single sign-on it's ubiquitous across a variety of platforms including Xbox when they talk about having different realms on xbox we're not talking about EverQuest and it's time tested the source codes freely available so to talk about kerberos for the macintosh marshall veil [Applause] Thank You Craig good morning all my name is Marshall veil I am the project manager of Kerberos development at MIT I'll lot to talk about so let's get started first kurose is developed as part of project Athena in the early 1980s Athena was projects are by MIT deck and IBM to create a ubiquitous computing infrastructure for an academic environment of course when you turn in a paper as student you want to prove who you are and that's Kerberos was developed to solve network authentication Kerberos I became an ietf rojo standard in 1993 and it's become very popular in a wide variety of markets including the corporate market in the last few years thanks to microsoft use of it as the native authentication method in Windows 2000 later and as has been announced this week Apple's been using Kerberos as the single sign-on solution for Panther and Mac OS 10 going forward there are two forms of Kerberos protocols in common use the first is Kerberos versions for it was actually the original version no longer being developed but still in use of many other sites you may wonder what happened to the other versions but they never really quite got out of lab the current version is Kerberos version 5 it was designed to solve many of the security deficiencies and other problems in Kerberos for now let's take a look at some of the Kerberos terms so we have an understanding of what we're talking about first is a realm the realm is an administrative unit protected by a KDC or key distribution center a ticket is the base authentication token and in Kerberos different types of tickets exist for different purposes they have a finite lifetime as they expire they're also known as credentials and I may use tickets and credentials interchangeably so let's take a look at specific types of tickets one is a ticket granting ticket or a TGT it's the initial ticket the grants permission to get service tickets you can sort of think of it as you're all amusement park path the service ticket is a ticket to authenticate a user to a particular service such as ftp email what not i'll take a look a couple determine a little more in-depth our realm now it looks similar to an internet domain and to a user for example at MIT we have athena MIT edu it defines your namespace all your users user names have to avoid collision within that domain of within that realm unlike DNS which causes some consternation with folks the Kerberos realm is in fact case sensitive you can have you can exchange keys between different realms and a realm can support any combination of v4 md5 an organizational recommendation is to have as few as realms as possible and for those folks who may be setting up her votes for the first time it's not best to do it along political boundaries you should at best have one your users will be thankful for us now a ticket granting ticket is also called an initial ticket it's the first ticket you get and proves that the client is allowed to get tickets for other particular services it acts as a substitute for a password and it's the mechanism by which single sign-on behavior for the user is achieved now as I mentioned the tickets are only valid for a limited period of time but TG tees can in fact be renewed so let's look at a simple TGT request exchange first the client sends the TTT requests to the KDC the KDC returns a TDP and a session key to the client encrypted in the clients key then the client uses a one-way hash of the password this is where the user sit some types their passwords to extract the TGT now at this point you can see those counselors not actually traveled over the network now I've done a bit of a simplification here you actually want to do something else called pre authentication and make sure it exchanges secure but for the purposes of this session I'm making it go quicker so what's it look like to a user well in this example if you can see it the users retrieve to TGT s14 v4 and 14 v5 most the time users don't actually go and need to investigate the tickets but people wonder what they look for look like and unfortunately we don't have any wizzy opengl demos of tickets flying around now a service ticket sophisticates our tickets that use the clients use to access a particular service as I said it contains a session key that share between the client the server and can be used to encrypt data exchanges it also expires but is not renewable but that's not actually that important GG T's take care of that for you so let's take a look at the service ticket exchange first the client sends presents the tdt to the KDC with requests for a service ticket the KDC return encrypted service ticket to the client the client uses ggt to extract the service ticket now at this point this client can authenticate to the server in one of two ways one is one way a syndication the other is mutual authentication for completeness of think we're going to show both although in all circumstances you really want to try to use a mutual fennec ation so the one way example the client presents the service ticket to the server the server then receives the service ticket NSN AKP's client at this point client server can actually encrypt the data by using the session key and the mutual authentication case the client sends service ticket container server key is the session key to the server just like in the one way how are at this point pretty critical the server essentially authenticates back to the client it returns to respond encrypted with session key from the service ticket authenticating server the client very important at all the path all servers and clients the machine or authenticating to each other that's the trust of the trust relations are established server can should also use session key to encrypt the subsequent traffic just like in the one-way authentication