Kerberos in an ISP environment

Kerberos in an ISP environment: UNIX/Win2K/Cisco

> Nicolas FISCHBACH
Senior IP & Security Engineer - Professional Services Team
[email protected] - http://www.securite.org/nico/

> Sébastien LACOSTE-SERIS
Security Officer - IP Research & Development Manager
[email protected] - http://www.securite.org/kaneda/

version 1.2

Agenda

 Kerberos
> Introduction: why did we choose Kerberos?
> Protocol and Exchanges
> Attacks
 Deployment
> UNIX
> Cisco Routers and Switches
> Win2K
 Q&A

© 2001 Sécurité.Org

What is Kerberos ?

 Kerberos is a network authentication protocol/system
 Uses time synchronization to:
> limit the use of the keys
> help in detecting replay attacks
 Mutual authentication
 Uses DES, 3DES and shared keys
 Trusted third party

What is Kerberos not ?

 Kerberos does not provide authorization, only authentication
 Kerberos does not provide data encryption

Why use Kerberos ?

 Secure authentication (cryptography)
 No password transmission
 Single Sign On
> SSO is bad for security (Bruce Schneier)
 Centralized authentication management
 IETF Standard (RFC 1510)

Kerberos vocabulary (1)

 KDC: Key Distribution Center. Holds a database of clients and servers (called principals) and their private keys
 principal: three-tuple
> user: login/group@REALM
> service: service/host.fqdn@REALM
 primary: username or service name
 instance: “qualifies” the primary (role)
 realm: authentication domain

Kerberos vocabulary (2)

 keytab: file containing one or more keys (for hosts or services). Also known as SRVTAB (Cisco).
 client: an entity that can obtain a ticket (user or host)
 service: host, ftp, krbtgt, pop, etc.
 ticket: credentials (identity of a client for a particular service)
 TGT: ticket issued by the AS. Allows the client to obtain additional tickets for the same realm.

Key Distribution Center

 Responsible for maintaining master keys for all principals and issuing Kerberos tickets
 The Authentication Service (AS) gives the client a session key and a Ticket Granting Ticket (TGT)
 Distributes service session keys and tickets for the service via the Ticket Granting Service (TGS)

Realms

 A Realm is an authentication domain
> one Kerberos database and a set of KDCs
 Hierarchical organization (new in v5)
 One- or two-way authentication
 Cross-realm authentication
> transitive cross-realm
> direct between realms

Kerberos Protocol (1)

 Kerberos Ticket (diagram): fields of a ticket
> Domain, Principal Name
> Ticket Flags
> Encryption Key
> Domain, Principal Name
> Start Time, End Time
> Host Address
> Authorization Data
> (the part after the first Domain/Principal Name is encrypted)

Kerberos Protocol (2)

 Kerberos Ticket Exchanges (diagram): User <-> Key Distribution Center (Authentication Service, Ticket Granting Service), ticket presented by the User to the Network Service
 Ports:
> kinit: 88/udp
> kpasswd (Unix): 749/tcp
> kpasswd (Win): 464/{tcp,udp}

Kerberos Protocol (3)

 Getting a Ticket Granting Ticket (1+2)
> (1) TGT Request
> (2) TGT (to be decrypted with the user’s password hash)

Diagram: Client --(1) TGT Request--> KDC, KDC --(2) TGT--> Client

Kerberos Protocol (4)

 Getting and using a Service Ticket (3+4+5)
> (3) ST Request (with a TGT)
> (4) ST and session key
> (5) ST for authentication

Diagram: Client --(3) ST Request--> KDC, KDC --(4) ST and SK--> Client, Client --(5) ST--> Server

NAT issues

 Host address is included in the tickets (recommended)
 Need to add the NATed IP address in the ticket
 Patch for MIT Kerberos 5.1
 Create TGT without address (not recommended): kinit -A

Attacks against Kerberos (1)

 Vulnerability in Kerberos password authentication via KDC AS spoofing (mitigation: use a keytab file and register principals for the service) (http://www.monkey.org/~dugsong/kdcspoof.tar.gz)
 Replay attacks: detected (C+S are time synchronized)
 Exposed keys: keys have a limited lifetime but are multi-session keys
 Temporary file vulnerability: run krb5-1.2.1+
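The address binding from the NAT slide and the time-based replay detection from the attacks slide, modelled as the checks a kerberized service applies to an incoming ticket and authenticator. This is an added Python example, not code from the original presentation; the 5-minute skew, the replay cache, the principal and address values are constructed assumptions, and ticket encryption is left out.

```python
# Added example, not from the original slides: a minimal model of the checks a
# kerberized service applies to a service ticket plus authenticator. Ticket
# fields follow the "Kerberos Ticket" slide; the 5-minute skew, the replay cache
# and the sample values are constructed assumptions; encryption is left out.
from dataclasses import dataclass

MAX_SKEW = 300  # seconds of client/server clock drift tolerated (assumed)

@dataclass(frozen=True)
class Ticket:
    principal: str     # client principal, e.g. "nico/admin@COLT.CH" (constructed)
    start_time: int    # validity window, epoch seconds
    end_time: int
    host_address: str  # client address bound into the ticket; "" if kinit -A

@dataclass(frozen=True)
class Authenticator:
    principal: str
    timestamp: int     # client clock when the request was built

class ReplayCache:
    """Remembers (principal, timestamp) pairs seen within the skew window."""
    def __init__(self):
        self.seen = {}

    def record(self, principal, timestamp, now):
        # Anything older than MAX_SKEW fails the skew check anyway, so the
        # cache only has to remember a bounded window of authenticators.
        self.seen = {k: t for k, t in self.seen.items() if now - t <= MAX_SKEW}
        key = (principal, timestamp)
        if key in self.seen:
            return False
        self.seen[key] = timestamp
        return True

def validate(ticket, auth, sender_address, now, cache):
    """Return "ok" or the reason the authentication was refused."""
    if not ticket.start_time <= now <= ticket.end_time:
        return "ticket expired or not yet valid"
    if auth.principal != ticket.principal:
        return "authenticator principal does not match ticket"
    # Address binding breaks behind NAT unless the KDC put the NATed address
    # in the ticket (patched MIT KDC) or the ticket has no address (kinit -A).
    if ticket.host_address and ticket.host_address != sender_address:
        return "client address mismatch"
    if abs(now - auth.timestamp) > MAX_SKEW:
        return "clock skew too large"
    if not cache.record(auth.principal, auth.timestamp, now):
        return "replay detected"
    return "ok"
```

A second presentation of the same authenticator within the skew window is refused as a replay, while an authenticator outside the window is refused on clock skew without ever reaching the cache.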

Attacks against Kerberos (2)

 Password guessing: use a good passphrase
 Trojaned clients: OTP
 Implicit trust between realms
 Ticket forwarding
 Others: KDC, shared workstations, ...

*NIX clients

 RedHat (6.2 and 7) provides Kerberos V support
> Install patch RHSA-2001:025-14
 OpenBSD and Solaris 2.8 now support Kerberos V
 Solaris < 2.8 only provides Kerberos IV

Kerberos V on *NIX clients (1)

 Authentication managed by the Kerberos API
 Authorizations defined in user files:
> ~/.k5login - defines the principal(s) who can log in to that account
> ~/.k5users - defines commands that can be launched via ksu (sudo-like)
 PAM alternatives

Kerberos V on *NIX clients (2)

 Kerberized Telnet: available
 Kerberized SSH:
> SSH.Com’s SSH 1.2.x and 2.x support Kerberos V
> Kerberos V patches available for OpenSSH: http://www.sxw.org.uk/computing/patches/
> OpenSSH 2.5.2 w/ Kerberos V on RedHat 7.1

Kerberos V on Cisco equipment (1)

 Cisco Routers
> Kerberized Telnet
> Password authentication using Kerberos (telnet, SSH and console)
> Can map instance to Cisco privilege level (locally defined)
 Cisco Switches
> Telnet only (SSH available as of 6.1 but w/o Kerberos support)

Kerberos V on Cisco equipment (2)

 IOS & memory issues on routers:
> Feature name: Kerberos V client support
> Needed feature set: at least Enterprise
> Not supported on all hardware, for example:
- Cisco 16xx router
- Cisco GSR (12xxx - Gigabit Switch Router)
> Memory requirements (MB):

Hardware   IOS    RAM / Flash
26xx       12.0   32 / 8
26xx       12.1   48 / 16
72xx       12.0   64 / 16
72xx       12.1   64 / 16

Hint: always check with the Cisco IOS Feature Navigator

Kerberos V on Cisco equipment (3)

 Router Configuration:

aaa authentication login default krb5-telnet local
aaa authorization exec default krb5-instance
kerberos local-realm COLT.CH
kerberos srvtab entry host/[email protected]
...
kerberos server COLT.CH 192.168.0.14
kerberos instance map engineering 15
kerberos instance map support 3
kerberos credentials forward
line vty 0 4
ntp server 192.168.0.126

Kerberos V on Cisco equipment (4)

 CatOS & memory issues on switches:
> At least Supervisor Engine Software Release 5.x
> Only supported on Catalyst 4000, 5000 and 6000/6500
> Only supported on SE I (not SE II) on Cat6K
> Memory requirements (MB):

Hardware   CatOS   Memory
4000       5.2+    64
4000       6.1     64
6000       5.4+    64
6000       6.1     64 (SE I)

Hint: always check the Release Notes

Kerberos V on Cisco equipment (5)

 Switch Configuration:

#kerberos
set kerberos local-realm COLT.CH
set kerberos clients mandatory
set kerberos credentials forward
set kerberos server COLT.CH 192.168.0.82 88
set kerberos srvtab entry host/[email protected]
...
#authentication
set authentication login kerberos enable telnet primary
set authentication enable kerberos enable telnet primary
#ntp
set ntp client enable
set ntp server 192.168.0.11

Kerberos V on Win2K stations (1)

 Provides Kerberos authentication for interactive logons
 The protocol is a Security Provider under the SSPI (Security Support Provider Interface) and is linked to the LSA (Local Security Authority)
 Ticket cache is provided by the LSA
 Telnetd supports Kerberos

Kerberos V on Win2K stations (2)

 Support Tools
 Win2K station configuration:

ksetup /setdomain COLT.CH
ksetup /addkdc COLT.CH kdc.colt.ch
ksetup /setmachpassword password
ksetup /mapuser [email protected] localuser
ksetup /mapuser * *

 Windows Time Server (+ registry)
 No kerberized SSH, only a few (broken) telnet clients

That’s all folks :-)

 Latest version: < http://www.securite.org/presentations/krb5/ >
 Q&A

Picture: http://www.inforamp.net/~dredge/funkycomputercrowd.html