WWDC2004 Session 640

Transcript

Kind: captions
Language: en
right hello welcome to inside network
authentication my name is jason Thompson
I work on open directory in various
capacities so today we're going to talk
about first giving an introduction to
what we mean by network authentication
and then go through the feature set that
we have in Panther both in password
server and kerberos just to review then
talk about all the new features we're
adding in tiger go through some of the
command line tools you might use and
also some examples of how you can use
kerberos in your applications and then
finish up with questions and answers so
what is network authentication well
authentication is proof of identity so
you can think of for example if you have
a badge where you work the when you
present that badge to a reader that's a
form of authentication because you're
proving that you are who the badge
indicates that you are because you have
possession of that badge so we need to
keep in mind that this is not the same
thing as authorization it sounds very
similar but authorization is actually
whether you can access a particular
service or not so in the case of the
badge it could be that I have an apple
batch but I still don't have access to
the super-secret hardware lab where all
the new prototypes are because I'm just
a lowly software engineer so I have I
can successfully authenticate but I'm
not authorized for a particular services
another thing once we think about this
on the network the first thing you may
think of doing is just sending the
username and password that the user
types in into your dialogue directly
across the network but that's kind of a
bad idea because you can't trust the
network in general there could be you
know the server that you're connecting
to may not be what you think it is there
could be someone interposing between you
and the actual service that you're using
or you know just using TCP dump to sniff
your network traffic since we TC good
TCP dump is part of every
Mac os10 machine so and there's a they
could have a hardware sniffer on the
network so you have to assume that the
network is insecure and there's there's
three main problems that we want to
solve with network authentication first
of all we need to prove the user's
identity to the service securely and
then we also need to prove the server's
identity to the user that goes back to
what I was talking about where you're
not sure if the server that you're
connecting to is what you think it is so
if you have some way independent of the
network stack to prove to the client
what it is that gives you a lot more
confidence and using that service and
finally when you're when you're dealing
with network authentication you want to
avoid asking the user to enter their
password over and over and over again
but also you don't want to necessarily
always store it somewhere because that
could be insecure so we need a better
solution to that so the next step beyond
just sending the password in the clear
would be to do a challenge-response
authentication so the sequence goes
something like this here we have a
client and a server and first the client
could send the user name to the server
server would respond with a random
challenge and finally the client sends
back a response the response is a
function of the challenge and the
password and it could also incorporate
the user name maybe other information
the other thing to keep in mind here is
actually in some authentication methods
the challenge is actually sent before
the username so depending upon what off
method we're talking about it might be a
little different but that's the basic
idea and Apple has something called
password server which we had in in Mac
OS 10 server since 10.2 and that is our
solution for challenge response
authentication it supports a wide
variety of authentication methods it's
based on the simple authentication and
security layer or sasal
which developed by Carnegie Mellon which
is a library that allows you to abstract
these various challenge-response
authentication methods and provides a
lot of code to do that and make it
easier it's also a standard for various
network protocols password server also
has a secure way of changing your
password so even though you're doing
that over the network that's happening
through an encrypted channel and you
don't have to worry about your password
being picked up by an attacker when
you're changing it and the final point
here we call the password server the
roach motel of passwords so passwords
check in but they don't check out
there's no way to using that password
server protocol to harvest the passwords
back all you can do is do an
authentication through some secure
challenge-response authentication method
or change the password or set various
options so the authentication methods I
was talking about here here's some
examples we have md5 digest cram md5 NT
land manager and so on you may have seen
these before but depending upon which
service you're talking about there may
be one or two off methods that are
typically used by that service and these
sort of came up over the years so we
just put all of them into password
server so all these things are supported
and passwords server and we can work
with a single password across all these
services on mac OS x server so let's
look at an example password server
authentication the sequence that we
would go through you have a four
machines here there's the client the