example that was an example serve in the abstract case of how Kerberos fundamentally works now let's take a look at a more specific example for the application developer so you get an idea how to add it to your application this case we're going to look at I map because it has the number of good standard and source code is out there for looking at as an example so I Matthews this Apple a simple authentication and security layer for its negotiation of authentication methods safa will apply the use of the gssapi which I'll get into a little bit later for accessing Kerberos 5 and then eventually the authentication token surpassed around our base 64 encoded so let's see how the negotiation happen first the client sends a request to the server asking what case capabilities are in this case the server list with it hey I drew GSS among many other things client says I want to do GSF server sends back is simple let's go ahead and then the client sends the Kerberos Authenticator as part of a gssapi token the server's end sends mutual authentication response as part of another gssapi token that's the client and server authenticating to each other the client responds with a simple acknowledgement this point the server sent back some security options including buffer size more importantly whether encryption should be used the client then at this point actually is sending in who it wants to log in as and selects encryption the server sends back where the client was in fact authorized and with the encryption was selected notice the Kerberos was doing a senha cating as full of the user or is at this point the server is now actually doing the authorization whether the user can actually log in and it's using a different mechanism other than Kerberos as Craig said for factoring the problem so some points to remember about connecting to a service after all this negotiation ago she ation is done your base protocol and the example I map will proceed as normal however encryption will will protect the data stream you can use session key to negotiate your actual encryption keys so essentially is a byproduct of the Kerberos authentication you can get encryption all these ticket exchanges i just presented all the arrows going back and forth are basically invisible to the user the connecting to the service is essentially automatic for them they don't need to type in the password or that connecting to an imap or ftp server whatnot these negotiations with kerberos features are often all automatically this is sort of behavior for the end user to get the single sign-on they're entering their password once when they're logging into the system and they don't have to enter it anywhere else and single sign-on what does differs tickets look like well in this example users logged into a variety of services including a V for service and a variety of e5 services to the user they just launched a bunch of apps they don't even know that this app is before based or this one it's the five base to them they just want staff and got their data and all this authentication happen for them behind the scenes automatically so let's take a look at some Kerberos infrastructure example this will be quickly going over some KDC setup including MIT and MIT kc with active directory and Apple KDC and then some general KDC recommendations I know a lot of folks are just looking in at deploying Kerberos at their site so we thought was a good idea to go over some of these points now an MIT stock KDC from the MIT distribution provides best support for a wide cross-platform environment from older clients to current client provides flexibility for special deployment such as AFS Sandra's file system however and will be honest here is a wee bit complex to manage configure build and salt but that's why source codes available so but a lot of people are really interested in active directory and a lot of people are interested in putting active directory with their existing MIT KDC infrastructure so briefly show a little bit of how how you can possibly lay this out if item no means is this the only way you can lay it out but this is a little example we get asked this question quite a bit first why would you do it well it provides good support for Windows integration there's a cross-domain trust between the Windows Active Directory and they are mighty Casey now the important interesting point here is that if you have to MIT k dcs you can exchange keys between them and users can use what's called cross realm of dedication however that doesn't actually imply trust between the realms whereas Windows Active Directory actually has important concept of trust between its multiple domain so when you actually set up Active Directory an MIT KDC to communicate each other if there's some the simplicity relationship with trust between the realms now what is it in this example the MIT KDC will contain the canonical list of user account and the host keys from the non Windows machines and services there are mappings of the user account in a mighty KDC to the counts in the after domain hydro directory domain so just a quick little diagram you can see that the trust relationship exists between the MIT KDC and active directory and that's where the account mapping happens I user wrote authenticates the MIT KDC and then get information automatically out of Active Directory the non Windows application services are stored the host keys are stored in the MIT KDC and the windows specific application services information stored in the active directory now as you may have heard in Davos session in on Tuesday Apple is introducing a KDC and Panther server while you want to use it well unlike the MIT KAC it's easy to set up and configure you probably didn't even know you actually installed it once you've gone through the setup assistant it takes advantage of apple's open directory so if you're setting up an infrastructure for first time in a small site you get a nice directory with it an interesting implementation detail of the Panther server is that KDC is that the password server actually