A few questions about implementing a KDC for OpenAFS


A few questions about implementing a KDC for OpenAFS

Madhusudan Singh
Hi

I am going through the Heimdal HTML guide, and have a few
questions about the KDC I intend to implement for our group's OpenAFS
server(s):

1. Which is the better choice from the point of view of a Kerberos
authentication mechanism that fully integrates with OpenAFS (I will be
using Debian Sarge) - MIT or Heimdal ?

2. The group I administer servers for is a part of a much larger
organization which has its own realm and AFS setup. However, I want only a
subset of that organization (viz. my own group) to be authenticated for
access to our fileservers (which have FQDNs and are visible on the
Internet, running Slackware 10.1). Is it possible for me to get away
without implementing a KDC at all and just pass on the authentication
requests to the organization's KDC after ensuring that they belong to a
restricted subset of the users at my end ?

3. Let us assume that the answer to 2 above is no. In that case, is it
possible for me to hide the KDC completely from the Internet ( with class C
addresses) ? Let us assume the following topology :

Fileserver (with a lot of hard disk space with two network interfaces - with
network addresses - FQDN address and a class C address, say 192.168.0.1)
-------- KDC server (a small amount of hard disk space with IP
192.168.0.2).

All the clients (Windows XP Professional, Linux, and Mac OS X) would have
dynamic IP addresses in a range outside of the class C network
(obtained from a DHCP server in the larger organization I referred to in 2
above).

I guess I am asking if it is possible for the fileservers to "forward"
authentication requests in some fashion to a KDC that the clients know (and
can know) nothing about.

Or should the KDC be the machine that is visible on the Internet and the
fileservers have the class C addresses ?

Please bear with me - this is the first time I am trying to set up a KDC and I am
also totally new to Kerberos administration. Any pointers to relevant
documentation would be greatly welcome.

MS


Re: A few questions about implementing a KDC for OpenAFS

Johan Danielsson
Madhusudan Singh <[hidden email]> writes:

> 1. Which is the better choice from the point of view of a Kerberos
> authentication mechanism that fully integrates with OpenAFS (I will
> be using Debian Sarge) - MIT or Heimdal ?

I don't know, and my answer would be biased in any case :-)

> Is it possible for me to get away without implementing a KDC at all
> and just pass on the authentication requests to the organization's
> KDC after ensuring that they belong to a restricted subset of the
> users at my end ?

Sort of, you can have more than one AFS cell in one Kerberos realm.
You create a separate key for your cell, calling it afs/<yourcell>,
while the other cell is just afs or afs/<othercell>. You may still
need to convince the fileservers about the difference in cellname vs
realm name (in .../etc/openafs/server/krb.conf).

File access is based on what you have in your pts database along with
acl:s on each directory. The namespace will obviously be shared with
the other cell. Of course, anyone with access to the KDC:s will have
potential access to your cell - you have to decide if that's a problem
to you.

> I guess I am asking if it is possible for the fileservers to
> "forward" authentication requests in some fashion to a KDC that the
> clients know (and can know) nothing about.

Not out of the box. I recall that there was a forwarder for the
kaserver, but I'm not aware of one for Kerberos 5.

> Or should the KDC be the machine that is visible on the Internet and
> the fileservers have the class C addresses ?

By "class C" I assume you really mean private addresses. Well you'd
have to access the fileservers from somewhere, and those machines will
have to have a route to the servers. If you have a router you can
either use some kind of port filtering on the outside connection, or
add private routes only visible to the inside. There are probably more
options.

If what you really want is a filesystem that isn't visible at all,
except from a subset of machines (and users), you probably want to put
those machines on a separate subnet along with the servers. If it's
really secret stuff you're working on, I recommend encrypting the data
before putting it in AFS (or any other filesystem for that matter). The
client can encrypt data transfers, but the security provided is not
exactly top of the line.

/Johan
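As an added example (not code from the thread or from OpenAFS/Heimdal), the check below follows Johan's description: each cell in a shared realm gets its own afs/<cell> key, while the plain afs key is shared. It assumes the server krb.conf names the realm on its first line, that aklog tries afs/<cell>@REALM before afs@REALM, and parses constructed `klist -k` style output.

```python
# Added example: which AFS service key does a cell actually rely on?
# If a cell only resolves to afs@REALM, that key is shared with the other
# cell in the same realm, which is the exposure Johan warns about.
import re

def cell_realm_from_krb_conf(text):
    """Assumption: the first non-empty line of the server krb.conf is the realm."""
    for line in text.splitlines():
        line = line.strip()
        if line:
            return line
    return None

def service_principals(cell, realm):
    """Names tried for a cell, most specific first (assumed aklog order)."""
    return [f"afs/{cell}@{realm}", f"afs@{realm}"]

def parse_klist(output):
    """Extract principal names from 'klist -k' style lines (kvno, type, principal)."""
    names = []
    for line in output.splitlines():
        m = re.match(r"^\s*(\d+)\s+.*?(\S+@\S+)\s*$", line)
        if m:
            names.append(m.group(2))
    return names

def check_cell_key(cell, realm, keytab_principals):
    """Return (principal_used, dedicated).

    dedicated is False when the only usable key is the realm-wide afs@REALM,
    i.e. the key the other cell in the realm also uses.
    """
    for p in service_principals(cell, realm):
        if p in keytab_principals:
            return p, p.startswith("afs/")
    return None, False

# Constructed sample input (not a real site's files).
KRB_CONF = "DOMAIN.EDU\n"
KLIST = """Vno  Type         Principal
  3  des-cbc-crc  afs/mygroup.domain.edu@DOMAIN.EDU
  7  des-cbc-crc  afs@DOMAIN.EDU
"""

if __name__ == "__main__":
    realm = cell_realm_from_krb_conf(KRB_CONF)
    for cell in ("mygroup.domain.edu", "domain.edu"):
        print(cell, check_cell_key(cell, realm, parse_klist(KLIST)))
```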

Re: A few questions about implementing a KDC for OpenAFS

Harald Barth
In reply to this post by Madhusudan Singh

> 1. Which is the better choice from the point of view of a Kerberos
> authentication mechanism that fully integrates with OpenAFS (I will be
> using Debian Sarge) - MIT or Heimdal ?

I don't know how good or bad the stuff in the packages is. My impression
is that Heimdal has some convenient functions - one that I remember is
that it lets you generate AFS keyfiles.

> 2. The group I administer servers for is a part of a much larger
> organization which has its own realm and AFS setup. However, I want only a
> subset of that organization (viz. my own group) to be authenticated for
> access to our fileservers (which have FQDNs and are visible on the
> Internet, running Slackware 10.1). Is it possible for me to get away
> without implementing a KDC at all and just pass on the authentication
> requests to the organization's KDC after ensuring that they belong to a
> restricted subset of the users at my end ?

You can use their KDC and use your own AFS cell in their realm.

> 3. Let us assume that the answer to 2 above is no. In that case, is it
> possible for me to hide the KDC completely from the Internet ( with class C
> addresses) ?

Why? The KDC is one of the more safe applications.

>  Let us assume the following topology :
> (...)

I think you make things unnecessarily complicated. If you trust your
head organization not to break in willingly (because the AFS master
key is of course in the KDC), you can set up your own AFS cell with
your users only. Or you can use your own KDC, exchange trust with
the other KDC and then let your users decide whom to trust (for
example their alter ego in the other realm).

I do not understand what you want to win by using a black net.

Harald.

Re: A few questions about implementing a KDC for OpenAFS

Henry B. Hotz
In reply to this post by Johan Danielsson
On May 26, 2005, at 1:13 AM, Johan Danielsson wrote:

> Madhusudan Singh <[hidden email]> writes:
>
>> 1. Which is the better choice from the point of view of a Kerberos
>> authentication mechanism that fully integrates with OpenAFS (I will
>> be using Debian Sarge) - MIT or Heimdal ?
>
> I don't know, and my answer would be biased in any case :-)

If AFS is your priority then use Heimdal.  If you care about "hard"  
security features like replay caching and password history then use  
MIT.  (Yeah that's way oversimplified.)

>> Is it possible for me to get away without implementing a KDC at all
>> and just pass on the authentication requests to the organization's
>> KDC after ensuring that they belong to a restricted subset of the
>> users at my end ?
>
> Sort of, you can have more than one AFS cell in one Kerberos realm.
> You create a separate key for your cell, calling it afs/<yourcell>,
> while the other cell is just afs or afs/<othercell>. You may still
> need to convince the fileservers about the difference in cellname vs
> realm name (in .../etc/openafs/server/krb.conf).
>
> File access is based on what you have in your pts database along with
> acl:s on each directory. The namespace will obviously be shared with
> the other cell. Of course, anyone with access to the KDC:s will have
> potential access to your cell - you have to decide if that's a problem
> to you.
>
>> I guess I am asking if it is possible for the fileservers to
>> "forward" authentication requests in some fashion to a KDC that the
>> clients know (and can know) nothing about.
>
> Not out of the box. I recall that there was a forwarder for the
> kaserver, but I'm not aware of one for Kerberos 5.

Heimdal:  run the KDC's on your afs db servers.
MIT: run the kaforwarder daemon on the afs db servers.

If you go with MIT make sure you check out the afs-krb5 migration kit!  
Much of its functionality has been absorbed into the MIT distribution  
but you still need its kaforwarder and the afs keyfile utility as a  
minimum.

>> Or should the KDC be the machine that is visible on the Internet and
>> the fileservers have the class C addresses ?

The kdc isn't what you need to hide (unless you're doing something  
unreasonable).

AFS data traffic is not encrypted.  If you're worried about someone  
eavesdropping on an AFS connection then you should look at putting AFS  
on a "black" network along with your clients.

If you want AFS data encrypted (properly, with the best Kerberos 5 has  
to offer) then you need what we (at JPL) have been calling OpenAFS 2.1.  
  2.0 finishes the migration to Kerberos 5 for authentication, and 2.1  
adds the data encryption.  Jeffrey Altman and Love are working on it  
and some version of it should be out this summer.  (And yes, JPL is  
underwriting part of the work.  Jeffrey didn't need to be as coy as he  
was when the subject came up on the OpenAFS list.)
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[hidden email], or [hidden email]


Re: A few questions about implementing a KDC for OpenAFS

Johan Danielsson
"Henry B. Hotz" <[hidden email]> writes:

> Heimdal:  run the KDC's on your afs db servers.
> MIT: run the kaforwarder daemon on the afs db servers.

But only if you really need ka. What's the status on windows clients
this week?

/Johan

Re: A few questions about implementing a KDC for OpenAFS

Love Hörnquist Åstrand

Johan Danielsson <[hidden email]> writes:

> "Henry B. Hotz" <[hidden email]> writes:
>
>> Heimdal:  run the KDC's on your afs db servers.
>> MIT: run the kaforwarder daemon on the afs db servers.
>
> But only if you really need ka. What's the status on windows clients
> this week?

I think they use MIT's Kerberos for Windows nowadays.

Love



Re: A few questions about implementing a KDC for OpenAFS

Johan Danielsson
Love Hörnquist Åstrand <[hidden email]> writes:

> I think they use MIT's Kerberos for Windows nowadays.

So then nothing really needs the kaserver interface anymore?

/Johan

Re: A few questions about implementing a KDC for OpenAFS

Ken Hornstein
In reply to this post by Henry B. Hotz
>>> 1. Which is the better choice from the point of view of a Kerberos
>>> authentication mechanism that fully integrates with OpenAFS (I will
>>> be using Debian Sarge) - MIT or Heimdal ?
>>
>> I don't know, and my answer would be biased in any case :-)
>
>If AFS is your priority then use Heimdal.  If you care about "hard"  
>security features like replay caching and password history then use  
>MIT.  (Yeah that's way oversimplified.)

You can have your cake and eat it too, if you really want to.  E.g., you
could use Heimdal on your KDC (where it has much better AFS integration)
but you could use MIT on your application servers (where it actually does
replay caching).

--Ken

Re: A few questions about implementing a KDC for OpenAFS

Henry B. Hotz
In reply to this post by Johan Danielsson

On May 27, 2005, at 1:46 AM, Johan Danielsson wrote:

> "Henry B. Hotz" <[hidden email]> writes:
>
>> Heimdal:  run the KDC's on your afs db servers.
>> MIT: run the kaforwarder daemon on the afs db servers.
>
> But only if you really need ka. What's the status on windows clients
> this week?

I don't believe Jeffrey has removed any options, so it all depends on
configuration.  His recommendation (to us anyway) is that OAFSW and KFW
be configured so the former gets tokens from the latter.  This will do
local 5->4 translation.  Server based 5->4 is possible with OAFSW.
OAFSW can still talk K4 if asked.

I don't know if Jeffrey added in the legacy ka code as part of the new  
rxgk stuff.
----------------------------------------------------------------------------
The opinions expressed in this message are mine,
not those of Caltech, JPL, NASA, or the US Government.
[hidden email], or [hidden email]


Re: A few questions about implementing a KDC for OpenAFS

Madhusudan Singh
In reply to this post by Harald Barth
Thanks for your response.

On Thursday 26 May 2005 04:34, Harald Barth wrote:
> > 1. Which is the better choice from the point of view of a Kerberos
> > authentication mechanism that fully integrates with OpenAFS (I will be
> > using Debian Sarge) - MIT or Heimdal ?
>
> I don't know how good or bad the stuff in the packages is. My impression
> is that Heimdal has some convenient functions - one that I remember is
> that it lets you generate AFS keyfiles.
>

Ok. Having precompiled packages is not a must for me. I can compile stuff.


> > 2. The group I administer servers for is a part of a much larger
> > organization which has its own realm and AFS setup. However, I want only
> > a subset of that organization (viz. my own group) to be authenticated for
> > access to our fileservers (which have FQDNs and are visible on the
> > Internet, running Slackware 10.1). Is it possible for me to get away
> > without implementing a KDC at all and just pass on the authentication
> > requests to the organization's KDC after ensuring that they belong to a
> > restricted subset of the users at my end ?
>
> You can use their KDC and use your own AFS cell in their realm.
>
> > 3. Let us assume that the answer to 2 above is no. In that case, is it
> > possible for me to hide the KDC completely from the Internet ( with class
> > C addresses) ?
>
> Why? The KDC is one of the more safe applications.

This is a little confusing. I posed a question on the postfix-users list and
inquired if it would be possible to use GSSAPI to authenticate against the
KDC for my local subrealm. They suggested that exposing the KDC to the
Internet with a FQDN is never a good idea.

So, that leaves a class C address behind a proper firewall, doesn't it ?

>
> >  Let us assume the following topology :
> > (...)
>
> I think you make things unnecessarily complicated. If you trust your
> head organization not to break in willingly (because the AFS master
> key is of course in the KDC), you can set up your own AFS cell with
> your users only. Or you can use your own KDC, exchange trust with
> the other KDC and then let your users decide whom to trust (for
> example their alter ego in the other realm).

Maybe I did not explain this thoroughly. I intend to have a subrealm (say
kdchost.domain.edu, where domain.edu already has its own AFS realm -
kdcsuper.domain.edu).

>
> I do not understand what you want to win by using a black net.

Some security. Maybe I am now more confused (hopefully better informed) than
before!

Re: A few questions about implementing a KDC for OpenAFS

Love Hörnquist Åstrand
In reply to this post by Johan Danielsson

Johan Danielsson <[hidden email]> writes:

> Love Hörnquist Åstrand <[hidden email]> writes:
>
>> I think they use MIT's Kerberos for Windows nowadays.
>
> So then nothing really needs the kaserver interface anymore?

Except people that still want to have a migration path from a kaserver
environment to Heimdal, no. But those seem to still exist.

Love