panthers server directory server and a
password server and in some cases maybe
the directory server and the password
server might be the same machine that's
the typical configuration but it could
be different so for purposes of this
illustration we're going to keep them
separate so first the clients going to
contact the service and send the various
information about what user they're
doing and potentially the response to
the challenge and so on
then once that the server has the user
name it's going to oh wait okay the
arrows going the wrong way so the the
server looks like the user record in the
directory server and then get the
response back so it finds the the user
record and the user record will have an
authentication authority attribute that
indicates it's a password server user so
at that point the the server conducts
authentication sort of a pass-through
authentication against the password
server from the perspective of the
client none of this is really important
but that's that's the sequence of steps
so once that password server
authentication from the the service
happens then you have access to the
service okay so what is Kerberos how
many people here know about Kerberos are
familiar with it okay everybody almost
but I'll go through this anyway for
those of you who are new to Kerberos
because it's important so Kerberos is
the secure network authentication
protocol it doesn't deal with
authorization which we talked about
before but it's for authentication it
was developed at MIT in the 1980s and
there's actually a couple of versions in
use there's Kerberos before which was
the initial version and that has some
some issues some security issues and and
and problems with it so Kerberos v5 was
the solution to the various issues with
kerberos before and that's really what
Apple is encouraging everyone to go with
v4 is primarily around for legacy
deployments and in most cases anything
that's using before it's also using be
five so they just have a few
applications that are still on before
and they the rest of the stuff runs on
v5 so when you set up an open directory
master for example we're just setting up
Kerberos 35 and we're doing everything
with kerberos e5 there's implementations
available on various platforms
throughout the industry so it's not just
it's not just one vendor it's a standard
which is important and it provides
solutions to those three problems that I
talked about earlier it proves the
user's identity to the server securely
it also proves the server's identity to
the to the client and it provides what
we call single sign-on so a single
password dialog when you log in at the
beginning of the day can unlock
everything for that that entire day's
session anything that's using kerberos
can take advantage of that and still be
secure not not just replaying the
password constantly to get that feature
so given all of these strengths Apple is
adopting Kerberos throughout mac OS 10
so i know a lot of this is review for
you for most of you can know about
Kerberos but I'll just go through it
quickly some definitions so a realm is a
Kerberos namespace sort of the Kerberos
version of a domain or a note or
whatever you want to call it and
generally these are always DNS stay up
dns style names and they're all
uppercase then we have a principal
there's actually two kinds of principles
so there could be user principal or
service principal these are entities in
the Kerberos database so user principal
corresponds to user service principal
corresponds to a service you can also
have a host principal for a particular
machine on the network and you have
either user at the realm or server-side
flash hostname at the realm as the style
of name there and we have the key
distribution center this is the the
server that provides the it's the
Kerberos server so it handles all of the
transactions for sending the various
authentication tokens around and we have
we actually call those tickets so we
have a ticket as the name for an
authentication token or credential and
this is used instead of a password so
when you first
connect to the service all you handed is
the ticket and then it verifies the
ticket and it has an expiration date so
any ticket that you get can only
potentially be compromised for a finite
amount of time and then it's expired and
no one's going to honor it anymore the
the ticket granting ticket is a special
kind of ticket which is what provides
single sign-on so when you first log in
at the Kerberos dialogue you get a TG t
and then that TGT is used to later get
other tickets for various services and
that can be done transparently as long
as the TGT is still valid and the
service ticket which I mentioned already
authenticates user to a service and
that's granted as long as you have a
valid TGT and the service principle name
provided from the client so here's
another example diagram we've got the
client and the KDC in the middle and
then the server so first the client
requests a TGT this is assuming that
you're coming to the machine and you
don't yet have a TGT and then the teeth
the TGT is returned with a client key
and the client has a TGT and then some
point later the client wants to access a
service it sends the TGT and a request
for a service ticket to the KDC it gets
back the service ticket so now it has
the TGT and the service ticket at this
point it can contact the server so it
sends the service ticket to the server
and then the server verifies that and
responds allows access to the service