contains the Kerberos keys and other passwords for the legacy clients to connect to it now in this case a for Panther server KDC the machines talk to the directory to get Kerberos configuration configuration information automatically and then of course machines will talk to the Apple KDC for their kerberos authentication so general KDC recommendations matter which KDC you're setting up use Triple DES with an extra p for extra security and RC four instead of des Keith does probably that g5 is that they introduced William crac des faster than you can rob a button set the pre auth required flag on and user principle that helps secure the actual TGT exchange we're in a few other services as possible on your KDC you don't want these other services to have vulnerabilities and compromise your KDC data avoid Kerberos for as much as possible and at all costs I'll get into that a little bit later deploy client configuration files as few as little specific information as possible this allows you to take advantage of new encryption level features that we add in growth and you deploy the library's employed in UK DC then the client can take advantage of that when settings are specific set that usually overrides the new functionality and new security level and of course securely back up your KDC and that is left up as an exercise to the user now I don't normally go into distributed file system but due to some recent issues with kerberos for we thought it was warranted discussing an Andrew file system is a popular distributed file system used by many sites I mentioned because it uses courtesy forces fundamental authentication there's been a number of improvements to AFS and to MIT kerberos to allow the use of b5 to do as much of the authentication it's possible you can get a new v5a k log from MIT the urls above mit.edu / open AFS you should run a curb 524 on your KDC 45 40 and you should only use curve for for the SS principle and do not globally enable before for all users now this point we'll talk a little bit about Kerberos for Macintosh the Kerberos implementation in Mac OS 10 now in Jaguar we shipped the first full-featured client version of Kerberos in a mac OS 10 and we're really excited about it included kfm 45 we managed to ship with apple a Kerberos ticket management application curb 5126 number of performance enhancements provements the command line utilities and 524 and thanks to bug reports that you filed in 10 23 we shipped kfm 451 and most people didn't even notice but you know a few peeps did so we were happy now I can sir we're introducing Kerberos for Macintosh five-point oh we include a real host of new nice new features most importantly is Kerberos d5 13 in it includes a number of improved windows interoperability features we have a new Kerberos login dialog that fits in better with Mac os10 authorization dialogues we have a UI for getting address those tickets so Kerberos five will work better behind a nap and we all know naps are out there we have dns support for ktc look up and we have a renewable ticket granting ticket support on the server side we actually now include all the server component a standard stock MIT KDC is included and related demon and the common tools to operate in mtk DC k admin and katie util we have many requests for those and of course also plug that Apple includes a more integrated KDC as part of panthous server but you have your choice you can take nom ET stock a DC or you can use the Panther server KDC so let's take a look at the Kerberos for Macintosh five architecture is a little different in Kerberos and other implementation first we have the application layer and standard Marco application they access the Kerberos libraries directly now for command line applications they actually go through ten links and user lib to access the main Kerberos libraries in the system directory and Jaguar you if you were compiling stuff you needed to install the BSC SDK headers the dev tools which was turned off by default although it looks like apples pics out of Panther and that sign me to a number of people reporting their applications we also support for CFM carbon applications through CFM mission of libraries that MIT distributes and the system directory of Mac OS 10 contains the Kerberos framework it has a library file containing all the various Kerberos libraries and plants many others not listed indifference another a Kerberos and other environments is the sea cache server contains the tickets in memory and it uses mock IPC to communicate with the Kerberos library lastly we have the Kerberos login server this is the actual component to present the log in Kerberos login dialog for you na communicates with the mac 5pc to the Kerberos framework a lot of people think that's actually a part of the Kerberos application but it's actually stored in the Kerberos framework itself so which are included in kfm and includes the K client API compatibilities just like on jaguar Kerberos however a significant change we've made is that we are now the curb for library comes from the v4 compatibility library in the stock MIT curved 5 distribution we previously had based it on it in separate library from older Cygnus distribution so now more of the platforms and MIT kerberos code share the same before library now applications can use either k client or the straight view for AP is so there before support however new code new new coach and be developed using before why you might ask well only supports des as we know does this is very secure these days cannot get address list ticket it's not part of be four tickets not support a variety of various feature flags such as forwarding Microsoft has no native support in their windows products for before so that makes integration component much more more difficult oh and there's this little teensy problem that there's some fundamental problems with the protocol in a decryption level if you really want to go read up the fund there's a certain owner abilities that we released a few months ago turbos before is pretty much dead and busted so what there is a