kerberos5.html

FreeBSD安装说明概述 FreeBSD 提供了一个以文字为主

class="ACRONYM">KDC</acronym> error.</p>
</li>

<li>
<p>With <acronym class="ACRONYM">MIT</acronym> <b class="APPLICATION">Kerberos</b>, if
you want to allow a principal to have a ticket life longer than the default ten hours,
you must use <tt class="COMMAND">modify_principal</tt> in <tt class="COMMAND">kadmin</tt>
to change the maxlife of both the principal in question and the <tt
class="USERNAME">krbtgt</tt> principal. Then the principal can use the <var
class="LITERAL">-l</var> option with <tt class="COMMAND">kinit</tt> to request a ticket
with a longer lifetime.</p>
</li>

<li>
<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> If you run a packet sniffer on your <acronym
class="ACRONYM">KDC</acronym> to add in troubleshooting and then run <tt
class="COMMAND">kinit</tt> from a workstation, you will notice that your <acronym
class="ACRONYM">TGT</acronym> is sent immediately upon running <tt
class="COMMAND">kinit</tt> -- even before you type your password! The explanation is that
the <b class="APPLICATION">Kerberos</b> server freely transmits a <acronym
class="ACRONYM">TGT</acronym> (Ticket Granting Ticket) to any unauthorized request;
however, every <acronym class="ACRONYM">TGT</acronym> is encrypted in a key derived from
the user's password. Therefore, when a user types their password it is not being sent to
the <acronym class="ACRONYM">KDC</acronym>, it is being used to decrypt the <acronym
class="ACRONYM">TGT</acronym> that <tt class="COMMAND">kinit</tt> already obtained. If
the decryption process results in a valid ticket with a valid time stamp, the user has
valid <b class="APPLICATION">Kerberos</b> credentials. These credentials include a
session key for establishing secure communications with the <b
class="APPLICATION">Kerberos</b> server in the future, as well as the actual
ticket-granting ticket, which is actually encrypted with the <b
class="APPLICATION">Kerberos</b> server's own key. This second layer of encryption is
unknown to the user, but it is what allows the <b class="APPLICATION">Kerberos</b> server
to verify the authenticity of each <acronym class="ACRONYM">TGT</acronym>.</p>
</blockquote>
</div>
</li>

<li>
<p>You have to keep the time in sync between all the computers in your realm. <acronym
class="ACRONYM">NTP</acronym> is perfect for this. For more information on <acronym
class="ACRONYM">NTP</acronym>, see <a href="network-ntp.html">Section 19.12</a>.</p>
</li>

<li>
<p>If you want to use long ticket lifetimes (a week, for example) and you are using <b
class="APPLICATION">OpenSSH</b> to connect to the machine where your ticket is stored,
make sure that <b class="APPLICATION">Kerberos</b> <var
class="OPTION">TicketCleanup</var> is set to <var class="LITERAL">no</var> in your <tt
class="FILENAME">sshd_config</tt> or else your tickets will be deleted when you log
out.</p>
</li>

<li>
<p>Remember that host principals can have a longer ticket lifetime as well. If your user
principal has a lifetime of a week but the host you are connecting to has a lifetime of
nine hours, you will have an expired host principal in your cache and the ticket cache
will not work as expected.</p>
</li>

<li>
<p>When setting up a <tt class="FILENAME">krb5.dict</tt> file to prevent specific bad
passwords from being used (the manual page for <tt class="COMMAND">kadmind</tt> covers
this briefly), remember that it only applies to principals that have a password policy
assigned to them. The <tt class="FILENAME">krb5.dict</tt> files format is simple: one
string per line. Creating a symbolic link to <tt
class="FILENAME">/usr/share/dict/words</tt> might be useful.</p>
</li>
</ul>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN11922" name="AEN11922">10.7.7. Differences with the <acronym
class="ACRONYM">MIT</acronym> port</a></h2>

<p>The major difference between the <acronym class="ACRONYM">MIT</acronym> and Heimdal
installs relates to the <tt class="COMMAND">kadmin</tt> program which has a different
(but equivalent) set of commands and uses a different protocol. This has a large
implications if your <acronym class="ACRONYM">KDC</acronym> is <acronym
class="ACRONYM">MIT</acronym> as you will not be able to use the Heimdal <tt
class="COMMAND">kadmin</tt> program to administer your <acronym
class="ACRONYM">KDC</acronym> remotely (or vice versa, for that matter).</p>

<p>The client applications may also take slightly different command line options to
accomplish the same tasks. Following the instructions on the <acronym
class="ACRONYM">MIT</acronym> <b class="APPLICATION">Kerberos</b> web site (<a
href="http://web.mit.edu/Kerberos/www/"
target="_top">http://web.mit.edu/Kerberos/www/</a>) is recommended. Be careful of path
issues: the <acronym class="ACRONYM">MIT</acronym> port installs into <tt
class="FILENAME">/usr/local/</tt> by default, and the ``normal'' system applications may
be run instead of <acronym class="ACRONYM">MIT</acronym> if your <tt
class="ENVAR">PATH</tt> environment variable lists the system directories first.</p>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> With the <acronym class="ACRONYM">MIT</acronym> <a
href="http://www.FreeBSD.org/cgi/url.cgi?ports/security/krb5/pkg-descr"><tt
class="FILENAME">security/krb5</tt></a> port that is provided by FreeBSD, be sure to read
the <tt class="FILENAME">/usr/local/share/doc/krb5/README.FreeBSD</tt> file installed by
the port if you want to understand why logins via <tt class="COMMAND">telnetd</tt> and
<tt class="COMMAND">klogind</tt> behave somewhat oddly. Most importantly, correcting the
``incorrect permissions on cache file'' behavior requires that the <tt
class="COMMAND">login.krb5</tt> binary be used for authentication so that it can properly
change ownership for the forwarded credentials.</p>
</blockquote>
</div>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN11950" name="AEN11950">10.7.8. Mitigating limitations found
in <b class="APPLICATION">Kerberos</b></a></h2>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN11956" name="AEN11956">10.7.8.1. <b
class="APPLICATION">Kerberos</b> is an all-or-nothing approach</a></h3>