one thing to note here is that the
server actually doesn't have to contact
the KDC to verify the ticket because it
has a service principle which is a
shared secret between the the KDC and
the server so that means there's part of
the ticket which is encrypted by that
that service key or the service
principle and then it can it can verify
that it decrypts properly
so with all of these great things about
Kerberos you have to wonder why hasn't
it caught on in you know in more than
the areas that it has why is it not used
everywhere there's a few barriers to
Kerberos adoption and we we tried to
address all of these in Panther the
first one requires you to deploy a KDC
so that usually meant a lot of work and
it wasn't really easy to do in Panther
we we ship with a full KDC it's set up
by default whenever you set up an open
directory master and it's it's just a
matter of picking one menu item in
server admin to do it and entering a
username and password to set it up so
it's really simple another issue with
with kerberos is how do you integrate it
with a directory server and that there's
a lot of times that would be a
site-specific decision but in Panther
we've integrated all the open directory
tools with it and we've we've used the
authentication authority attribute and
come up with a standard way of
integrating Kerberos end of the
directory and doing that mapping between
the two another problem is a lack of
integrated user account management what
this means is let's say that you're
deploying Kerberos and ldap together
what would you do when you set that up
well every time you create a record in
ldap you also need a user principal to
go with it but the tools that use to do
that might be completely different and
so it would be a kind of a difficult
thing to do and you'd have to go back
and forth between different tools well
in answer workgroup manager
automatically creates the user principle
as you create user records so as long as
you have open directory set up whenever
you create a user it's going to get a
Kerberos principal created for it
another problem is the the service and
host principles are kind of difficult to
manage you have to have all of the
servers that are in your network be
registered in the KDC so that they have
that shared secret
for the system to work and that could be
potentially a difficult thing to manage
so we we compose those in Panther server
configuration tools and another thing
that we've done is we actually allow you
to put that information encrypted into
the directory and use the directory as a
mechanism to distribute those service
principles so you can have potentially
the the directory administrator create
that record and then a completely
different person who is the
administrator of your file server can
later grab that record enter a password
and their password in order to to
decrypt that record and that's all they
need to do to set up Kerberos on that
server another problem is you'd have to
do command line level configuration of
the Kerberos clients or potentially make
an installer package that has your
config file in it to distribute out to
all of your users and then you have to
go through the trouble of installing
that everywhere copying the file which
is kind of a problem in Panther we auto
configure Kerberos all we do is we just
put a record in the directory and the
Panther and later clients are going to
look for that so if they see that that
Kerberos client record they'll just
generate the the edgy MIT kerberos file
from it and so you can you can centrally
configure how you want the clients to be
using Kerberos rather than having to do
it over and over again and another
problem which you have is which is very
important is in the traditional Kerberos
set up you would have no support for
legacy network authentication what I
mean by legacy network authentication is
the beginning I was talking about all
these challenge response protocols that
authentication methods they're used by
various protocols and normally you'd
have to have all of your network
services beyond Kerberos in order to
integrate well what we've done in
Panther is to actually integrate
Kerberos with password server so there's
one password between between Kerberos
and password server whenever you change
one it it sinks to the other so you have
access to all the
great features of Kerberos as well as
continue to support the legacy network
of Education which it's important if you
have say a remote worker that's not
going to be set up for kerberos but they
do have they need to have access to a
file server well you you might want to
just allow them to do a traditional
authentication for that or if they have
an older platform that they can't
upgrade to be able to support Kerberos I
can still do the older authentication
methods so going back through the
benefits again we have single sign-on
which is very convenient but it's still
secure we're not just replaying
passwords we have mutual authentication
so you can trust when you're using a
curb ride service that you are getting
the same server that you thought it was
before and another very important thing
is client and server programs are out of
the business of dealing with passwords
so they're just they're just passing
tickets around and and all of the
prompting for passwords is handled by
the Kerberos framework so your
applications have to care about that and
at some point in the future it may not
be prompting for a password or it might