solution and I'll give everyone one guest khoros-5 so everyone really should I'd be migrating to Kerberos five any kfm 50 as I said we have service 513 and enhancement is that we have support for the current I ETF draft of Kerberos clarification we also include the gssapi is application level API for accessing the Kerberos functionality I'll take a look some of the features of V 5 13 and depth as I said we have improved Microsoft Windows interoperability that specifically means we've had a TCP support for communication in the client libraries and Katie see we have support for the rc4 crypto system and we have a chat support to the microsoft net password protocol we've also added improved support for ipv6 we could use a lot of help testing this out so get your pants recedes and try it out we have initial AES support now it's not complete we're still working with Microsoft to define some of the standards for AES support but Mac os10 cancer may be one of the first out of the gate with a yeah we've also now have support for building on pure Darwin systems if you do this you'll get a sock UNIX curb 5 installation but we know a few people out there like to run on pure Darwin system so we now have support from that across many bug fixes and future improvement from previous curve by releases we get to ask this all the time in fact before we even got before the keynote we got asked this question do you in a wrapper ate with Microsoft so yes active directory can be used as a curved 5k DC to a Mac os10 client Kerberos client windows also has a GSS mechanism called simple unprotected gssapi negotiation mechanism been nego however a fortunate doesn't have a public counterpart on Mac os10 right now and pants are what we are trying to work on that with a variety of vendors also there's sspi is an application interface that windows promote fortunately is very similar to GSS microsoft even publishes the document which we reference later in the session to help you map the api's if you're writing as a macintosh developer and you want to perhaps poured over onto windows you should write to DSS and you should hopefully be able to move it on and create a shim layer to right on top of SSP I as i mentioned tcp and RC for support are there now going back the architecture slide the credentials cash the tickets done on Kerberos for macintosh are stored in memory this allows us to be more flexible in how we manage our tickets supporting multiple credentials and multiple realms more easily the Kerberos login library is a unique to occur boats for Macintosh and it simplifies getting both b4 and b5 initial tickets you can get and acquire and destroys the initial tickets with single call it provides an API for programmers to change the setting that come up in the Kerberos login dialog if you want and if mostly is used by sort of administer of apps or those that are trying to do serve login behavior on the Macintosh perform actions on PG T's other libraries that are also provided include comair for error handling a profile library for reading elements out of the Kerberos configuration file such as your default realms and whatnot the curb us application is an end user application for obtaining getting information destroying tickets also provides UI for setting things such as the Kerberos login dialog default in your favorite realm also the dock icon presents information the user about the status of the Kerberos ticket how when they expire and a dock menu if the user holds down the mouse button they'll see a menu of actions they can perform on the Kerberos tickets people often ask about a menu in the menubar however the menus already provided in the Kerberos application for kfm 50 we've included a number of new features in the Kerberos application including settings editing the settings for the new login dialog default improve performance and appearance now I get your blurry txt enter realms for DNS in your favorite realm new time ranges for sending a renewable ticket option and even more importantly while it's running it will auto renew your TG keys when applicable then when you get the Renewable ttts if cobro staff is running then you say will automatically renew your ticket however if you put the machine to sleep in your tickets expire you cannot renew expired tickets but if you're on a 36-hour coding marathon you don't have to enter your password at all Kerberos app will keep auto renewing your tickets so let's take a look at the new Kerberos login dialog as you can see we've changed it to look more like the standard mac OS can authentication authorization dialog even tells you which applications requesting a Kerberos access in this case mail app has been trying to do Kerberos authentication you can also use the realm sealed is now an editable text so you can better support with the DNS lookup with the KDC rome if you show options and this may be a little difficult see we expand the dialog and you can see there's a checkbox for the Justice ticket so it's no longer hidden in a configuration file and you can configure how long you want your tickets renewable for so now there are some changes in Panther kerberos that you should be aware of first this is due to the change in the application framework that we're using for the login dialog the log and dialogues password field has been changed from macro and to utf-8 now it's an authorization in Kerberos passwords is one horrible mess and we're starting to make it a little bit worse but if a user has a password that uses high bit characters in the mac roman encoding they'll have difficulty logging on now you have your administrator can reset their password or they can use the terminal change the character set and change the password from their new CSM bridge libraries are unfortunately required however they are available to you today and the new bridge libraries will work both on Jaguar and on Panther so you just need to do one distribution command line clients will no longer automatically prompt when their tickets are available the behavior now is identical to on the other unix