Strong Auth Index Page | Presentation Outline

Introduction to Strong Authentication
at Fermilab

---

What is Strong Authentication?

Strong authentication is a system of verifying the identities of networked users, clients and servers without transmitting passwords over the network. It does not require that the network be protected. Both parties in a connection must demonstrate knowledge of some "secret" to establish their identities.

What is Kerberos?

The Kerberos Network Authentication Service V5, developed at MIT, is the network authentication program that Fermilab has chosen to implement strong authentication. In addition to establishing identity (authentication), it supports encrypted network connections, thereby providing confidentiality.

The "heart" of a Kerberos installation is the Key Distribution Center (KDC). All the computers associated with a KDC make up what's called a strengthened realm. At Fermilab, the strengthened realm for UNIX machines is called FNAL.GOV. For Windows 2000, you will use FERMI.WIN.FNAL.GOV.

The KDC's main functions include:

• Maintaining a database of users and services within its realm
• Authenticating users by way of exchanging tickets between clients and services in the strengthened realm

Password-derived information is stored in the central KDC, but not passwords themselves.

Why has Fermilab implemented Kerberos authentication?

There have been several computer security breaches at Fermilab and other DOE facilities. Our funding agencies are requiring Fermilab to demonstrate that it is implementing a computer security system that exercises tight control over who uses the lab's computers and network.

What advantages does Kerberos have over other possible solutions?

• Password-checking (authentication) happens in one place, and the end systems need not store any information which can be used to try to guess a password.
• Kerberos allows a single point of disabling an unauthorized or wayward user on all systems in the strengthened realm.
• Kerberos supports integration with AFS; when you authenticate to Kerberos, you also authenticate to AFS.
• Fermi Kerberos (for UNIX) is a locally-enhanced version of the MIT Kerberos software, which
  • supports access by users on unstrengthened machines via CRYPTOCards
  • supports cron

What other advantages will you see?

• You will have one id, known as your Kerberos principal name (actually two principals: name@FNAL.GOV and name@FERMI.WIN.FNAL.GOV).
• You will have one password for each realm, but we encourage you to make them the same and keep them synchronized.
• Once you are authenticated on a system, you can move from one strengthened machine to another without having to type your password again.
• And, most importantly, the computers are more secure from abuse by outsiders.

How does Kerberos work?

Here is a sample scenario for a Windows desktop user:

1. User logs into Windows desktop computer on which Kerberos-aware software has been installed. User requests authentication. Entry of Kerberos password is required.
2. Password is used to derive a key to encrypt the exchanges between local host and KDC, but is not transmitted between them.
3. Upon authentication, user gets "ticket" from KDC.
4. User can now connect over the network to other strengthened hosts without typing a password again. By forwarding tickets when logging into remote host, the user can do all of the following without typing a password:
   • connect from one remote strengthened host to another
   • obtain AFS tokens
   • ksu to other accounts as permitted

If local machine does not have Kerberos-aware software, user connects to remote strengthened host over the network using a CRYPTOCard to provide a non-reusable password for authentication.

Fermilab Strong Authentication Policy

As of the end of 2001, Kerberos V5 is implemented on virtually all the computers at Fermilab. Our working definition of computer , as regards strong authentication, is: "any machine to which you can log in, and on which you can run arbitrary code".

On-site Machines

Kerberos authentication is currently not required for:

• uses which involve only reading public information (e.g., via the web)
• anonymous FTP
• email
• non-destructively entering information into a web or database form, in most cases

All other network accesses to computers on the Fermilab site must be preceded by Kerberos V5 authentication if the access is comparable to login or FTP service.

Currently, Windows desktop systems (W2K, NT4, Win95/98) must run Kerberos-aware software to access Kerberized UNIX resources. If your W2K desktop is in the W2K domain, you must use your FERMI.WIN.FNAL.GOV Kerberos password at login. Otherwise, the Windows desktops themselves do not require Kerberos authentication as long as they don't support remote login over the network. The NT4 domain resources will not be Kerberized until they get migrated to the W2K domain. What's status of NT4 resource migration??

After users and resources migrate from the Windows NT domain to the Windows 2000 (W2K) domain, things change. We'll discuss this at end of talk.Fix after last chapter is fixed

Furthermore, an on-site system may not be configured to prompt for or accept a reusable login password over the network.

This is typically not an issue for Windows desktop machines.

Off-site Machines

Off-site computers participating in Fermilab's strengthened realm must enforce secure access mechanisms, but they are not required to use Kerberos V5. (Refer to manual section 2.2 Authentication Guidelines for On-site vs. Off-site Machines.)

DHCP works fine: If you get tickets under one address and then get a new address, you need to reobtain tickets.

NAT can be a problem (see http://www.fnal.gov/docs/strongauth/html/offsite.html#60786).

If your machine is in a different domain (not fnal.gov), you may have to tweak your configuration. Fermi Kerberos is built to look for domains in DNS.

Documentation and References

• Fermilab's Strong Authentication documentation is maintained at http://www.fnal.gov/docs/strongauth/. It includes a manual provided in HTML, PS, and PDF formats, plus links to extra information. Each chapter of the manual is also available individually in PDF format.
• Windows 2000 at Fermilab homepage at http://www-win2k.fnal.gov/
• Archives from kerberos-users@fnal.gov mailing list at http://listserv.fnal.gov/archives/kerberos-users.html
• Archives from wrq-users@fnal.gov mailing list at http://listserv.fnal.gov/archives/wrq-users.html
• Archives from w2k-users@fnal.gov mailing list at http://listserv.fnal.gov/archives/w2k-users.html
• Kerberos: The Network Authentication Protocol, Massachusetts Institute of Technology.http://web.mit.edu/kerberos/www/
• Kerberos V5 UNIX User's Guide, Release: 1.0, Document Edition: 1.0, Massachusetts Institute of Technology (frequently updated). http://www-dcd.fnal.gov/computersecurity/StrongAuth/UserDocs/user-guide_toc.html
• Kerberos Frequently Asked Questions (U.S. Naval Research Laboratory). http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html
• Brian Tung, Kerberos, A Network Authentication System, Addison-Wesley, 1999.

Strong Auth Index Page | Presentation Outline