be a password plus something else there
might be a smart card or some biometric
data that's being used as long as that
process gets a TGT everything after that
it's Kerber eyes will pick up that new
non password based authentication for
free so we really want to get everything
on the Kerberos so we have this kind of
flexibility to to expand in that area as
i said before Kerberos is secure and
it's cross-platform so some more
features that we have in Panther once we
had Kerberos and password server to
really make this something useful to
deploy we added secure multi-master
replication support so what that means
is you can have a bunch of machines all
with the same password data and you can
authenticate against any one of them you
can change your password against any one
of them and that change will propagate
throughout the system so there's no
single point of failure there and the
clients were also updated so that they
would
matically failover to whatever is
available so the client you know the
user won't even necessarily know that
the password server they were talking to
you before happens to be down at the
moment that you used a different one
this time there's a support for password
policies so you can force people to
change their password or specify how
what the minimum length is and so on and
that can be done globally and on a per
user basis we added the pw policy
command-line tool and this is just
providing the same functionality that we
had in worker manager and and the server
admin opened directly plug in but at the
command line level so you can you can
take advantage of that from a script or
if you're administering through ssh you
can do everything you need to do and
don't forget crypt is dead okay no flaws
but anyway crypt is still dead and that
was that was accomplished in Panther
that we actually already had password
server and Jaguar but in Panther we
replace the local users with their crib
passwords with shadow hash and then we
use kerberos and password server for
network users so here's a screenshot of
what the global password policy looks
like in server admin so there's all
kinds of things you can you can set
there and then we have the per user
password policy which is in workgroup
manager so the message we want you to
get here is that Apple is providing a
complete solution we have Kerberos for
security mutual authentication and
single sign-on support password server
supports your legacy your legacy needs
all of this is done with replication and
client-side failover we've got the
administration tools both at the GUI
level and command line and we're doing a
lot of auto configuration for you so
that it's really easy to add a system to
use kerberos ooh you you get the
Kerberos for free as long as you can
connect to the ldap server so whatever
you need to do to get ldap is all you
need to use kerberos which if using DHCP
is might be nothing at all so this point
I'd like to bring up blue and Wallace to
talk about our changes in tiger
thanks Jason I like to talk about what
we've done with medication and Tiger
here first thing we've done is as many
people have said before added password
server support are actually added intel
MV 2 supports password server we've
added some password policy enforcement
between the password server and the KDC
added span ago for Active Directory
support with smv and also with it's a
pain and we've added some new Kerberos
services so we're continuing upon our
hour drive to curb eyes the entire OS so
every open directory server has a
however every password server has a
Kerberos principal on that and it's used
to sync up password changes between both
the KDC and the password server and
we've added for tiger we've added
password policies in the password server
are now honored by the KDC as our
password and account expirations some of
the new services we've got until start
with the old services existing services
asp ftp the mail troika there and ssh
and login window or the old ones we've
gotten Panther we've added ldap a espen
a go for the web both client and server
side and the smv stuff too for tiger I'd
like to talk just give a quick overview
of what kind of command line tools we
have for kerberos now starting out these
are the things that our single sign-on
solutions are built on the mi T's got
the oak adnan k db5 Yuto and Katie you
tell of the Apple we've got flap config
SSO you till on a bunch of others there
they've all got man pages they're all at
least reasonably intelligible I think
started
they are the MIT tools k admin is used
to deal with surfer principles and user
principles and policies k db5 util looks
at the Kerberos database just as a
database dumping it restoring it things
like that Katie util manages the key
tabs that you need on non servers and
that there are other tools like can it k
list k destroy those are user level
things to be able to manage your ticket
cash and stuff from the command line the
Apple tools slab config was sort of the
high level front end of it all it works
with setting up the open directory
setting up the KDC and doing a bunch of
other things a lot of good stuff is in
the slab config log if you are having
trouble with things slap config log is
one of the first places to look cydia
it's one Kerberos auto config this is
the this is the command line tool which
is run whenever the search policy
changes on the clients and that provides
our client auto config stuff that's
where it writes the edge of MIT dr.