environment 4524 authentication now requires a valid v4 configuration to be to be available jaguar it would always try 524 and it was a problem for a number of sight and pseudo and su well now get an empty ticket cash not and not have access to the logged-in users cash due to changes in inter offering with the new security server let's take a look at developing for kerberos how do you provide your application well it's kind of easy well hopefully find the protocol specification rfps what not to bring which API to use if you were add to add some support for before you could use cake client or gssapi or Kerberos five depending on the applications need and you figure out how to connect the API to the protocol that this means that the data returned by the various api's news massage and some form the base protocol understand typically this is base64 take a quick look at curb rising ftp because it has a couple of nice rfcs defining how it works one for v4 and one for gsm + k 5 you would use in this case k client api for v4 support NGSS for curb 5 I'm skipping the v4 point to make you know we're not supporting before anymore right right yeah so gssapi first you start with some session management and authentication we've done through jazz vasana tech context you do some basic encryption and decryption of the data stream through GSS Raffin GF unwrapped and the way as an example to connect the API to protocol mistook base64 let's look a little bit more in gssapi programming in depth with basics now GSS exchanges hard messages and things called token as beginning of the program GSS exchanges context token to perform the authentication and it set up the encryption layer the program actually called CSS rapin GSS unwrapped to do the encryption and decryption of the application data in general hammer the point home all application data should be encrypted or number applications out there still just do authentication and our users tend to think that email the data stream is still encrypted when they're using Kerberos and we need to make sure all the applications are in fact encrypting the data users like security application choices applications must select gssapi security services that they want most applications one to explicitly turn on following features integrity protection confidentiality replay detection and sequencing we're not as scary as they come gssapi also provides a facility to forward cadential from one system to another now the program full of GSS programming essentially requires multiple round trips for authentication essentially an application does not necessarily know how many round-trip are going to be required ahead of time so the application loops waiting for the authentication to finish so let's take a look the GSS client loop the input token set it up so there's no you then go into a do loop with GSS and it's a context if the output token is there and send the output token and then you check the major status GSS status if you continue as needed you sensually continue doing the loop on the server side you sit there looping try and receive a GSS token the CSS accept that context if it's there you send a response back and you check to see whether continuation is needed and if it is you continue looping in the in the do loop to receive all of the data supervising suggestions for developers you sasal if you're adding Kerberos to your own proprietary protocol that will help handle a lot of the negotiations of the onset of the various authentication methods you want available to you not just Kerberos but other one using sasal includes using gssapi 3025 functionality the gssapi helps isolate applications from differences in the curve live api's the crap I've api's actually aren't any real standard and there were different implementations of different API semantics so GSS is actually an RFC see binding so that helps make your application more portable to different environments again to drive home point home do not add additional v4 support at this point before is very insecure and we need to make sure everyone's migrating off to be five so in summary as mentioned other session Carosa simply a powerful solution to authentication and single sign-on provides an unobtrusive authentication experience to the user it's available on a wide variety of platform site should be moving from / before have I gotten the point across pancer and Panther server will provide a wealth of curb ride services Annapolis as the dimension review session is committing very heavily spur growth and they will be driving adoption if you're gross throughout their offerings listen if you need to report a bug about Kerberos from Mac os10 since there are so many people his family is very large reports of bugs to Apple no it's nice we like to hear from the bugs at MIT however in order to get your bug fixed and back in the OS they need to be filed an apple if you feel that your bugs not getting attention please bring the issue up with apple they're the ones who ship it so if you need to get it into a software update you need to raise the issue with your apple representative so to wrap up here's the roadmap mostly these sessions have already happened however there's a security feedback forum on Friday you can contact craig or myself or also skip 11 who is the server technology evangelist and a lot of his folks are doing a lot of the kerberos integration for information we have a variety of URLs the documentation is available for MIT is in a couple of places and these you are all these URLs are available from Apple Apple has a knowledge base article about Kerberos and Jaguar and Microsoft has a number of interoperability web pages including frequently asked questions there a number of RFPs for you might want to look at like I'm map authentication mechanisms is a great example of how to use hassle and gfs a lot of people don't notice that we actually did publish the source code as much as we could legally allowed in Kerberos mcintosh 451 in Jaguar it's on the Darwin Kerberos page and that's available under the developer site at Apple you