<p>Every service enabled on the network must be modified to work with <b
class="APPLICATION">Kerberos</b> (or be otherwise secured against network attacks) or
else the users credentials could be stolen and re-used. An example of this would be <b
class="APPLICATION">Kerberos</b> enabling all remote shells (via <tt
class="COMMAND">rsh</tt> and <tt class="COMMAND">telnet</tt>, for example) but not
converting the <acronym class="ACRONYM">POP3</acronym> mail server which sends passwords
in plaintext.</p>
</div>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN11965" name="AEN11965">10.7.8.2. <b
class="APPLICATION">Kerberos</b> is intended for single-user workstations</a></h3>

<p>In a multi-user environment, <b class="APPLICATION">Kerberos</b> is less secure. This
is because it stores the tickets in the <tt class="FILENAME">/tmp</tt> directory, which
is readable by all users. If a user is sharing a computer with several other people
simultaneously (i.e. multi-user), it is possible that the user's tickets can be stolen
(copied) by another user.</p>

<p>This can be overcome with the <var class="LITERAL">-c</var> filename command-line
option or (preferably) the <tt class="ENVAR">KRB5CCNAME</tt> environment variable, but
this is rarely done. In principal, storing the ticket in the users home directory and
using simple file permissions can mitigate this problem.</p>
</div>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN11974" name="AEN11974">10.7.8.3. The KDC is a single point of
failure</a></h3>

<p>By design, the <acronym class="ACRONYM">KDC</acronym> must be as secure as the master
password database is contained on it. The <acronym class="ACRONYM">KDC</acronym> should
have absolutely no other services running on it and should be physically secured. The
danger is high because <b class="APPLICATION">Kerberos</b> stores all passwords encrypted
with the same key (the ``master'' key), which in turn is stored as a file on the <acronym
class="ACRONYM">KDC</acronym>.</p>

<p>As a side note, a compromised master key is not quite as bad as one might normally
fear. The master key is only used to encrypt the <b class="APPLICATION">Kerberos</b>
database and as a seed for the random number generator. As long as access to your
<acronym class="ACRONYM">KDC</acronym> is secure, an attacker cannot do much with the
master key.</p>

<p>Additionally, if the <acronym class="ACRONYM">KDC</acronym> is unavailable (perhaps
due to a denial of service attack or network problems) the network services are unusable
as authentication can not be performed, a recipe for a denial-of-service attack. This can
alleviated with multiple <acronym class="ACRONYM">KDC</acronym>s (a single master and one
or more slaves) and with careful implementation of secondary or fall-back authentication
(<acronym class="ACRONYM">PAM</acronym> is excellent for this).</p>
</div>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN11989" name="AEN11989">10.7.8.4. <b
class="APPLICATION">Kerberos</b> Shortcomings</a></h3>

<p><b class="APPLICATION">Kerberos</b> allows users, hosts and services to authenticate
between themselves. It does not have a mechanism to authenticate the <acronym
class="ACRONYM">KDC</acronym> to the users, hosts or services. This means that a
trojanned <tt class="COMMAND">kinit</tt> (for example) could record all user names and
passwords. Something like <a
href="http://www.FreeBSD.org/cgi/url.cgi?ports/security/tripwire/pkg-descr"><tt
class="FILENAME">security/tripwire</tt></a> or other file system integrity checking tools
can alleviate this.</p>
</div>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN11997" name="AEN11997">10.7.9. Resources and further
information</a></h2>

<ul>
<li>
<p><a href="http://www.faqs.org/faqs/Kerberos-faq/general/preamble.html"
target="_top">The <b class="APPLICATION">Kerberos</b> FAQ</a></p>
</li>

<li>
<p><a href="http://web.mit.edu/Kerberos/www/dialogue.html" target="_top">Designing an
Authentication System: a Dialogue in Four Scenes</a></p>
</li>

<li>
<p><a href="http://www.ietf.org/rfc/rfc1510.txt?number=1510" target="_top">RFC 1510, The
<b class="APPLICATION">Kerberos</b> Network Authentication Service (V5)</a></p>
</li>

<li>
<p><a href="http://web.mit.edu/Kerberos/www/" target="_top"><acronym
class="ACRONYM">MIT</acronym> <b class="APPLICATION">Kerberos</b> home page</a></p>
</li>

<li>
<p><a href="http://www.pdc.kth.se/heimdal/" target="_top">Heimdal <b
class="APPLICATION">Kerberos</b> home page</a></p>
</li>
</ul>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="kerberosiv.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="firewalls.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">KerberosIV</td>
<td width="34%" align="center" valign="top"><a href="security.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top">Firewalls</td>
</tr>
</table>
</div>
</body>
</html>