kerberos and single sign on with http
play

Kerberos and Single Sign-On with HTTP Joe Orton Senior Software - PowerPoint PPT Presentation

Mar 31, 2023 •210 likes •481 views

Kerberos and Single Sign-On with HTTP Joe Orton Senior Software Engineer, Red Hat Overview Introduction The Problem Current Solutions Future Solutions Conclusion Introduction WebDAV: common complaint of poor

  1. Kerberos and Single Sign-On with HTTP Joe Orton Senior Software Engineer, Red Hat

  2. Overview • Introduction • The Problem • Current Solutions • Future Solutions • Conclusion

  3. Introduction • WebDAV: common complaint of poor support for authentication in HTTP • Kerberos is “The” network authentication protocol

  4. The Problem • How to integrate HTTP servers into a Kerberos infrastructure? • Single Sign-On: reducing the number of times people enter passwords • Ideal: user authentication exactly once per “session”; not per-server and/or per-service

  5. The Problem: Scope • Covering intranet/enterprise/organisation- wide HTTP authentication • Out of scope: SSO for “The Web” • In scope? Proxy authentication

  6. GSSAPI vs HTTP • GSSAPI: protocol-agnostic token-based API • Authentication, optional integrity and/or confidentiality – but not really optional • Confidentiality/integrity = transport layer • In HTTP, authentication is independent from the transport layer

  7. Current Solutions • Stanford WebAuth: forms and cookies • HTTP “Basic” authentication • HTTP “Negotiate” authentication

  8. Stanford WebAuth • Cookie-based authentication • Token-passing via browser redirects between web server and “WebKDC” • Kerberos credentials passed to WebKDC via HTML form • WebKDC passes token back to web server

  9. Stanford WebAuth • “Application layer” solution • Cookies + HTML != HTTP authentication • Requires SSL when passing credentials • Requires a real web browser: won't work with generic WebDAV clients • Requires a special server to be WebKDC

  10. Stanford WebAuth • Training users to enter Kerberos credentials into web forms is Very Bad ™ - phishing • Cannot authenticate to proxies • Session termination? Flush cookies • Session scope: within one web browser but then covers all servers

  11. Kerberos via Basic Auth • Use standard HTTP Basic authentication • Send Kerberos credentials as Basic auth credentials • Web server authenticates as user directly to KDC • Works with any generic HTTP client

  12. Kerberos via Basic Auth GET /secret/ HTTP/1.1 HTTP/1.1 401 Unauthorized WWW-Authenticate: Basic realm=”Blah” GET /secret/ HTTP/1.1 Authorization: Basic QWxuIHNlc2FZQ== HTTP/1.1 200 OK

  13. Kerberos via Basic Auth • Requires SSL when passing credentials • Training users to enter credentials into HTTP authentication dialogs is also Very Bad ™ • Can authenticate to proxies • Session scope: one web browser, one server • Session termination: flush cached credentials

  14. The “Negotiate” Scheme • New HTTP authentication scheme (kind of) • Written by Microsoft; I-D published 2001 • Became “Informational” RFC 4559 in 2006 • Uses GSSAPI with “SPNEGO” for NTLM • Implemented as HTTP client extension, custom server module

  15. Negotiate: Protocol trace 1. GET /secret/ HTTP/1.1 2. HTTP/1.1 401 Unauthorized WWW-Authenticate: Negotiate [token] 3. GET /secret/ HTTP/1.1 Authorization: Negotiate Y.....Q== [goto 2, or...] HTTP/1.1 200 OK

  16. The “Negotiate” scheme • Supported at HTTP client level; works with WebDAV etc • Implemented by Firefox, MSIE • Requires SSL to secure the connection • Could almost work with proxies

  17. The “Negotiate” Scheme • Even the name is bad • Per-connection authentication! • Breaks RFC2617 challenge grammar • Abuses RFC2617 headers

  18. mod_auth_kerb • Module for Apache httpd 1.3/2.x • Maintained by Daniel Kouril, BSDy license • Version 5.0 released August 2006, first non- beta release • Supports both Negotiate and Kerberos-over- Basic authentication

  19. mod_auth_kerb Configuration • Obtain a service key from the KDC • Name, for example: HTTP/www.example.com@EXAMPLE.COM • Service key in keytab – check permissions! • Load module and add access control configuration, either httpd.conf or .htaccess

  20. Access control Configuration <Location /private> AuthType Kerberos AuthName "Kerberos Login" KrbMethodNegotiate On KrbMethodK5Passwd Off ...

