WWDC2004 Session 640

Transcript

Kind: captions Language: en right hello welcome to inside network authentication my name is jason Thompson I work on open directory in various capacities so today we're going to talk about first giving an introduction to what we mean by network authentication and then go through the feature set that we have in Panther both in password server and kerberos just to review then talk about all the new features we're adding in tiger go through some of the command line tools you might use and also some examples of how you can use kerberos in your applications and then finish up with questions and answers so what is network authentication well authentication is proof of identity so you can think of for example if you have a badge where you work the when you present that badge to a reader that's a form of authentication because you're proving that you are who the badge indicates that you are because you have possession of that badge so we need to keep in mind that this is not the same thing as authorization it sounds very similar but authorization is actually whether you can access a particular service or not so in the case of the badge it could be that I have an apple batch but I still don't have access to the super-secret hardware lab where all the new prototypes are because I'm just a lowly software engineer so I have I can successfully authenticate but I'm not authorized for a particular services another thing once we think about this on the network the first thing you may think of doing is just sending the username and password that the user types in into your dialogue directly across the network but that's kind of a bad idea because you can't trust the network in general there could be you know the server that you're connecting to may not be what you think it is there could be someone interposing between you and the actual service that you're using or you know just using TCP dump to sniff your network traffic since we TC good TCP dump is part of every Mac os10 machine so and there's a they could have a hardware sniffer on the network so you have to assume that the network is insecure and there's there's three main problems that we want to solve with network authentication first of all we need to prove the user's identity to the service securely and then we also need to prove the server's identity to the user that goes back to what I was talking about where you're not sure if the server that you're connecting to is what you think it is so if you have some way independent of the network stack to prove to the client what it is that gives you a lot more confidence and using that service and finally when you're when you're dealing with network authentication you want to avoid asking the user to enter their password over and over and over again but also you don't want to necessarily always store it somewhere because that could be insecure so we need a better solution to that so the next step beyond just sending the password in the clear would be to do a challenge-response authentication so the sequence goes something like this here we have a client and a server and first the client could send the user name to the server server would respond with a random challenge and finally the client sends back a response the response is a function of the challenge and the password and it could also incorporate the user name maybe other information the other thing to keep in mind here is actually in some authentication methods the challenge is actually sent before the username so depending upon what off method we're talking about it might be a little different but that's the basic idea and Apple has something called password server which we had in in Mac OS 10 server since 10.2 and that is our solution for challenge response authentication it supports a wide variety of authentication methods it's based on the simple authentication and security layer or sasal which developed by Carnegie Mellon which is a library that allows you to abstract these various challenge-response authentication methods and provides a lot of code to do that and make it easier it's also a standard for various network protocols password server also has a secure way of changing your password so even though you're doing that over the network that's happening through an encrypted channel and you don't have to worry about your password being picked up by an attacker when you're changing it and the final point here we call the password server the roach motel of passwords so passwords check in but they don't check out there's no way to using that password server protocol to harvest the passwords back all you can do is do an authentication through some secure challenge-response authentication method or change the password or set various options so the authentication methods I was talking about here here's some examples we have md5 digest cram md5 NT land manager and so on you may have seen these before but depending upon which service you're talking about there may be one or two off methods that are typically used by that service and these sort of came up over the years so we just put all of them into password server so all these things are supported and passwords server and we can work with a single password across all these services on mac OS x server so let's look at an example password server authentication the sequence that we would go through you have a four machines here there's the client the panthers server directory server and a password server and in some cases maybe the directory server and the password server might be the same machine that's the typical configuration but it could be different so for purposes of this illustration we're going to keep them separate so first the clients going to contact the service and send the various information about what user they're doing and potentially the response to the challenge and so on then once that the server has the user name it's going to oh wait okay the arrows going the wrong way so the the server looks like the user record in the directory server and then get the response back so it finds the the user record and the user record will have an authentication authority attribute that indicates it's a password server user so at that point the the server conducts authentication sort of a pass-through authentication against the password server from the perspective of the client none of this is really important but that's that's the sequence of steps so once