burroughs file out KDC setup creates the
Kerberos client records in the directory
and sets up the KDC curb service set up
sets up the curb ride services and SSO
you tell another high-level pool and it
allows you to do a lot of things and
configuring servers this way and also
generating the stored config that Jason
was alluding to earlier to allow the
network administrator to delegate to
delegate the responsibility of curb
rising a specific server to a server
admin rather than having to do it all I
want all on themselves setting it up we
prefer you to use the buoy to set up
Kerberos just selecting the open
directory master from the pop-up menu
you can also use command line tools the
folks at AFP 548 you know you're out
there someplace have done an excellent
job there's nothing I can add to what
you've said
you can do it by hand looking at the
instructions from the Kerberos admin
guide a little bit painful that's why
we're doing all of this and when you
want to integrate it into an existing
Kerberos set up there are some things
that you can do to an existing ldap
server now adding the Kerberos client
record to be able to get some of the
benefits of our single sign-on stuffs
and add the cripples client record that
all your Panther clients will
automatically configure for kerberos
create Kerberos off authorities for your
users and they'll all get T GTS on login
setting up a Kerberos server you know
you've got just one network admin one
person who knows the master password for
the day that the KDC database and such
and lots of servers it's a real pain
text you if you have to go out go out to
each server and set it up manually so
we've done is allowed the network
administrator to delegate part of that
set up to you network administrator's
got to create a computer record and then
attaches a Kerberos record and drew that
our secure config record we call it and
that contains the keytab file a list of
authorized users and some other stuff
and it's encrypted all to the set of it
to set of admins to the dog that you've
delegated to the delegated admin then
grabs that record and decrypts it and
then that installs the keytab file and
kerberos could rise of the services this
will also work now with active directory
and so the just as an example of some of
the things that we have in the directory
right now KDC setups is the thing that
creates the Kerberos client in Kerberos
KDC records curbless planet record-- is
again used for client setup whereas the
Kerberos KDC record is used when you are
replicating
setting up replicated k DC's kerberos
auto config pulls that data out of the
Kerberos client record and puts it on
here onto your jazz there then the SSO
you tell is used to create the secure
config records that or the SSO utility
rate config command creates a config
secure config records for the which
allowed the network administrator to
delegate to the to the server
administrator and then SSO util use
config takes that same configuration and
then installs it in a server and crib
Reisman server the Kerberos client
record I don't know if everyone can see
see that is a pretty straightforward XML
translation of the edges of MIT kerberos
file who need to edit this by hand it's
not all that difficult you add you know
domain realm mappings the various
defaults realms and they're all of the
other major tags in the edge at
imaginate the kerberos file are
supported and will be you know read out
just fine the Kerberos KDC record is
since we don't edit this at all it's
just a more literal translation of the
KDC comp record that you find down next
to the Kerberos Kerberos database stuff
and another useful useful record type or
actually the property I think isn't it
an attribute type Kerberos off authority
it's used by login window to determine
whether or not this user's carburized
and that helps it get the TGT and also
when you changing the password through
system prefs it looks like this standard
starts with the khoros-5 and there's
some optional fields to do it the
principal named realm name is not
optional in the realm keys optional at
minimum we want to see Kerberos five and
then the realm and from that
our code can figure out that the users
principal name is going to be used the
short name at the first short name at
the realm name ideally we would like to
see the actual use of principle in that
authority and it'd be a good idea if
you're creating these on your own to add
the principal name as an additional
short name I love make some things
easier in the future like talk now about
using Kerberos and your apps well things
you need for kerberos development are of
course a KDC in this case we would like
to use my kitties Mac os10 server Mac
os10 client your server processes and
your new client processes like to talk
about what you need to do when you have
an existing protocol you know if you're
writing a new new ftp client say or a
new mail client you need to need to
think about this charting some nuke if
you're writing a completely new protocol
now there are some other things need to
think about and they're just stuff you
need to decide I'd like to give you a
demo of how are not a demo but a an
explanation of how you use GSS generic
security services API to do a kerberos
authentication and then talk about
things but you no longer need to worry