  21. Access control continued KrbAuthRealms EXAMPLE.COM Krb5KeyTab /etc/httpd/conf/keytab require valid-user SSLRequireSSL </Location>

  22. Client configuration • Firefox: • MSIE should work within “Intranet zone”

  23. Conclusion • Strong authentication as an HTTP authentication scheme alone is not enough • “Negotiate” is a practical if flawed solution for Kerberos Single Sign-On with HTTP • But MUST be used over SSL

  24. Future Solutions • RFC2712: TLS with Kerberos ciphersuites • Implemented in OpenSSL; no deployment • A “GSSAPI Transport Layer” for HTTP? • Implement via Upgrade: header (RFC2817)

  25. Resources • http://webauth.stanford.edu/ • http://modauthkerb.sourceforge.net/ • http://www.ietf.org/rfc/rfc4559.txt • http://www.ietf.org/rfc/rfc2712.txt • These slides: http://people.apache.org/~jorton/ac06us/

  26. Q&A Any questions?

Recommend

Kerberos and Single Sign-On with HTTP Joe Orton Red Hat Overview Introduction The

Kerberos and Single Sign-On with HTTP Joe Orton Red Hat Overview Introduction The

Kerberos and Single Sign-On with HTTP Joe Orton Red Hat Overview Introduction The Problem Current Solutions Future Solutions Conclusion Introduction WebDAV: common complaint of poor support for authentication in

917 views • 34 slides
Taming the Beast Assess Kerberos-Protected Networks Emmanuel Bouillon Introduction

Taming the Beast Assess Kerberos-Protected Networks Emmanuel Bouillon Introduction

Taming the Beast Assess Kerberos-Protected Networks Emmanuel Bouillon Introduction Sophisticated network authentication system holy grail of sys &amp; net admins: secure single sign on Used by large organizations and academic

515 views • 38 slides
Single sign-on enabled OpenCms Architecture for Single sign-on implementation into OpenCms

Single sign-on enabled OpenCms Architecture for Single sign-on implementation into OpenCms

Single sign-on enabled OpenCms Architecture for Single sign-on implementation into OpenCms Pavel Slav ek, pavel.slavicek@qbizm.cz Brno, The Czech Republic, 2. 5. 2008 Content Single sign-on introduction (SSO) Introduction to

959 views • 24 slides
AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school

AFS and Kerberos 5 Ken Hornstein Naval Research Laboratory Kerberos Use in AFS, old school Kerberos implementation based on V4 protocol. Client-server transport uses RX. Raw Kerberos binary ticket placed in credential cache

251 views • 11 slides
Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES

Akademska in raziskovalna mrea Slovenije Connecting Web and Kerberos SSO Connecting Web and Kerberos SSO Rok Pape ARNES aaa-podpora@arnes.si Cork Institute of Technology Cork, Ireland, 19.5.2009 Kerberos Kerberos Akademska in

353 views • 16 slides
I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform

I know who you are, but you can't come in Authentication and single sign-on in the SAS platform Agenda Authentication Inbound authentication Outbound authentication Single Sign-on Definitions Stage Process Method Physical

781 views • 48 slides
Integration of N-tiers application Using CAS Single Sign On system with a webmail application,

Integration of N-tiers application Using CAS Single Sign On system with a webmail application,

Integration of N-tiers application Using CAS Single Sign On system with a webmail application, Horde K.U.Leuven Association velpi@groupt.be http://shib.kuleuven.be Integration of N-tiers application http://associatie.kuleuven.be/

911 views • 58 slides
A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol

A Basic Introduction to Kerberos Ken Hornstein NRL Kerberos Introduction A network protocol developed at MIT as part of Project Athena. Is a shared-secret, trusted third party authentication system. Uses encryption to provide

280 views • 8 slides
Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61

Update on Kerberos Extensibility draft-yu-krb-wg-kerberos-extensions-02.txt Tom Yu IETF 61 Kerberos Extensibility Document Status Notational Conventions Future Plans 1 Document Status Updates from -00 Update I-D boilerplate

407 views • 7 slides
OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006

OTP Kerberos Kerberos Working Group IETF, Montreal July 2006 WORKING DRAFT: 30 June 2006 Background Proposal is to define extensions to Kerberos V5 (rfc4120) to support pre-authentication using an OTP Three main aims: Allow an OTP

180 views • 14 slides
Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure

Kerberos4 1 Kerberos V4 Slide 1 Kerberos network authentication using Needham-Schroeder insecure network: listen, modify secret key login session : from login to logout Version 5: more complex, not just TCP/IP, greater