that password server authentication from the the service happens then you have access to the service okay so what is Kerberos how many people here know about Kerberos are familiar with it okay everybody almost but I'll go through this anyway for those of you who are new to Kerberos because it's important so Kerberos is the secure network authentication protocol it doesn't deal with authorization which we talked about before but it's for authentication it was developed at MIT in the 1980s and there's actually a couple of versions in use there's Kerberos before which was the initial version and that has some some issues some security issues and and and problems with it so Kerberos v5 was the solution to the various issues with kerberos before and that's really what Apple is encouraging everyone to go with v4 is primarily around for legacy deployments and in most cases anything that's using before it's also using be five so they just have a few applications that are still on before and they the rest of the stuff runs on v5 so when you set up an open directory master for example we're just setting up Kerberos 35 and we're doing everything with kerberos e5 there's implementations available on various platforms throughout the industry so it's not just it's not just one vendor it's a standard which is important and it provides solutions to those three problems that I talked about earlier it proves the user's identity to the server securely it also proves the server's identity to the to the client and it provides what we call single sign-on so a single password dialog when you log in at the beginning of the day can unlock everything for that that entire day's session anything that's using kerberos can take advantage of that and still be secure not not just replaying the password constantly to get that feature so given all of these strengths Apple is adopting Kerberos throughout mac OS 10 so i know a lot of this is review for you for most of you can know about Kerberos but I'll just go through it quickly some definitions so a realm is a Kerberos namespace sort of the Kerberos version of a domain or a note or whatever you want to call it and generally these are always DNS stay up dns style names and they're all uppercase then we have a principal there's actually two kinds of principles so there could be user principal or service principal these are entities in the Kerberos database so user principal corresponds to user service principal corresponds to a service you can also have a host principal for a particular machine on the network and you have either user at the realm or server-side flash hostname at the realm as the style of name there and we have the key distribution center this is the the server that provides the it's the Kerberos server so it handles all of the transactions for sending the various authentication tokens around and we have we actually call those tickets so we have a ticket as the name for an authentication token or credential and this is used instead of a password so when you first connect to the service all you handed is the ticket and then it verifies the ticket and it has an expiration date so any ticket that you get can only potentially be compromised for a finite amount of time and then it's expired and no one's going to honor it anymore the the ticket granting ticket is a special kind of ticket which is what provides single sign-on so when you first log in at the Kerberos dialogue you get a TG t and then that TGT is used to later get other tickets for various services and that can be done transparently as long as the TGT is still valid and the service ticket which I mentioned already authenticates user to a service and that's granted as long as you have a valid TGT and the service principle name provided from the client so here's another example diagram we've got the client and the KDC in the middle and then the server so first the client requests a TGT this is assuming that you're coming to the machine and you don't yet have a TGT and then the teeth the TGT is returned with a client key and the client has a TGT and then some point later the client wants to access a service it sends the TGT and a request for a service ticket to the KDC it gets back the service ticket so now it has the TGT and the service ticket at this point it can contact the server so it sends the service ticket to the server and then the server verifies that and responds allows access to the service one thing to note here is that the server actually doesn't have to contact the KDC to verify the ticket because it has a service principle which is a shared secret between the the KDC and the server so that means there's part of the ticket which is encrypted by that that service key or the service principle and then it can it can verify that it decrypts properly so with all of these great things about Kerberos you have to wonder why hasn't it caught on in you know in more than the areas that it has why is it not used everywhere there's a few barriers to Kerberos adoption and we we tried to address all of these in Panther the first one requires you to deploy a KDC so that usually meant a lot of work and it wasn't really easy to do in Panther we we ship with a full KDC it's set up by default whenever you set up an open directory master and it's it's just a matter of picking one menu item in server admin to do it and entering a username and password to set it up so it's really simple another issue with with kerberos is how do you integrate it with a directory server and that there's a lot of times that would be a site-specific decision but in Panther we've integrated all the open directory tools with it and we've we've used the authentication authority attribute and come up with a standard way of integrating Kerberos end of the directory and doing that mapping between the two another problem is a lack of integrated user account management what this means is let's say that you're deploying Kerberos and ldap together what would you do when you set that up well every time you create a record in ldap you also need a user principal to go with it but the tools that use to do that might be completely different and so it would be a kind of a difficult thing to do and you'd have to go back and forth between different tools well in answer workgroup manager automatically creates the user principle as you create user records so as long as you have open directory set up whenever you create a user it's going to get a