Mar 31, 2015

Page 1:

> Nicolas FISCHBACH Senior IP&Security Engineer - Professional Services Team [email protected] - http://www.securite.org/nico/

> Sébastien LACOSTE-SERIS Security Officer - IP Research & Development Manager [email protected] - http://www.securite.org/kaneda/

version 1.2

Kerberos in an ISP environment
UNIX/Win2K/Cisco

Page 2:

Agenda

Kerberos
> Introduction: why did we choose Kerberos?
> Protocol and Exchanges
> Attacks

Deployment
> UNIX
> Cisco Routers and Switches
> Win2K

Q&A

© 2001 Sécurité.Org

Page 3:

What is Kerberos ?

Kerberos is a network authentication protocol/system

Uses time synchronization to:
> limit the use of the keys
> help in detecting replay attacks

Mutual authentication

Uses DES, 3DES and shared keys

Trusted third party

Page 4:

What is Kerberos not ?

Kerberos does not provide authorization, only authentication

Kerberos does not provide data encryption

Page 5:

Why use Kerberos ?

Secure authentication (cryptography)

No password transmission

Single Sign On
> SSO is bad for security (Bruce Schneier)

Centralized authentication management

IETF Standard (RFC 1510)

Page 6:

Kerberos vocabulary (1)

KDC : Key Distribution Center. Holds a database of clients and servers (called principals) and their private keys

principal: three-tuple <primary name, instance, realm>
> user: login/group@REALM
> service: service/host.fqdn@REALM

primary : username or service name

instance : “qualifies” the primary (role)

realm : authentication domain

Page 7:

Kerberos vocabulary (2)

keytab : file containing one or more keys (for hosts or services). Also known as SRVTAB (Cisco).

client : an entity that can obtain a ticket (user or host)

service : host, ftp, krbtgt, pop, etc.

ticket : credentials (identity of a client for a particular service)

TGT : ticket issued by the AS. Allows the client to obtain additional tickets for the same realm.

Page 8:

Key Distribution Center

Responsible for maintaining master keys for all principals and issuing Kerberos tickets

Authentication Service (AS) gives the client a session key and a Ticket Granting Ticket (TGT)

Distributes service session keys and ticket for the service via a Ticket Granting Service (TGS)

Page 9:

Realms

A Realm is an authentication domain
> one Kerberos database and a set of KDCs

Hierarchical organization (new in v5)

One or two way authentication

Cross-realm authentication
> transitive cross-realm
> direct between realms

Page 10:

Kerberos Protocol (1)

Kerberos Ticket

(figure: ticket layout)
  Domain (server realm)
  Principal Name (server)
  Encrypted part:
    Ticket Flags
    Encryption Key (session key)
    Domain (client realm)
    Principal Name (client)
    Start Time
    End Time
    Host Address
    Authorization Data

Page 11:

Kerberos Protocol (2)

Kerberos Ticket Exchanges

Ports:
> kinit: 88/udp
> kpasswd (Unix): 749/tcp
> kpasswd (Win): 464/{tcp,udp}

(figure: ticket exchanges between the User, the Key Distribution Center (Authentication Service and Ticket Granting Service) and the Network Service)

Page 12:

Kerberos Protocol (3)

Getting a Ticket Granting Ticket (1+2)

> (1) TGT Request
> (2) TGT (to be decrypted with the user’s password hash)

(figure: Client -> KDC "TGT Request (1)"; KDC -> Client "TGT (2)")

Page 13:

Kerberos Protocol (4)

Getting and using a Service Ticket (3+4+5)

> (3) ST Request (with a TGT)
> (4) ST and session key
> (5) ST for authentication

(figure: Client -> KDC "ST Request (3)"; KDC -> Client "ST and SK (4)"; Client -> Server "ST (5)")

Page 14:

NAT issues

Host address is included in the tickets (recommended)

Need to add NATed IP address in the ticket

Patch for MIT Kerberos 5.1

Create TGT without address (not recommended): kinit -A <principal>

Page 15:

Attacks against Kerberos (1)

Vulnerability in Kerberos password authentication via KDC AS spoofing (http://www.monkey.org/~dugsong/kdcspoof.tar.gz); countermeasure: use a keytab file and register principals for the service

Replay attacks: detected (client and server are time synchronized)

Exposed keys : keys have a limited lifetime but are multi-session keys

Temporary file vulnerability : run krb5-1.2.1+
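The exchanges of the two protocol slides (TGT request, service ticket request, ticket presented to the server) together with two points of this slide, replay detection through synchronized clocks and the keytab-based check against AS spoofing, as an added example that is not part of the original presentation. It is a toy model: the cipher is an HMAC-SHA256 stand-in for DES, the realm EXAMPLE.ORG, the principals, the keys, the addresses and the function names (verify_kdc models the keytab check a login program performs, not MIT's API) are all constructed here.

```python
"""Toy model of the Kerberos V exchanges on the preceding slides: (1)/(2) AS
exchange for a TGT, (3)/(4) TGS exchange for a service ticket, (5) AP exchange
with an authenticator, the time-based replay check, and the keytab check a
login program makes against KDC/AS spoofing. Added example, not the authors'
code: the cipher is a stand-in for DES (HMAC-SHA256 in counter mode,
encrypt-then-MAC); every realm, principal, key and address is constructed."""
import hashlib, hmac, json, os, time

SKEW = 300  # clock skew tolerated, seconds; client, KDC and servers are NTP-synced

def _keystream(key, nonce, n):  # HMAC-SHA256 in counter mode
    return b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                    for i in range(n // 32 + 1))[:n]

def encrypt(key, obj):  # nonce || ciphertext || tag, over a JSON-serialised dict
    nonce, pt = os.urandom(16), json.dumps(obj).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def decrypt(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("decryption failed: wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password):  # stand-in for the Kerberos string-to-key function
    return hashlib.sha256(password.encode()).digest()

def make_ticket(service_key, client, session_key, addr, lifetime):
    # client name, session key, client address and end time, sealed with the service's key
    return encrypt(service_key, {"client": client, "key": session_key.hex(),
                                 "addr": addr, "end": time.time() + lifetime})

def check_ticket(service_key, tkt, auth, addr, now):
    """Open the ticket, then the authenticator under its session key; enforce address, lifetime, skew."""
    t = decrypt(service_key, tkt)
    if now > t["end"] or t["addr"] != addr:
        raise PermissionError("ticket expired or not valid from this address")
    a = decrypt(bytes.fromhex(t["key"]), auth)
    if a["client"] != t["client"]:
        raise PermissionError("authenticator does not match ticket")
    if abs(a["time"] - now) > SKEW:
        raise PermissionError("clock skew too large: replay or unsynchronised clock")
    return t, a

class KDC:
    def __init__(self, realm, db):
        self.tgs, self.db = "krbtgt/%s@%s" % (realm, realm), db  # db: principal -> secret key
    def as_exchange(self, client, addr):
        """(1) TGT request -> (2) session key + TGT, sealed with the user's key."""
        sk = os.urandom(32)
        tgt = make_ticket(self.db[self.tgs], client, sk, addr, 36000)
        return encrypt(self.db[client], {"key": sk.hex(), "tgt": tgt.hex()})
    def tgs_exchange(self, tgt, auth, service, addr):
        """(3) ST request with TGT + authenticator -> (4) service ticket + session key."""
        t, _ = check_ticket(self.db[self.tgs], tgt, auth, addr, time.time())
        ssk = os.urandom(32)
        st = make_ticket(self.db[service], t["client"], ssk, addr, 36000)
        return encrypt(bytes.fromhex(t["key"]), {"key": ssk.hex(), "st": st.hex()})

class Service:
    def __init__(self, key):
        self.key, self.seen = key, set()  # seen: replay cache of (client, authenticator time)
    def accept(self, st, auth, peer_addr, now=None):
        """(5) ST presented for authentication; a repeated authenticator is a replay."""
        t, a = check_ticket(self.key, st, auth, peer_addr, now or time.time())
        if (a["client"], a["time"]) in self.seen:
            raise PermissionError("replay detected")
        self.seen.add((a["client"], a["time"]))
        return t["client"]

def authenticator(client, session_key, when=None):
    return encrypt(session_key, {"client": client, "time": when or time.time()})

def kinit(kdc, user, password, addr):
    rep = decrypt(string_to_key(password), kdc.as_exchange(user, addr))
    return {"user": user, "key": bytes.fromhex(rep["key"]), "tgt": bytes.fromhex(rep["tgt"])}

def get_service_ticket(kdc, creds, service, addr):
    rep = decrypt(creds["key"], kdc.tgs_exchange(
        creds["tgt"], authenticator(creds["user"], creds["key"]), service, addr))
    return bytes.fromhex(rep["st"]), bytes.fromhex(rep["key"])

def verify_kdc(kdc, creds, keytab, host_principal, addr):
    """Anti-spoofing check: a ticket for the host's own keytab principal must open with the keytab key."""
    st, _ = get_service_ticket(kdc, creds, host_principal, addr)
    return decrypt(keytab[host_principal], st)["client"] == creds["user"]

REALM = "EXAMPLE.ORG"  # constructed realm, principals and keys
ALICE, HOST, POP = "alice@" + REALM, "host/login.example.org@" + REALM, "pop/mail.example.org@" + REALM
KEYTAB = {HOST: os.urandom(32)}  # the login host's keytab
KDC_DB = {"krbtgt/%s@%s" % (REALM, REALM): os.urandom(32), ALICE: string_to_key("correct horse"),
          HOST: KEYTAB[HOST], POP: os.urandom(32)}

def demo(addr="192.0.2.10"):  # kinit, KDC check, service ticket and a login to the POP service
    kdc, pop = KDC(REALM, KDC_DB), Service(KDC_DB[POP])
    creds = kinit(kdc, ALICE, "correct horse", addr)
    st, ssk = get_service_ticket(kdc, creds, POP, addr)
    who = pop.accept(st, authenticator(ALICE, ssk), addr)
    return verify_kdc(kdc, creds, KEYTAB, HOST, addr), who  # -> (True, 'alice@EXAMPLE.ORG')
```

The AS reply is the only thing a naive login program would check, and a spoofed KDC that knows the password the attacker typed can produce one; verify_kdc closes that gap because only the real KDC holds the host key stored in the keytab. The address in the ticket is what makes the NAT case on the next slide fail: the same ticket presented from another source address is refused before the authenticator is even opened.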

Page 16:

Attacks against Kerberos (2)

Password guessing: use a good passphrase

Trojaned clients : OTP

Implicit trust between realms

Ticket forwarding

Others : KDC, shared workstations, ...

Page 17:

*NIX clients

RedHat (6.2 and 7) provides Kerberos V support
> Install patch RHSA-2001:025-14

OpenBSD and Solaris 2.8 now support Kerberos V

Solaris < 2.8 only provides Kerberos IV

Page 18:

Kerberos V on *NIX clients (1)

Authentication managed by Kerberos API

Authorizations defined in user files:
> ~/.k5login - defines the principal(s) who can log in to that account
> ~/.k5users - defines commands that can be launched via ksu (sudo-like)
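The principal three-tuple from the vocabulary slide and the ~/.k5login decision from this slide, as an added example that is not the presentation's code nor the MIT library's: the default-realm rule for bare names, the "no file means only local_user@LOCAL_REALM" fallback and the sample file contents are assumptions made here.

```python
"""Kerberos principal names (the <primary, instance, realm> three-tuple from
the vocabulary slide) and the ~/.k5login authorization decision from the
*NIX client slide. Added example, not the authors' code nor the MIT library:
the default-realm rule and the sample file contents are assumptions."""
from collections import namedtuple

Principal = namedtuple("Principal", "primary instance realm")

def parse_principal(text, default_realm=None):
    """'primary[/instance]@REALM' -> Principal; a bare name only parses when a
    default realm is supplied (as a client does with its local realm)."""
    text = text.strip()
    name, sep, realm = text.rpartition("@")
    if not sep:
        name, realm = text, default_realm
    primary, slash, instance = name.partition("/")
    if not primary or not realm or (slash and not instance):
        raise ValueError("malformed principal: %r" % text)
    return Principal(primary, instance or None, realm)

def format_principal(p):
    return "%s%s@%s" % (p.primary, "/" + p.instance if p.instance else "", p.realm)

def k5login_allows(k5login_text, authenticated, local_user, local_realm):
    """Authorization for a kerberized login into local_user: with a ~/.k5login,
    the authenticated principal must appear on one of its lines (full names
    only; a malformed line never grants access). Without the file, only the
    principal local_user@LOCAL_REALM with no instance is accepted."""
    who = parse_principal(authenticated, local_realm)
    if k5login_text is None:
        return who == Principal(local_user, None, local_realm)
    for line in k5login_text.splitlines():
        try:
            if parse_principal(line) == who:
                return True
        except ValueError:
            continue
    return False
```

Note that nico@EXAMPLE.ORG and nico/admin@EXAMPLE.ORG are different principals: an instance is part of the identity, so a ~/.k5login line listing the first does not admit the second. That is the property the Cisco instance-to-privilege mapping later in the deck relies on.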

PAM alternatives

Page 19:

Kerberos V on *NIX clients (2)

Kerberized Telnet : available

Kerberized SSH:
> SSH.Com’s SSH 1.2.x and 2.x support Kerberos V
> Kerberos V patches available for OpenSSH: http://www.sxw.org.uk/computing/patches/
> OpenSSH 2.5.2 w/ Kerberos V on RedHat 7.1

Page 20:

Kerberos V on Cisco equipment (1)

Cisco Routers
> Kerberized Telnet
> Password authentication using Kerberos (telnet, SSH and console)
> Can map instance to Cisco privilege (locally defined)

Cisco Switches
> Telnet only (SSH available as of 6.1 but w/o Kerberos support)

Page 21:

Kerberos V on Cisco equipment (2)

IOS & memory issues on routers:
> Feature name: Kerberos V client support
> Needed feature set: at least Enterprise
> Not supported on all hardware, for example:
  - Cisco 16xx router
  - Cisco GSR (12xxx - Gigabit Switch Router)
> Memory requirements:

  Hardware   IOS    RAM / Flash (MB)
  26xx       12.0   32 / 8
  26xx       12.1   48 / 16
  72xx       12.0   64 / 16
  72xx       12.1   64 / 16

Hint: always check with the Cisco IOS Feature Navigator

Page 22:

Kerberos V on Cisco equipment (3)

Router Configuration:

    aaa authentication login default krb5-telnet local
    aaa authorization exec default krb5-instance
    kerberos local-realm COLT.CH
    kerberos srvtab entry host/[email protected] ...
    kerberos server COLT.CH 192.168.0.14
    kerberos instance map engineering 15
    kerberos instance map support 3
    kerberos credentials forward
    line vty 0 4
    ntp server 192.168.0.126

Page 23:

Kerberos V on Cisco equipment (4)

CatOS & memory issues on switches:
> At least Supervisor Engine Software Release 5.x
> Only supported on Catalyst 4000, 5000 and 6000/6500
> Only supported on SE I (not SE II) on Cat6K
> Memory requirements:

  Hardware   CatOS   Memory (MB)
  4000       5.2+    64
  4000       6.1     64
  6000       5.4+    64
  6000       6.1     64 (SE I)

Hint: always check the Release Notes

Page 24:

Kerberos V on Cisco equipment (5)

Switch Configuration:

    #kerberos
    set kerberos local-realm COLT.CH
    set kerberos clients mandatory
    set kerberos credentials forward
    set kerberos server COLT.CH 192.168.0.82 88
    set kerberos srvtab entry host/[email protected] ...
    #authentication
    set authentication login kerberos enable telnet primary
    set authentication enable kerberos enable telnet primary
    #ntp
    set ntp client enable
    set ntp server 192.168.0.11

Page 25:

Kerberos V on Win2K stations (1)

Provides Kerberos authentication for interactive logons

The protocol is a Security Provider under the SSPI (Security Support Provider Interface) and is linked to the LSA (Local Security Authority)

Ticket cache is provided by the LSA

Telnetd supports Kerberos

Page 26:

Kerberos V on Win2K stations (2)

Support Tools

Win2K station configuration:

    ksetup /setdomain COLT.CH
    ksetup /addkdc COLT.CH kdc.colt.ch
    ksetup /setmachpassword password
    ksetup /mapuser [email protected] localuser
    ksetup /mapuser * *

Windows Time Server (+ registry)

No kerberized SSH, only a few (broken) telnet clients

Page 27:

That’s all folks :-)

Latest version: http://www.securite.org/presentations/krb5/

Q&A


Picture: http://www.inforamp.net/~dredge/funkycomputercrowd.html