98 views • 7 slides
Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many

Kerberos https://web.mit.edu/kerberos/ https://tools.ietf.org/html/rfc4120 slide 1 Many-to-Many Authentication ? Servers Users How do users prove their identities when requesting services from machines on the network? Nave solution:

359 views • 10 slides
Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding COMP4631 L16 1 Agenda Distributed system security Introduction to Kerberos V4 Kerberos Realms Authentication with Kerberos in Windows NT 5

751 views • 30 slides
Kerberos &amp; X.509 11

Kerberos &amp; X.509 11

Kerberos &amp; X.509 11 Network Security, Principles and Practice,2nd Ed. :

767 views • 51 slides
Kerberos Working Group Internationalization for Extensions Jeffrey Altman PAGE 1 Guiding

Kerberos Working Group Internationalization for Extensions Jeffrey Altman PAGE 1 Guiding

Kerberos Working Group Internationalization for Extensions Jeffrey Altman PAGE 1 Guiding Principles Use Unicode restricted as needed to provide interoperability and future extensibility A single set of string preparation rules for all

173 views • 14 slides
Single Sign- -On across On across Single Sign Web Services Web Services Ernest Artiaga

Single Sign- -On across On across Single Sign Web Services Web Services Ernest Artiaga

Single Sign- -On across On across Single Sign Web Services Web Services Ernest Artiaga Artiaga Ernest CERN - - OpenLab OpenLab Security Workshop Security Workshop April 2004 April 2004 CERN Outline Outline Motivation and

352 views • 23 slides
Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17

Kerberos for Distributed Systems Security Cunsheng Ding HKUST, Hong Kong, CHINA C. Ding - L17 1 Agenda Distributed system security Introduction to Kerberos Kerberos Version 4 Authentication Protocol Authentication with Kerberos

494 views • 28 slides
Single Sign On SimpleSAMLphp CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org +

Single Sign On SimpleSAMLphp CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org +

Single Sign On SimpleSAMLphp CivicActions | SSO | Dan Gurin | tweeter@dgurin | Drupal.org + GitHub + LinkedIn = DANGUR Enterprise level user account costs Administration Setup Retire Support Password resets

669 views • 24 slides
Welcome to the Taylor Institution Library! SOLO: the library catalogue

Welcome to the Taylor Institution Library! SOLO: the library catalogue

Welcome to the Taylor Institution Library! SOLO: the library catalogue http://solo.bodleian.ox.ac.uk/ Key features Use your Single Sign On to sign in to SOLO in the top right-hand corner of the screen. This allows you to use all the functions

679 views • 35 slides
Network Security: Kerberos Guevara Noubir noubir@ccs.neu.edu Network Security Reading

Network Security: Kerberos Guevara Noubir noubir@ccs.neu.edu Network Security Reading

Network Security: Kerberos Guevara Noubir noubir@ccs.neu.edu Network Security Reading assignment: Chapters 13-14 G. Noubir, Network Security Kerberos Outline Kerberos V4 Kerberos V5 G. Noubir, Network Security Kerberos 2 What is

1.16k views • 9 slides
Centralized user management and Single Sign On for the WeNMR gateway through the WeNMR Virtual

Centralized user management and Single Sign On for the WeNMR gateway through the WeNMR Virtual

Centralized user management and Single Sign On for the WeNMR gateway through the WeNMR Virtual Research Community Marc van Dijk , Andrea Giachetti, Marco Verlato, Antonio Rosato, Alexandre Bonvin EGI Technical Forum 2012 zondag 16 september 12

413 views • 13 slides
Search for four-top-quark production in in the single-lepton and opposite-sign dilepton final

Search for four-top-quark production in in the single-lepton and opposite-sign dilepton final

Search for four-top-quark production in in the single-lepton and opposite-sign dilepton final states in in pp pp collisions at at = 13 13 TeV with the ATLAS detector MOHAMMED FARAJ UNIVERSITA DI UDINE/INFN TRIESTE -GRUPPO COLLEGATO

601 views • 23 slides
Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions

Questioning Kerberos Assumptions Sam Hartman IETF 63 Questioning Kerberos Assumptions Principal Names are not remapped in cross-realm The destination KDC is not involved in cross-realm Privacy of principal names 1 Why Remap

534 views • 19 slides
Single sign-on (SSO) Presentation Tiit Erm 106572 IVCMM Main points Introduction Old

Single sign-on (SSO) Presentation Tiit Erm 106572 IVCMM Main points Introduction Old

Single sign-on (SSO) Presentation Tiit Erm 106572 IVCMM Main points Introduction Old approach in multiple systems SSO Security Benefits Common SSO based configurations Examples of SSO usage Conclusion 15/12/11

379 views • 16 slides

More recommend