about once you've curb erised your
authentication so if you've got an
existing protocols if it's http-based
use what we've gotten foundation and CF
network some of that's automatically
done for you you'll automatically be in
Aspen eggo support without what I'm
going to do anything at all I recall if
not then use look into sasal as a good
RFC on it and it's and it's now fairly
widely supported for other protocols ftp
pop IMAP SSH there's all RFC's and
standards on how you are supposed to do
those things don't invent anything you
don't have to it's not worth the trouble
for new protocol yeah again if you're
http-based UCF network you'll get that
you'll get what you need for free use
salsa with the GSS mechanisms if HTTP
doesn't work for you if you need to roll
your own use use the gssapi s they make
things very easy and if that's not if
that wind up being too limiting go with
the curb 5 api's there and that so one
of the things you need to decide when if
you're creating a new a new protocol
need to decide on the surface type here
it's this in this case it's it's webcam
and the rest of that is the just the
service principal name then you need to
find a way for the clients to construct
the principal name it needs you know it
can either get it implicitly from the
dns address of the server like in the
way ftp or ssh does now that leaves you
dependent upon dns which can be either
be a good thing or a bad thing or you
can do it explicitly getting it from a
secure source such as the such as the
directory and that's typically a little
bit more friendly but there's more
infrastructure required you've got
actually work at things so here's a
simple kerberos authentication using GSS
and this is after the users gotten their
TGT so the first thing first things
first the client needs to needs to
figure out what the service principal is
and then it calls calls GSS import name
on that after that calls GSS and hits
security context that goes and talks to
the KDC asks for a service ticket
service ticket comes back the client
then sends that service ticket off to
the server server calls GSS except
security context and that pulls the
pulls the server's key out of the keytab
file server returns the GSS token and so
at this at this point the client the
server have both been authenticated to
one another note that the server's only
had to make one one call on the clients
they had to make three calls out because
of it the token has passed back into GSS
and its security context server then
needs to do some do an additional step
of authorization the authorization that
would be checking the client principle
against an ACL or something like that
and checking to see the D service
principle that was veggie sent was
indeed the surface principle of the
server you actually are talking to and
then to get an encrypted data stream
between the two between the client of
the server you can use the GSS or a pin
GSS unwrapped commands GSS rapid crypt
GSS unwrapped decrypt pretty much just
that simple so in review here on the
client side you call GSS import name
just and GSS and its security context on
the server side you accept that context
and then on the client side you pass
that the token that comes back into GSS
in its security context you can actually
go around this loop several times if
there's a if there's an authentication
mechanism that actually needs it
Kerberos does not at this point oh then
you then the server side needs to check
this out check the authorization against
an ACL or what have you and then GSS
wrap and unwrap to provide your ok to
provide your encrypted data transfer so
that's pretty much all there is for
gssapi and we've got sample code it will
be available for download and it shows
exactly how to do this stuff and this at
it's rather simple so very number of
things that you no longer need to worry
about Jason alluded to some of them
earlier you're out of the business is
caring about the password the user
doesn't have the TGT the library will
prompt for it if new off methods are
available those will be taken care of
before you before you and you get called
don't have to worry about tickets
expiring the expiring tickets are
handled by the library
if you're worried about single points of
failure and you've set up your note as
an app developer you don't need to worry
that there's that there may be only one
KDC that's all taken care of in the in
the infrastructure there the open
Kerberos does failover very well and
open directory does replication very
well and that's pretty in summary apples
investing heavily in Kerberos this is
this is the way we're going we ship the
MIT KDC in Kerberos client we are
committed to keeping that open not
taking anything proprietary here if
you're writing a new authentication
method talk to the Kerberos folks work
work with it through there through that
community get it put into Kerberos and
then everybody will be able to take
advantage of it any otton as a quiet
developer any new off methods that are
available you get for free because
you've Kerber eyes and kerberos is and
Apple's future in yours fit that's what
we're doing so we've got some very good
things there on more information on
Kerberos one formation and kerberos
protocols and there's the URL for the FP
548 set that is a information