AFS - PowerPoint PPT Presentation

About This Presentation
Title:

AFS

Description:

AFS & Kerberos Best Practices '08. Kerberizing a Commercial Application ... LD_LIBRARY_PATH=/usr/local/BerkeleyDB/v4/lib. Deployment issues ... – PowerPoint PPT presentation

Slides: 17
Provided by: johnnri

Transcript and Presenter's Notes

1
AFS & Kerberos Best Practices '08
Kerberizing a Commercial Application
2
AFS & Kerberos Best Practices Workshop 2008
Overview
  • Design Goals
  • Functions that require authentication
  • Solution Space: Kerberos, GSSAPI or SASL (Decide on your API!)
  • Test Environment
  • Configuration options
  • Kerberos vs. GSSAPI
  • Deployment issues
3
Design Goals
  • Try for a best practices implementation
  • KDC compatibility (MIT/Heimdal/Windows/CyberSafe/
    others)
  • Heterogeneous support (Linux, UNIX, Windows,
    OSX, Netware)
  • Compatibility with the existing TiBS solution
  • Customer ease of use
  • Minimize support costs

4
Functions that require authentication
  • TiBS Server initiated operations
      • The TiBS Server is the Kerberos client
      • The TiBS Client is the Kerberos application server
      • Backup, restore, and auditing programs
      • Command line (as root) and cron jobs
  • TiBS Client initiated operations
      • The TiBS Client is the Kerberos client
      • The TiBS Server is the Kerberos application server
      • Backup (local and request modes)
      • Command line (as root OR user) and cron jobs

5
Solution Space (kerberos@mit.edu, lots of paths)
  • How to build?
      • Statically link against some library
      • Dynamically link (dlopen) and ship libraries
      • Use a shim to allow clients to build their own binaries
  • What to build?
      • Kerberos 5
      • GSSAPI
      • SASL
  • Who to build?
      • MIT/Heimdal/OS Vendor/Commercial

6
Decide on your API! (Why choose Kerberos)
  • You want to get initial credentials.
  • You want to renew Kerberos tickets.
  • You want to do user-to-user authentication.
  • You are writing something for internal use and
    want to get away with a minimum amount of code.
  • You want to guarantee a single round-trip
    authentication.
  • You are using a datagram protocol.
  • You want to make use of various Kerberos ticket
    fields.
  • You're not concerned about porting from Heimdal
    to MIT, or vice versa.

7
Decide on your API! (Why choose GSSAPI)
  • You want API stability between MIT, Heimdal, or
    other Kerberos implementations.
  • You want to make use of native Windows Kerberos
    services.
  • You want to add GSSAPI mech support to an
    application that already implements SASL
    internally.
  • You want to provide a path for supporting other
    security mechanisms in the future.

8
Decide on your API! (Why choose SASL)
  • You want the ability to support a wide variety
    of security mechanisms, today.
  • You need to interoperate with protocols that
    use SASL and you can guarantee that Cyrus-SASL
    will be available.
  • You need the ability to negotiate the use of
    encryption.

9
Test Environment
  • MIT (1.6.3) and Heimdal Libraries (1.1)
  • Static, dynamic, dlopen (MIT does not support
    static libraries)
  • Solaris and Linux (primary backup servers)
  • Kerberos and GSSAPI
  • Clients can use Standard, Kerberos, or GSSAPI
    Authentication
  • Servers accept any of these methods

10
Configuration options
  • Alternate keytabs (KRB5_KTNAME environment variable)
    1. Regular users need to authenticate with a common principal,
       for example tibs/backup@REALM
    2. You have services that do not run as root
  • TIBS_KEYTAB=/usr/tibs/tibs.keytab
  • if (setenv("KRB5_KTNAME", keytab_string, 1)) warn(...)
  • Our application primarily runs as root, so (1) is possible
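The setenv step on this slide, written out as an added example (not code from the presentation or from TiBS): it resolves the keytab path (TIBS_KEYTAB override, else /usr/tibs/tibs.keytab), refuses a keytab that is missing, not a regular file, or readable by group/other, and only then exports KRB5_KTNAME. The status codes, the permission check and the function names are assumptions.

```c
#define _POSIX_C_SOURCE 200809L   /* setenv() */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>

#define TIBS_DEFAULT_KEYTAB "/usr/tibs/tibs.keytab"   /* path from the slide */

/* Assumed status codes; the slide only says "warn" on failure. */
enum keytab_status { KT_OK = 0, KT_MISSING, KT_NOT_FILE, KT_PERMS, KT_SETENV_FAILED };

/* A keytab holds long-term keys: any group/other permission bit is a misconfiguration. */
int keytab_mode_ok(mode_t mode)
{
    return (mode & (S_IRWXG | S_IRWXO)) == 0;
}

/* Resolve the keytab: explicit argument, then TIBS_KEYTAB, then the built-in default. */
const char *keytab_path(const char *explicit)
{
    const char *env = getenv("TIBS_KEYTAB");
    if (explicit && *explicit) return explicit;
    if (env && *env) return env;
    return TIBS_DEFAULT_KEYTAB;
}

/* Check the keytab, then point libkrb5 at it through KRB5_KTNAME (overwrite = 1, as on
 * the slide). KRB5_KTNAME is left untouched unless every check passes. */
enum keytab_status configure_keytab(const char *explicit)
{
    const char *path = keytab_path(explicit);
    struct stat st;
    if (stat(path, &st) != 0) {
        fprintf(stderr, "warning: keytab %s: %s\n", path, strerror(errno));
        return KT_MISSING;
    }
    if (!S_ISREG(st.st_mode)) {
        fprintf(stderr, "warning: keytab %s is not a regular file\n", path);
        return KT_NOT_FILE;
    }
    if (!keytab_mode_ok(st.st_mode)) {
        fprintf(stderr, "warning: keytab %s is readable by group/other\n", path);
        return KT_PERMS;
    }
    if (setenv("KRB5_KTNAME", path, 1) != 0) {
        fprintf(stderr, "warning: cannot set KRB5_KTNAME: %s\n", strerror(errno));
        return KT_SETENV_FAILED;
    }
    return KT_OK;
}
```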
11
Configuration options
  • Alternate service principals (default: host/hostname@REALM)
    1. Regular users need to authenticate with a common principal:
       KRB5_ACCEPT_PRINC=tibs/backup@REALM
    2. You have services that do not run as root
    3. Allow access to backup clients from multiple servers (as root):
       KRB5_KEY_LOOKUP=tibs/backup@REALM
  • If your service principals are not in service/hostname@REALM format:
      • Kerberos: krb5_mk_req_extended()
      • GSSAPI: gss_import_name() with GSS_C_NT_USER_NAME
12
Configuration options
  • Server Side Access Control Lists
  • Regular users use their existing credentials
  • Allow or deny services
  • Example:
      user@REALM  host1  backup
      laptop1  backup
      deny
  • We will probably need to do this
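An added example (not code from the slides or from TiBS) of a first-match evaluator for ACL entries like the three above. The line format is an assumption modelled on the slide's example: `[deny] [principal] host service`, where `*` matches any value, a bare `deny` line refuses everything not matched earlier, and malformed or overlong lines fail closed.

```c
#include <stdio.h>
#include <string.h>

/* Constructed ACL text in the assumed format, mirroring slide 12's example. */
const char *TIBS_ACL_EXAMPLE =
    "user@REALM host1 backup\n"   /* this principal, coming from host1, may run backup */
    "laptop1 backup\n"            /* any authenticated principal on laptop1 may run backup */
    "deny\n";                     /* everything else is refused */

static int field_matches(const char *pattern, const char *value)
{
    return strcmp(pattern, "*") == 0 || strcmp(pattern, value) == 0;
}

/* First matching rule wins. Returns 1 to allow, 0 to deny. A malformed or overlong
 * line denies immediately, so a damaged ACL can never open the service up. */
int acl_check(const char *acl, const char *principal, const char *host, const char *service)
{
    const char *p = acl;
    while (p && *p) {
        char line[256], f[4][64];
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len >= sizeof line) return 0;              /* overlong line: fail closed */
        memcpy(line, p, len);
        line[len] = '\0';
        p = nl ? nl + 1 : NULL;

        int n = sscanf(line, "%63s %63s %63s %63s", f[0], f[1], f[2], f[3]);
        if (n < 1 || f[0][0] == '#') continue;         /* blank or comment line */
        int allow = 1, i = 0;
        if (strcmp(f[0], "deny") == 0) {
            if (n == 1) return 0;                      /* bare "deny": catch-all */
            allow = 0;
            i = 1;
        }
        const char *rp, *rh, *rs;
        if (n - i == 2)      { rp = "*";  rh = f[i];     rs = f[i + 1]; }
        else if (n - i == 3) { rp = f[i]; rh = f[i + 1]; rs = f[i + 2]; }
        else return 0;                                 /* malformed rule: fail closed */
        if (field_matches(rp, principal) && field_matches(rh, host) && field_matches(rs, service))
            return allow;
    }
    return 0;                                          /* no rule matched: deny */
}
```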

13
Kerberos vs. GSSAPI
  • Leaning towards deployment with GSSAPI
  • Easy implementation using example code from Sun
  • Windows: SSPI
  • May want to use Solaris native libraries
14
Deployment issues
  • Static Linking
      - Works with no configuration changes
      - Minimal changes to our installer
      - Safe bet for keeping backups running
  • Dynamic Linking
      - Ship the dynamic link libraries you compile against
      - Manage LD_LIBRARY_PATH
      - Ongoing problems with deployment: Linux GLIBC_2.2.5 with Heimdal-1.1,
        LD_LIBRARY_PATH=/usr/local/BerkeleyDB/v4/lib
15
Deployment issues
  • Linux: strongly considering static linking
  • Solaris: still looking at the OS libraries, otherwise probably static linking
  • Windows: looking at SSPI
  • OSX: stay tuned
  • SHIM: stay tuned
16
AFS & Kerberos Best Practices '08
Kerberizing a Commercial Application