Kerberos Authentication

By: Mike Kimball & Darren Davis - Revised: 2006-07-03 devin

Introduction

An overview of Mac OS Support's labs deployment of Kerberos for authentication.


What is Kerberos?

Kerberos is an authentication protocol, named after the Greek multi-headed dog that guarded the entrance to the underworld (Cerberus is the Roman spelling and is, contrary to Americanized views, pronounced "Ker-ber-ous"). Developed by MIT, Kerberos provides security on physically insecure networks. Kerberos is now being standardized by the IETF as an authentication protocol.
"Most moderately-sized to large computer systems use some form of password protection scheme to authenticate users; that is, they require users who wish to log on to give both their names and a secret password that only they and the computer system know. Anyone who happens to know the password can claim to be that user. It is therefore desirable to prevent people from listening in on the conversation between the computer and the user's workstation or terminal.

"This is relatively easy in the case of terminals directly connected to the main computer, since each terminal has its own cable. In a local-area network, several (typically between 10 and 200) computers share one cable, and any computer can listen in on any network traffic. With the advent of network monitoring packages for IBM PCs and similar machines, it is relatively easy for a determined user to set up a program to listen in on a network for any and all passwords being sent over it. This would allow an intruder to masquerade as someone else, violating his or her privacy and perhaps stealing information (academic or otherwise). Note that The Electronic Communications Privacy Act of 1986 makes this a Federal crime punishable by lots of nasty stuff (ask your lawyer for details).

"Kerberos uses a standard encryption-based authentication technique with a few variations designed to increase ease of use across administrative entities and reduce the number of possible 'attacks' on the system. The system uses cryptographically sealed tickets and authenticators which may be passed over the network and decrypted only by a user or machine which knows the appropriate encryption/decryption key."

-- http://itinfo.mit.edu/article.php?id=6805
We're using Kerberos to secure our open-access machines by requiring patrons to log on before they can use the machine. Here are some important links (downloads, installation notes, configuration, other useful info):
MIT Kerberos for Macintosh
MIT Kerberos Documentation
Kerberos Mailing List site
Apple Developer Connection documentation on Kerberos (link dead)

Why use Kerberos (instead of other authentication protocols)?

First and foremost is that Kerberos has been researched and deployed for a number of years. When it comes to system security there is nothing like time spent using and testing an authentication protocol. Second is that it is becoming an IETF (Internet Engineering Task Force) standard. Open standards are the foundation of the Internet. With standards comes integration by system vendors and application writers. Mac OS X 10.2 (Jaguar) has Kerberos authentication built in by default. This means testing and support by Apple as well as easier setup and configuration for administrators.

There are other means of authentication, such as having your system authenticate directly against an Enterprise Directory using LDAP over SSL, but if you watch security advisories you will see that exploits are still being published against directory authentication.

Deployment

Journal
Follow our progress, learn from our mistakes, laugh at our expense....

--Sept. 20, 2002 : I have to say that implementing Kerberos was really not very complicated. Kerberos for Macintosh works well. We have to do a few tweaks to get rid of the palette (using AppleScript on logout), but that's about it.

--Jul. 23, 2002 : Some info regarding our integration of MacAdmin with RevRdist. We put Cron in the Agents folder and assigned it to run on startup. We can run the Run RevRdist app as an Agent as well. One snag at the moment is that RevRdist hangs the machine if it runs during Screen Saver mode - we are inquiring with Hi-Res as to when they plan to fix this - so for the moment you must run RevRdist while logged on, meaning you must be logged on as a user with Protection Off. A workaround to this is, we set Cron to launch an AppleScript that writes a prefs file, which logs in as RevRdist, and then a startup script checks for the RevRdist user and runs RevRdist if logged in as such. It runs with protection enabled, but it doesn't completely run correctly (meaning it runs without crashing the machine, but doesn't update everything).

--Jul. 22, 2002 : I added more details and graphics about our customizations to this page: MacAdministrator Customization. -MK

--Jun. 11, 2002 : I added a page of details about our customizations of the MacAdministrator interface, and some of the configs we have set with the admin utility. Read all about it here: MacAdministrator Customization. -MK

--Apr. 19, 2002 : Up to this point I've been concentrating on testing MacAdministrator and Kerberos for Macintosh. Hi-Resolution have released new versions of the KerberosAuthenticator Plug-in (adding Kerberos for Macintosh support) and the client software (in MacAdministrator 2.5.2, apps that quit the Finder no longer crash the machine). So, now we have a basic framework that will allow us to secure Mac OS 9 and protect the local drive, authenticate with Kerberos, and also run the disk maintenance software that we use (RevRdist). -MK

Phases
All phases of the Student Computing Labs Authentication are now complete.

Union Lab: June 17, 2002
EMCB Lab: July 19, 2002
MMC Lab: August 9, 2002
Peterson Lab: August 30, 2002
Sage Point Lab: August 30, 2002

Mac OS 9

Configuration
We are currently using the Kerberos for Macintosh client. Here are a few simple instructions on our configuration of the client. This was kind of a PITA to figure out; the documentation wasn't very clear or simple...
  • Edit the Kerberos Library so that it will generate a correct Kerberos Preferences file. Do this using Resorcerer or ResEdit. The Kerberos Library is located in System Folder:Application Support:Kerberos. I usually put a finished copy of this file in the Extensions folder as well. Anyway, edit the "pfdf" resource, ID 128. You can just copy and paste into the right column of the resource. Example configuration (v5 only):
[domain_realm]
.utah.edu = UTAH.EDU
utah.edu = UTAH.EDU

[libdefaults]
default_realm = UTAH.EDU
ticket_lifetime = 600
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc

[realms]
UTAH.EDU = {
    kdc = kdc1.kerberos.utah.edu:88
    default_domain = utah.edu
}

  • Throw any Kerberos Preferences (either in Application Support or Preferences) in the trash.
  • Restart.
  • Open the Kerberos control panel and click on the Edit menu - "Edit Favorite Realms" - this will allow you to choose the UTAH.EDU realm so it will show up when you login.
  • Choose "Get Tickets" from the Kerberos Menu, control panel, etc...
  • If everything is configured correctly, you should see the realm UTAH.EDU available and it should have a yellow "v5" at the beginning. If it says v4/v5 it probably won't connect properly (mine kept giving me "password incorrect").

We also added multiple CNAMEs for redundancy, so for instance the realms section might say "kdc = kdc1-mmc.kerberos.utah.edu" for the MMC lab, or "kdc = kdc1-orl.kerberos.utah.edu" and "kdc = kdc2-orl.kerberos.utah.edu" for the Residence Halls labs (you can of course list several KDCs by repeating the kdc line).
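As an added example (not from the original page), a small Python parser for this profile format that reads the [domain_realm], [libdefaults] and [realms] settings shown above and flags what a lab admin would want to check before rollout: that default_realm has a matching [realms] entry, that more than one kdc line is listed (the redundancy described above), and that the single-DES enctypes in the example are still configured, which RFC 6649 has since retired. The embedded profile is constructed from the page's example plus the Residence Halls KDC names.

```python
# Constructed sample (not a real config from the page): the page's example plus the two redundant KDC lines described for the Residence Halls labs.
SAMPLE = """\
[domain_realm]
.utah.edu = UTAH.EDU
utah.edu = UTAH.EDU
[libdefaults]
default_realm = UTAH.EDU
ticket_lifetime = 600
default_tkt_enctypes = des-cbc-crc
default_tgs_enctypes = des-cbc-crc
[realms]
UTAH.EDU = {
kdc = kdc1-orl.kerberos.utah.edu:88
kdc = kdc2-orl.kerberos.utah.edu:88
default_domain = utah.edu
}
"""
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "des-cbc-md4"}  # single DES, retired by RFC 6649

def parse_profile(text):
    """Return {section: {key: [values] or nested dict}}; repeated keys accumulate."""
    sections, stack = {}, []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()              # drop comments and blank lines
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):  # [section] opens a new scope
            stack = [sections.setdefault(line[1:-1], {})]
        elif line == "}":                                 # closes a { } subsection
            stack.pop()
        else:
            key, _, val = (s.strip() for s in line.partition("="))
            if val == "{":                                # "REALM = {" opens a subsection
                stack.append(stack[-1].setdefault(key, {}))
            else:
                stack[-1].setdefault(key, []).append(val)
    return sections

def check_profile(prof):
    """Findings an admin wants before rollout: realm/KDC wiring and weak enctypes."""
    libd, realms, findings = prof.get("libdefaults", {}), prof.get("realms", {}), []
    realm = libd.get("default_realm", [None])[0]
    kdcs = realms.get(realm, {}).get("kdc", [])
    if realm not in realms:
        findings.append("default_realm missing or has no [realms] entry")
    elif len(kdcs) < 2:
        findings.append("realm %s has %d kdc line(s); add another for redundancy" % (realm, len(kdcs)))
    for key in ("default_tkt_enctypes", "default_tgs_enctypes"):
        findings += ["%s uses weak enctype %s" % (key, e) for e in libd.get(key, []) if e in WEAK_ENCTYPES]
    return findings
```

Running check_profile(parse_profile(SAMPLE)) reports only the two DES enctype findings; a profile with a single kdc line gets the redundancy finding instead.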

Security
We chose MacAdministrator - it is the only package we tested with adequate results for securing Mac OS 9. Better still, their tech support was responsive and quite accommodating with a problem we had (getting RevRdist to run with MacAdministrator - previously, apps that quit the Finder would crash if MacAdministrator was installed; but the 2.5.2 version fixed this problem).

Mac OS X

Configuration
First, Apple has several documents in the AppleCare Knowledge Base on how to configure and use the built-in Kerberos client in Mac OS X 10.2.1 or later. If you are using a version of Mac OS X earlier than 10.2.1, then I recommend going to the MIT website mentioned in the Introduction, or upgrading to the latest version of Mac OS X.

The Apple Support Documents are:

107153, 107154, and 107155

You will see from document 107154 that you need to edit the /etc/authorization file to set up the Kerberos client.

Environments

Mac, PC, & UNIX
Proposed topics:
  1. Apple NetInfo
  2. Microsoft Active Directory
  3. Novell Directory Services (NDS)
  4. OpenLDAP
  5. Sun ONE Directory Server

Client Applications

MIT Mac OS X 10.2 Kerberos Extras - Support for Kerberos-using applications such as Eudora and Fetch.

Server Apps

To be determined.

Links

Kerberos Reference Page, Carnegie Mellon
[http://www.contrib.andrew.cmu.edu/~shadow/kerberos.html]

Kerberos at Stanford
[http://consult.stanford.edu/afsinfo/kerberos.shtml] (link dead)

Macintosh Kerberos 5 Client
[http://archive.ncsa.uiuc.edu/SCD/Consulting/Security/Kerberos/mackrb5install.html] (link dead)

State of Macintosh Authentication, Everette Allen
[http://www.ncsu.edu/mac/sma/sma.html]

The Kerberos Network Authentication Service
[http://www.isi.edu/gost/info/kerberos/]

The Moron's Guide to Kerberos (An excellent read on Kerberos!)
[http://www.isi.edu/~brian/security/kerberos.html]

Kerberos FAQ, Navy.mil
[http://www.cmf.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html]

Designing an Authentication System: a Dialogue in Four Scenes, MIT
[http://web.mit.edu/kerberos/www/dialogue.html]

Kerberos: An Authentication Service for Open Network Systems (Postscript Document)
[ftp://athena-dist.mit.edu/pub/kerberos/doc/usenix.PS]

Kerberos: The Network Authentication Protocol, MIT
[http://www.mit.edu/afs/athena.mit.edu/astaff/project/kerberos/www/]

Kerberos for Windows (MinK)
[http://web.mit.edu/is/help/mink/] (link dead)

How to Kerberize your site, Oak Ridge National Laboratory
[http://www.ornl.gov/~jar/HowToKerb.html]

Kerberos task force presentation (PDF Document)
[http://www.ornl.gov/~jar/k5update.pdf]

Draft final report
[http://www.ornl.gov/~jar/CISreport.html]

AA&A Kerberos Powerpoint Presentation, U of Penn
[http://www.upenn.edu/computing/group/secure/2000/phase1/kerberos-talk/index.htm]

Authentication, Authorization and Accounting Projects at Penn
[http://www.upenn.edu/computing/group/aaa/index.html]

Installing and using Windows client side Kerberos V5
[http://www.upenn.edu/computing/group/secure/2000/phase1/kerberos/pckerberos.html]

IETF Kerberos Working Group
[http://www.ietf.org/html.charters/krb-wg-charter.html]

FreeBSD Handbook Kerberos documentation
[http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/kerberos.html] (link dead)

Google Web Directory - Kerberos
[http://directory.google.com/Top/Computers/Security/Authentication/Kerberos/?tc=1]