Cross cell AFS authentication using Kerberos 5


Published on November 2, 2007

Author: Wanderer

Source: authorstream.com

Cross cell AFS authentication using Kerberos 5
HEPiX-HEPNT, Vancouver, October 21st 2003
Enrico M.V. Fasanelli

Agenda
- Why?
- Theory and practice on Kerberos5 cross realm transitive hierarchical authentication
- AFS cross cell authentication
- K5 @ INFN.IT
- Last minute tests
- Future

Once upon a time…
- Three AFS cells: pi.infn.it, infn.it, le.infn.it (1996)
- A “bad” day (1996): Transarc said: “Dear customer, forget your AFS, and look at the new DCE/DFS”
- DCE/DFS “new” features: per file ACL; transitive hierarchical cross cell authentication
- INFN DCE/DFS WG (born in 09/96): not usable (see Gomezel @ HTASC # 7)

…in the meantime…
- Transarc modifies the support policy for AFS
- Two revisions to the US export regulations (January and October 2000) made the MIT Kerberos5 code available outside the US
- The release of the AFS source code to the Open Source world (Halloween 2000) leads to the OpenAFS project

…and now
- Local AFS cells also in INFN labs (LNGS and LNF) and, in a lab, one cell for the KLOE experiment
- New AFS cell roma1.infn.it is ready to start in production
- AFS, in the INFN, is losing the original “goal” of a single distributed filesystem for transparent resource sharing among INFN sections and labs

The “needs” of MIT Kerberos 5
- The current AFS setup allows “restricted” file sharing (ACL) only between users belonging to the same cell => we need AFS cross cell authentication
- Cross cell AFS authentication using Kerberos IV is de facto prohibited after MITKRB5-SA-2003-004 (March 17th) => we need Kerberos5
- OpenAFS is moving toward the Kerberos5 rxkad2d protocol
- MIT Kerberos5 provides support for AFS authentication: fakeka is now included in the Kerberos5 1.3 distribution
- Windows 2000/XP works with MIT KDCs

K5 cross realm trust relationships
- Any principal in one REALM is authenticated against any other principal in the other realm
- Resource access (and then sharing) is “transparent”
(diagram: REALM A and REALM B linked by the cross-realm principal krbtgt/REALM.B@REALM.A)
(diagram: principal user@REALM.A in REALM A runs "telnet -a server.realm.B" against a server in REALM.B)

K5 cross realm transitive trust relationships
- Trust relationship IS transitive
- Hierarchical (set up by default in an automatic way within the same domain)
- Via [CAPATH] Kerberos5 configuration

AFS cross cell authentication
- First define the appropriate PTS entries in each cell
- Use kinit to obtain your Kerberos5 TGT
- aklog: obtain the AFS token using the K5 TGT
- aklog <externalcell>: create an entry in the PTS database of externalcell (if not already there) and obtain an AFS token belonging to externalcell
(diagram: AFS cell cell.A holds system:authuser@cell.B and user@cell.B, "AFS id 4 for afs@cell.B"; AFS cell cell.B holds system:authuser@cell.A and user@cell.A, "AFS id 4 for afs@cell.A")

Practice
- Preliminary tests in April 2003
- RedHat 7.3/8.0, MIT Kerberos5 1.2.7, OpenAFS 1.2.8
- Configured 5 REALMs and corresponding AFS cells: [le. cnaf. pi. lnf.]krb5test.infn.it
- Defined bi-directional trusts between the Top Level REALM and any other below

It works!
(diagram: krb5test.infn.it with the child realms LE.krb5test.infn.it, LNF.krb5test.infn.it, CNAF.krb5test.infn.it, PI.krb5test.infn.it)

K5 @ INFN.IT
- Pilot (and then production) for an INFN.IT WAN Kerberos5 REALM, to be used at least for cross cell AFS authentication
- 10 people involved in 6 INFN Sections/Labs (CNAF, LNF, LE, PI, Roma1, TS)
- Presented, discussed, approved, funded in the last meeting (2003/10/7-9) of the INFN “Commissione Calcolo e Reti” (Computing and Network Committee)
- Will start soon (we are buying the HW)

Last minute tests: environment
- Started last week (after the OK of CCR)
- Kerberos5 1.3.1 (available since July 31st 2003): includes fakeka; krb524 library missing (library functions available in libkrb5 now)
- OpenAFS 1.2.10 (available since August 5th 2003): includes Kerberos5-related executables (aklog), linked against the 1.2.7 Kerberos libraries; configuration hacking needed for pointing to the new Kerberos5 library layout
- RedHat 9: krb5-1.3.1 src.rpm available on rawhide and “tuned” on RH9

Last minute tests: results
- As of today 7:00 PM GMT+1 (10:00 AM local time)
- Three new Kerberos5 REALMs and corresponding AFS cells: [LE. CNAF.]KRB5TEST.INFN.IT
- LE and CNAF Kerberos REALMs are cross authenticated against the parent
- AFS cross cell authentication between LE and CNAF cells established
- Everything seems to work well (even better than with the previous version)

Future
- INFN will have its INFN.IT Kerberos5 REALM spread over the WAN
- Every INFN section or lab with a local AFS cell can use it for cross-authenticating their AFS cells
- In such a Kerberized environment we could use TELNET and FTP again, in a secure way

?
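As an added example (not part of the original slides), the shell script below writes the krb5.conf stanzas that express the transitive, hierarchical trust used in the LE/CNAF test (the real section name is [capaths]) and wraps the kinit/aklog sequence for a cross-cell login. Realm and cell names are the ones on the slides; the KDC hostnames, the user principal and the PTS group behaviour of aklog are assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: krb5.conf stanzas for the KRB5TEST.INFN.IT
# hierarchy and the AFS cross-cell login sequence. Realm and cell names come
# from the slides; KDC hostnames and the user principal are assumed.

# Emit a [capaths] stanza: each child realm trusts the parent directly (".")
# and reaches every other child through the parent (transitive trust).
# Arg 1: parent realm; remaining args: child realms.
capaths_stanza() {
    parent=$1; shift
    echo "[capaths]"
    for src in "$@"; do
        echo "    $src = {"
        echo "        $parent = ."
        for dst in "$@"; do
            [ "$src" = "$dst" ] || echo "        $dst = $parent"
        done
        echo "    }"
    done
}

# Write a minimal krb5.conf (path given as arg 1) for the test hierarchy.
# Hostnames of the form kdc.<realm lowercased> are placeholders.
write_krb5_conf() {
    parent=KRB5TEST.INFN.IT
    children="LE.KRB5TEST.INFN.IT CNAF.KRB5TEST.INFN.IT"
    {
        echo "[libdefaults]"
        echo "    default_realm = LE.KRB5TEST.INFN.IT"
        echo "[realms]"
        for r in $parent $children; do
            echo "    $r = { kdc = kdc.$(echo "$r" | tr 'A-Z' 'a-z') }"
        done
        capaths_stanza $parent $children
    } > "$1"
}

# AFS side, following the slides: PTS entries first (the diagram shows the
# external cell holding a group system:authuser@<home cell>; assumed here to
# be what lets aklog register user@le.krb5test.infn.it there), then kinit
# for the home realm's TGT, then aklog for the home cell and the external cell.
cross_cell_login() {
    kinit user@LE.KRB5TEST.INFN.IT &&
    aklog le.krb5test.infn.it &&
    aklog cnaf.krb5test.infn.it &&
    tokens
}
```

Run `write_krb5_conf /tmp/krb5.conf` to inspect the generated file, then `cross_cell_login` on a host that has the OpenAFS and MIT Kerberos client tools installed.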
