Providing Kerberos Authentication


One of Mac OS X Server's key features is the Open Directory SSO infrastructure: a Kerberos-based set of services allowing authenticated users to securely access network resources, such as file and mail services, without having to reenter their passwords.

Adapting Kerberos

The following table shows the difficulties in implementing Kerberos and the Apple solution.

Difficulty                                      The Apple Answer
Complex server and client configuration         Automatic configuration
Directory-service integration                   Complete directory-service integration
Lack of user-level account management           Server management tools' creation of user principals
Replica                                         Host and service registration
No support for legacy authentication protocols  Password Server's support of legacy protocols


Kerberos is designed from a model of mutual, initial distrust. This is well suited to today's network environment, and both Apple and Microsoft have chosen to incorporate Kerberos into their directory-service infrastructures. Before that, it was available for UNIX and Linux from MIT.

Integrating Kerberos into an existing infrastructure is not as well defined as some competing proprietary solutions are. In this sense, the open structure and flexible implementation of Kerberos has hindered widespread adoption. Apple built its Kerberos implementation to address these shortcomings with the following solutions:

  • Automatic configuration: Kerberos, with its UNIX heritage, is typically difficult to configure in both its client and server forms, requiring a high level of architectural knowledge and a high proficiency in editing text-based configuration files. To circumvent this requirement, Apple provides a directory-based configuration mechanism, with several tools that automatically create a key distribution center (KDC) and configure clients to access it.

  • Complete directory-service integration: Kerberos is an authentication mechanism, not a directory service. There's no standard way to determine which component of a user record should be assigned to that specific user's Kerberos principal name, much less to devise a solution for managing the finer points of integration. Apple has made some of those decisions and, among other things, has added a component to the user record in directory services that specifies how the user can be authenticated.

  • Server management tools' creation of user principals: Kerberos doesn't have a standard method of user management, and various implementations use different technologies to manage user principals. Apple has adopted MIT's kadmin protocol and integrated it with the standard user creation process of Mac OS X Server, so that all new users in an Open Directory shared domain get Kerberos principals. This is a tremendous leap forward in permitting users to take advantage of the SSO methodology.

  • Simplified host and service registration: Management of host and service principals can be especially difficult, given their distributed nature. For example, the encrypted service keys need to get to the kerberized services, which are generally hosted somewhere other than with the KDC. Apple has leveraged MIT's existing infrastructure and its built-in directory-based configuration architecture to provide a straightforward, graphical method for building SSO systems among several hosts, again making the process as seamless as possible.

  • Password Server's support of legacy protocols: Not every service is kerberized, and as nice as Kerberos is from a security perspective, it is not a be-all and end-all answer to authentication. The Kerberos standard itself does not specify any method for integration with legacy protocols. Later in this lesson, you will learn about the Apple Password Server, an open-standard system for supporting legacy authentication methods. Integrated with the KDC, it rounds out and adds depth to the Apple authentication options.

It is important to note that Apple has made a solid investment toward integrating Kerberos into the structure of Mac OS X and Mac OS X Server. While some tools that manage Kerberos are command-line tools, others, such as the Kerberos utility discussed in Lesson 6, "Kerberos Fundamentals," are placed out of the user's normal view (located in /System/Library/CoreServices). Administrators may want to move this utility to the /Applications/Utilities folder if a significant portion of users will need to use it from time to time. From a management standpoint, most administrators do not want their users poking around the /System/Library/CoreServices folder.

Kerberos Authentication Process

The Kerberos authentication process normally consists of several well-defined transactions:


  1. When the client requests authentication, it sends a KRB_AS_REQ message to the KDC.

    This request for a ticket-granting ticket (TGT) consists of the client's user name (so that the KDC knows which principal is attempting to authenticate), a timestamp, and the requested ticket lifetime.

    Note

    The TGT is really just a special kind of service, and so KRB_AS_REQ also includes the name of that service: krbtgt/pretendco.com@PRETENDCO.COM.

  2. The KDC then responds with a KRB_AS_REP message.

    This consists of the TGT in clear text and a shared session key encrypted with a hash of the user's password. The TGT does not need to be encrypted again, because its contents are already encrypted with a key known only to the KDC. To the client, it looks like random data, but it actually contains the KDC's copy of the session key, the client's principal name, the ticket lifetime, a timestamp, and, optionally, the client's IP address.

Both the TGT and the session key are stored in the client's credentials cache. The Mac OS X version of Kerberos has a RAM-based credentials cache, making it more difficult for malicious parties to gain access to sensitive data and ensuring that, should the machine quit unexpectedly or otherwise lose power, sensitive data will not be on the file system.
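The two-message exchange above, modelled in Python as an added example (not the book's or Apple's code): the TGT is sealed under a key only the KDC holds, the session key under the user's password-derived key, and the client keeps both in an in-memory cache. The seal/unseal functions are a toy encrypt-then-MAC so the script runs offline, not a real Kerberos encryption type, and the user database and lifetime are constructed values.

```python
import hashlib, hmac, json, os, time

KDC_USERS = {"amie": "password_for_amie"}       # constructed KDC principal database (toy)
KDC_MASTER_KEY = os.urandom(32)                  # key known only to the KDC; protects TGTs
TGS_NAME = "krbtgt/pretendco.com@PRETENDCO.COM"  # the TGT is just a special service principal

def string_to_key(password):
    # Toy string-to-key; real Kerberos derives this per encryption type (e.g. PBKDF2 for AES).
    return hashlib.sha256(password.encode()).digest()

def _keystream(key, nonce, n):
    return b"".join(hashlib.sha256(key + nonce + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

def seal(key, obj):
    """Toy encrypt-then-MAC so the example runs offline; not a Kerberos etype."""
    plain, nonce = json.dumps(obj).encode(), os.urandom(16)
    body = bytes(p ^ s for p, s in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + body + hmac.new(key, nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + body, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: wrong key")
    return json.loads(bytes(p ^ s for p, s in zip(body, _keystream(key, nonce, len(body)))))

def krb_as_req(cname, lifetime=36000):
    # Step 1: client asks for a TGT. No password material is sent in this message.
    return {"cname": cname, "sname": TGS_NAME, "timestamp": int(time.time()), "lifetime": lifetime}

def krb_as_rep(req):
    # Step 2: KDC replies with the TGT (readable only by the KDC) plus the session key
    # encrypted under the user's password-derived key.
    session_key = os.urandom(32).hex()
    tgt = seal(KDC_MASTER_KEY, {"cname": req["cname"], "session_key": session_key,
                                "timestamp": req["timestamp"], "lifetime": req["lifetime"]})
    enc_part = seal(string_to_key(KDC_USERS[req["cname"]]),
                    {"session_key": session_key, "sname": req["sname"]})
    return {"tgt": tgt, "enc_part": enc_part}

def client_login(cname, password):
    """Run the exchange; return the in-memory credentials cache, or None if the password is wrong."""
    rep = krb_as_rep(krb_as_req(cname))
    try:
        enc = unseal(string_to_key(password), rep["enc_part"])
    except ValueError:
        return None
    return {"tgt": rep["tgt"], "session_key": enc["session_key"]}   # RAM-based cache, never on disk
```

A wrong password fails the integrity check on the encrypted part, and the client's own password key cannot open the TGT, which only the KDC can read back.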

When the client wants to access a kerberized service, it must use the TGT and session key. These transactions are covered in Lesson 9, "Integrating With Kerberos."




Apple Training Series: Mac OS X System Administration Reference, Volume 1
ISBN: 032136984X
Year: 2005
Pages: 258
Authors: Schoun Regan