Kerberos principal created for it another problem is the the service and host principles are kind of difficult to manage you have to have all of the servers that are in your network be registered in the KDC so that they have that shared secret for the system to work and that could be potentially a difficult thing to manage so we we compose those in Panther server configuration tools and another thing that we've done is we actually allow you to put that information encrypted into the directory and use the directory as a mechanism to distribute those service principles so you can have potentially the the directory administrator create that record and then a completely different person who is the administrator of your file server can later grab that record enter a password and their password in order to to decrypt that record and that's all they need to do to set up Kerberos on that server another problem is you'd have to do command line level configuration of the Kerberos clients or potentially make an installer package that has your config file in it to distribute out to all of your users and then you have to go through the trouble of installing that everywhere copying the file which is kind of a problem in Panther we auto configure Kerberos all we do is we just put a record in the directory and the Panther and later clients are going to look for that so if they see that that Kerberos client record they'll just generate the the edgy MIT kerberos file from it and so you can you can centrally configure how you want the clients to be using Kerberos rather than having to do it over and over again and another problem which you have is which is very important is in the traditional Kerberos set up you would have no support for legacy network authentication what I mean by legacy network authentication is the beginning I was talking about all these challenge response protocols that authentication methods they're used by various protocols and normally you'd have to have all of your network services beyond Kerberos in order to integrate well what we've done in Panther is to actually integrate Kerberos with password server so there's one password between between Kerberos and password server whenever you change one it it sinks to the other so you have access to all the great features of Kerberos as well as continue to support the legacy network of Education which it's important if you have say a remote worker that's not going to be set up for kerberos but they do have they need to have access to a file server well you you might want to just allow them to do a traditional authentication for that or if they have an older platform that they can't upgrade to be able to support Kerberos I can still do the older authentication methods so going back through the benefits again we have single sign-on which is very convenient but it's still secure we're not just replaying passwords we have mutual authentication so you can trust when you're using a curb ride service that you are getting the same server that you thought it was before and another very important thing is client and server programs are out of the business of dealing with passwords so they're just they're just passing tickets around and and all of the prompting for passwords is handled by the Kerberos framework so your applications have to care about that and at some point in the future it may not be prompting for a password or it might be a password plus something else there might be a smart card or some biometric data that's being used as long as that process gets a TGT everything after that it's Kerber eyes will pick up that new non password based authentication for free so we really want to get everything on the Kerberos so we have this kind of flexibility to to expand in that area as i said before Kerberos is secure and it's cross-platform so some more features that we have in Panther once we had Kerberos and password server to really make this something useful to deploy we added secure multi-master replication support so what that means is you can have a bunch of machines all with the same password data and you can authenticate against any one of them you can change your password against any one of them and that change will propagate throughout the system so there's no single point of failure there and the clients were also updated so that they would matically failover to whatever is available so the client you know the user won't even necessarily know that the password server they were talking to you before happens to be down at the moment that you used a different one this time there's a support for password policies so you can force people to change their password or specify how what the minimum length is and so on and that can be done globally and on a per user basis we added the pw policy command-line tool and this is just providing the same functionality that we had in worker manager and and the server admin opened directly plug in but at the command line level so you can you can take advantage of that from a script or if you're administering through ssh you can do everything you need to do and don't forget crypt is dead okay no flaws but anyway crypt is still dead and that was that was accomplished in Panther that we actually already had password server and Jaguar but in Panther we replace the local users with their crib passwords with shadow hash and then we use kerberos and password server for network users so here's a screenshot of what the global password policy looks like in server admin so there's all kinds of things you can you can set there and then we have the per user password policy which is in workgroup manager so the message we want you to get here is that Apple is providing a complete solution we have Kerberos for security mutual authentication and single sign-on support password server supports your legacy your legacy needs all of this is done with replication and client-side failover we've got the administration tools both at the GUI level and command line and we're doing a lot of auto configuration for you so that it's really easy to add a system to use kerberos ooh you you get the Kerberos for free as long as you can connect to the ldap server so whatever you need to do to get ldap is all you need to use kerberos which if using DHCP is might be nothing at all so this point I'd like to bring up blue and Wallace to talk about our changes in tiger thanks Jason I like to talk about what we've done with medication and Tiger here first thing we've done is as many people have said before added password server support are actually added intel MV 2 supports password server we've added some password policy enforcement between the password server and the KDC added span ago for Active Directory support with smv and also with it's a pain and we've added some new Kerberos services so we're continuing upon our hour drive to curb eyes the entire OS so every open directory server has a however every password server has a Kerberos principal on that and it's used to sync up password changes between both the KDC and the password server and we've added for tiger we've added password policies in the password server are now honored by the KDC as our password and account expirations some of the new services we've got until start with the old services existing services asp ftp the mail troika there and ssh and login window or the old ones we've gotten Panther we've added ldap a espen a go for the web both client and server side and the smv stuff too for tiger I'd like to talk just give a quick overview of what kind of command line tools we have for kerberos now starting out these are the things that our single sign-on solutions are built on the mi T's got the oak adnan k db5 Yuto and Katie you tell of the Apple we've got flap config SSO you till on a bunch of others there they've all got man pages they're all at least reasonably intelligible I think started they are the MIT tools k admin is used to deal with surfer principles and user principles and policies k db5 util looks at the Kerberos database just as a database dumping it restoring it things like that Katie util manages the key tabs that you need on non servers and that there are other tools like can it k list k destroy those are user level things to be able to manage your ticket cash and stuff from the command line the Apple tools slab config was sort of the high level front end of it all it works with setting up the open directory setting up the KDC and doing a bunch of other things a lot of good stuff is in the slab config log if you are having trouble with things slap config log is one of the first places to look cydia it's one Kerberos auto config this is the this is the command line tool which is run whenever the search policy changes on the clients and that provides our client auto config stuff that's where it writes the edge of MIT dr. burroughs file out KDC setup creates the Kerberos client records in the directory and sets up the KDC curb service set up sets up the curb ride services and SSO you tell another high-level pool and it allows you to do a lot of things and configuring servers this way and also generating the stored config that Jason was alluding to earlier to allow the network administrator to delegate to delegate the responsibility of curb rising a specific server to a server admin rather than having to do it all I want all on themselves setting it up we prefer you to use the buoy to set up Kerberos just selecting the open directory master from the pop-up menu you can also use command line tools the folks at AFP 548 you know you're out there someplace have done an excellent job there's nothing I can add to what you've said you can do it by hand looking at the instructions from the Kerberos admin guide a little bit painful that's why we're doing all of this and when you want to integrate it into an existing Kerberos set up there are some things that you can do to an existing ldap server now adding the Kerberos client record to be able to get some of the benefits of our single sign-on stuffs and add the cripples client record that all your Panther clients will automatically configure for kerberos create Kerberos off authorities for your users and they'll all get T GTS on login setting up a Kerberos server you know you've got just one network admin one person who knows the master password for the day that the KDC database and such and lots of servers it's a real pain text you if you have to go out go out to each server and set it up manually so we've done is allowed the network administrator to delegate part of that set up to you network administrator's got to create a computer record and then attaches a Kerberos record and drew that our secure config record we call it and that contains the keytab file a list of authorized users and some other stuff and it's encrypted all to the set of it to set of admins to the dog that you've delegated to the delegated admin then grabs that record and decrypts it and then that installs the keytab file and kerberos could rise of the services this will also work now with active directory and so the just as an example of some of the things that we have in the directory right now KDC setups is the thing that creates the Kerberos client in Kerberos KDC records curbless planet record-- is again used for client setup whereas the Kerberos KDC record is used when you are replicating setting up replicated k DC's kerberos auto config pulls that data out of the Kerberos client record and puts it on here onto your jazz there then the SSO you tell is used to create the secure config records that or the SSO utility rate config command creates a config secure config records for the which allowed the network administrator to delegate to the to the server administrator and then SSO util use config takes that same configuration and then installs it in a server and crib Reisman server the Kerberos client record I don't know if everyone can see see that is a pretty straightforward XML translation of the edges of MIT kerberos file who need to edit this by hand it's not all that difficult you add you know domain realm mappings the various defaults realms and they're all of the other major tags in the edge at imaginate the kerberos file are supported and will be you know read out just fine the Kerberos KDC record is since we don't edit this at all it's just a more literal translation of the KDC comp record that you find down next to the Kerberos Kerberos database stuff and another useful useful record type or actually the property I think isn't it an attribute type Kerberos off authority it's used by login window to determine whether or not this user's carburized and that helps it get the TGT and also when you changing the password through system prefs it looks like this standard starts with the khoros-5 and there's some optional fields to do it the principal named realm name is not optional in the realm keys optional at minimum we want to see Kerberos five and then the realm and from that our code can figure out that the users principal name is going to be used the short name at the first short name at the realm name ideally we would like to see the actual use of principle in that authority and it'd be a good idea if you're creating these on your own to add the principal name as an additional short name I love make some things easier in the future like talk now about using Kerberos and your apps well things you need for kerberos development are of course a KDC in this case we would like to use my kitties Mac os10 server Mac os10 client your server processes and your new client processes like to talk about what you need to do when you have an existing protocol you know if you're writing a new new ftp client say or a new mail client you need to need to think about this charting some nuke if you're writing a completely new protocol now there are some other things need to think about and they're just stuff you need to decide I'd like to give you a demo of how are not a demo but a an explanation of how you use GSS generic security services API to do a kerberos authentication and then talk about things but you no longer need to worry about once you've curb erised your authentication so if you've got an existing protocols if it's http-based use what we've gotten foundation and CF network some of that's automatically done for you you'll automatically be in Aspen eggo support without what I'm going to do anything at all I recall if not then use look into sasal as a good RFC on it and it's and it's now fairly widely supported for other protocols ftp pop IMAP SSH there's all RFC's and standards on how you are supposed to do those things don't invent anything you don't have to it's not worth the trouble for new protocol yeah again if you're http-based UCF network you'll get that you'll get what you need for free use salsa with the GSS mechanisms if HTTP doesn't work for you if you need to roll your own use use the gssapi s they make things very easy and if that's not if that wind up being too limiting go with the curb 5 api's there and that so one of the things you need to decide when if you're creating a new a new protocol need to decide on the surface type here it's this in this case it's it's webcam and the rest of that is the just the service principal name then you need to find a way for the clients to construct the principal name it needs you know it can either get it implicitly from the dns address of the server like in the way ftp or ssh does now that leaves you dependent upon dns which can be either be a good thing or a bad thing or you can do it explicitly getting it from a secure source such as the such as the directory and that's typically a little bit more friendly but there's more infrastructure required you've got actually work at things so here's a simple kerberos authentication using GSS and this is after the users gotten their TGT so the first thing first things first the client needs to needs to figure out what the service principal is and then it calls calls GSS import name on that after that calls GSS and hits security context that goes and talks to the KDC asks for a service ticket service ticket comes back the client then sends that service ticket off to the server server calls GSS except security context and that pulls the pulls the server's key out of the keytab file server returns the GSS token and so at this at this point the client the server have both been authenticated to one another note that the server's only had to make one one call on the clients they had to make three calls out because of it the token has passed back into GSS and its security context server then needs to do some do an additional step of authorization the authorization that would be checking the client principle against an ACL or something like that and checking to see the D service principle that was veggie sent was indeed the surface principle of the server you actually are talking to and then to get an encrypted data stream between the two between the client of the server you can use the GSS or a pin GSS unwrapped commands GSS rapid crypt GSS unwrapped decrypt pretty much just that simple so in review here on the client side you call GSS import name just and GSS and its security context on the server side you accept that context and then on the client side you pass that the token that comes back into GSS in its security context you can actually go around this loop several times if there's a if there's an authentication mechanism that actually needs it Kerberos does not at this point oh then you then the server side needs to check this out check the authorization against an ACL or what have you and then GSS wrap and unwrap to provide your ok to provide your encrypted data transfer so that's pretty much all there is for gssapi and we've got sample code it will be available for download and it shows exactly how to do this stuff and this at it's rather simple so very number of things that you no longer need to worry about Jason alluded to some of them earlier you're out of the business is caring about the password the user doesn't have the TGT the library will prompt for it if new off methods are available those will be taken care of before you before you and you get called don't have to worry about tickets expiring the expiring tickets are handled by the library if you're worried about single points of failure and you've set up your note as an app developer you don't need to worry that there's that there may be only one KDC that's all taken care of in the in the infrastructure there the open Kerberos does failover very well and open directory does replication very well and that's pretty in summary apples investing heavily in Kerberos this is this is the way we're going we ship the MIT KDC in Kerberos client we are committed to keeping that open not taking anything proprietary here if you're writing a new authentication method talk to the Kerberos folks work work with it through there through that community get it put into Kerberos and then everybody will be able to take advantage of it any otton as a quiet developer any new off methods that are available you get for free because you've Kerber eyes and kerberos is and Apple's future in yours fit that's what we're doing so we've got some very good things there on more information on Kerberos one formation and kerberos protocols and there's the URL for the FP 548 set that is a information