Strong Authentication and what it means for MINOS - PowerPoint PPT Presentation

1
Strong Authentication and what it means for MINOS
  • Liz Buckley-Geer
  • Fermilab

2
Outline
  • Introduction
  • Why are we doing this?
  • Are there benefits?
  • The authentication model
  • How does strong authentication work?
  • What does it mean for you?
  • Deployment at FNAL
  • Schedule for MINOS1
  • CVS repository
  • Linux machines
  • Windows machines
  • Macintoshes
  • Detector issues
  • Summary

3
Introduction
  • The information in these slides applies to access
    to the computers at FNAL and at the Soudan Mine
    because we have decided to operate the LAN at
    Soudan as part of the FNAL LAN - so everywhere I
    mention FNAL you should take it to include Soudan
    unless explicitly stated otherwise
  • There is a web page that contains much of what I
    am about to say
  • http://www.fnal.gov/docs/strongauth/
  • Written copies of the manual are available from
    WH8E in the office of Yolanda Valadez (the person
    who issues computer accounts)

4
Why are we doing this?
  • I quote from the "Strong Authentication at
    Fermilab" user manual
  • "An analysis of the major computer security
    incidents at Fermilab over the past couple of
    years, as well as the general sense of security
    incidents prior to that, shows that a common root
    cause of these incidents is the compromise of
    user passwords by their transmission in clear
    text over the network. Once intercepted,
    passwords can be re-used to gain unauthorized
    access to the destination system. Further, with
    user access to a compromised system, hackers can
    fairly easily gain privileged root access. In
    order to protect against unauthorized access to
    Fermilab computers, the Computing Division is
    implementing the Kerberos Network Authentication
    Service V5 to provide what is known as strong
    authentication over the network."
  • For example, on CDF we had one incident that
    required us to disable all accounts on our
    machines and give everyone a new password. We
    were off the air for 36 hours. We do not want
    this to happen to MINOS.

5
Are there benefits?
  • Yes, there are advantages
  • One big advantage is that you have ONE login,
    known as your kerberos principal and ONE password
    that works for all FNAL machines
  • You still need accounts on machines to access
    them but there are no locally stored passwords
    anymore
  • Once you have a ticket you can move from one
    strengthened machine to another without needing
    to type your password again.
  • Our computers WILL be more secure.
  • All password authentication happens in one place.
    This means that a user's access to all systems
    can be disabled in one location should the need
    arise

6
The authentication model
  • Three realms
  • Strengthened realm
  • Consists of all systems that require strong
    authentication for access (both on-site and
    off-site). All programs such as telnet and rlogin
    are replaced by strengthened versions. The only
    weak authentication that is allowed is via the
    console or a locally attached display
  • The trusted realm
  • Other sites that implement strong authentication
    that is acceptable to FNAL. This is primarily
    aimed at other laboratories. For example, if RAL
    decided to implement its own strong
    authentication and FNAL was happy with it then
    RAL would become a trusted realm
  • The un-trusted realm
  • Those systems that do not require strong
    authentication and permit traditional methods of
    access. These systems typically expose clear-text
    passwords on the network. An example would be an
    X-terminal

7
The authentication model - contd
  • At FNAL, machines are configured to respond in
    portal mode when requests for access come from
    machines in the un-trusted realm
  • In portal mode the strengthened machine acts as a
    secure gateway into the strengthened realm,
    requiring a single-use password.
  • At FNAL these single-use passwords are
    implemented using a CRYPTOCard.
  • A CRYPTOCard is a calculator-style, battery-
    powered token that must be initialized and
    synchronized with the KDC before use.

8
A CRYPTOCard

9
How does strong authentication work?
  • Kerberos operates by the exchange of tickets that
    allow access to all services by the user in the
    strengthened realm
  • Passwords are stored in the central Key
    Distribution Server (KDC).
  • User logs into kerberized computer at the console
    - may have to type kinit and give kerberos
    password if the login program on the machine is
    not the kerberized one.
  • User gets "ticket" from KDC.
  • Password is used as a key to encrypt the
    exchanges between host and KDC but is not
    transmitted between them.
  • You can now login to other strengthened hosts
    without typing a password again.
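To make the ticket exchange on this slide concrete, here is an added simulation (not code from the talk or from Fermilab's Kerberos deployment) of the initial exchange between kinit and the KDC: the KDC holds only a key derived from the password, the client proves it knows the password by opening the reply, and the password itself never crosses the wire. A toy HMAC-based cipher stands in for the Kerberos encryption types, and the principal name and realm FNAL.GOV are constructed sample values.

```python
import hashlib, hmac, os

def user_key(principal, password):
    # Long-term key derived from the password; only this key is kept at the KDC
    # (real Kerberos uses its own string-to-key function; this is a simplification).
    return hashlib.pbkdf2_hmac("sha256", password.encode(), principal.encode(), 20000)

def _stream(key, nonce, n):
    out = b""
    for ctr in range(0, n, 32):
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:n]

def seal(key, data):
    # Toy authenticated encryption (HMAC keystream + HMAC tag) standing in for
    # the Kerberos encryption types; enough to show the shape of the exchange.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(data, _stream(key, nonce, len(data))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

class KDC:
    def __init__(self):
        self.keys = {}                 # principal -> long-term key, never the password
        self.tgs_key = os.urandom(32)  # known only to the KDC

    def add_principal(self, principal, password):
        self.keys[principal] = user_key(principal, password)

    def as_exchange(self, principal):
        # AS-REQ names the principal; AS-REP carries a fresh session key sealed
        # under the user's key and a TGT sealed under the KDC's own key.
        session = os.urandom(16)
        tgt = seal(self.tgs_key, principal.encode() + b"|" + session)
        return seal(self.keys[principal], session), tgt

def kinit(kdc, principal, password, wire):
    # Client side of kinit; `wire` collects every byte that crosses the network.
    enc_session, tgt = kdc.as_exchange(principal)
    wire.extend([principal.encode(), enc_session, tgt])
    session = unseal(user_key(principal, password), enc_session)  # wrong password -> ValueError
    return session, tgt

def ticket_names(kdc, tgt):
    # Later logins present the TGT instead of a password; only the KDC can open it.
    return unseal(kdc.tgs_key, tgt).split(b"|", 1)[0].decode()
```

A network sniffer in this model sees only the principal name and two sealed blobs, which is why a captured session cannot be replayed the way a clear-text telnet password can.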

10
What does this mean for you?
  • All machines at FNAL will be kerberized by
    default. If you bring a machine to FNAL you will
    be required to kerberize it if you want to
    participate in the strengthened realm - this is
    highly recommended as it simplifies your access
    to other FNAL machines
  • If you are outside FNAL you have three choices
  • Install the kerberos client software on your
    machines and become part of the FNAL strengthened
    realm. This is the preferred method.
  • Practical considerations mean that offsite users
    will also be allowed to run ssh with passwords,
    public/private keys, host-based keys or kerberos
    on their local machines. However, machines that
    are sited at FNAL will need to use kerberized
    ssh; non-kerberized ssh is not permitted on these
    machines.

11
What does this mean for you - contd?
  • Leave your machine unstrengthened and always
    login using your CRYPTOCard. Note that if you
    need to perform actions which require typing in
    your kerberos password then you MUST make sure
    that you are on an encrypted connection such as
    ssh. You MUST NEVER type your kerberos password
    while logged in to an X-terminal.
  • Your site may have its own version of strong
    authentication which may be acceptable to FNAL
    and then you can become a trusted realm.

12
Deployment at FNAL
  • The current plan requires that strong
    authentication be fully deployed on all systems
    by January 2002
  • Systems that cannot be strengthened must not be
    directly accessible on the network - they must
    be reached through a gateway machine.
  • Everyone who needs to access FNAL and Soudan
    machines will need a kerberos principal and
    should also get a CRYPTOCard. There is a web form
    http://www.fnal.gov/cd/forms/strongauth.html
  • Your CRYPTOCard can be mailed to you so you don't
    need to come to FNAL

13
Schedule for MINOS1
  • The kerberos client software will be installed on
    MINOS1 at the beginning of July
  • We will operate in a dual mode of both kerberos
    and ssh until early September when the machine
    will become fully strengthened
  • Un-kerberized ftp will be disabled. In the
    interim period until we are fully strengthened we
    will provide anonymous ftp for people who still
    need to copy files - particularly from Windows
    machines.
  • FNAL NuMI/MINOS desktops will be kerberized
    during this period.
  • FNALU will be kerberized in October.

14
CVS Repository
  • We need to switch to using cvsh, which is a
    restricted shell that only allows cvs commands to
    be executed
  • Use pserver to configure the read-only access
  • There are several possibilities for write access
  • Kerberos access
  • The minoscvs account contains the names of all
    people who have write access to the repository in
    the .k5login file
  • Users need to kinit to get credentials before
    accessing the repository
  • Then use kerberized rsh to access repository
  • Requires remote machine to be running kerberos
    client
  • SSH access
  • Configure non-kerberized ssh to only allow access
    to the cvsh login shell and only for the
    minoscvs account
  • Only requires ssh on remote machine
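As an added illustration (not the MINOS project's own cvsh or its configuration), here is the access policy from the two write-access paths above written out in Python: a .k5login lookup for the minoscvs account on the kerberos path, and a cvsh-style check that refuses anything except `cvs server` on either path. The principal names, the realm FNAL.GOV and the .k5login contents are constructed samples.

```python
import shlex

# Constructed sample .k5login for the minoscvs account: one principal per line,
# each of which may log in as minoscvs via kerberized rsh.
K5LOGIN = """\
buckley@FNAL.GOV
someone@FNAL.GOV
"""

def k5login_allows(k5login_text, principal):
    # .k5login grants login as this account to exactly the principals listed.
    return principal in {l.strip() for l in k5login_text.splitlines() if l.strip()}

# Characters that would let a command escape into the real shell.
SHELL_META = set(";&|<>`$(){}\n")

def cvsh_allows(command_line):
    # Policy of a cvsh-style restricted shell: the command handed in by rsh or
    # ssh (as `cvsh -c '...'`) must be exactly `cvs server`; anything else is refused.
    if any(c in SHELL_META for c in command_line):
        return False
    try:
        argv = shlex.split(command_line)
    except ValueError:          # unbalanced quotes etc.
        return False
    return argv == ["cvs", "server"]

def authorize(path, account, principal, command_line, k5login_text=K5LOGIN):
    # Combine the two write-access paths from the slide:
    #   kerberos: any principal in minoscvs's .k5login, via kerberized rsh
    #   ssh:      only the minoscvs account itself, whose login shell is cvsh
    # Returns (allowed, reason).
    if account != "minoscvs":
        return False, "repository access only through the minoscvs account"
    if path not in ("kerberos", "ssh"):
        return False, "unknown access path"
    if path == "kerberos" and not k5login_allows(k5login_text, principal):
        return False, f"{principal} is not in .k5login"
    if not cvsh_allows(command_line):
        return False, "cvsh refuses anything but 'cvs server'"
    return True, "ok"
```

Revoking a person's write access on the kerberos path is then a one-line change to .k5login, with no password or key to rotate.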

15
CVS Repository contd
  • I propose implementing the kerberos access as
    people will be kerberizing their machines anyway.
  • We will run in dual mode until September with
    both kerberized and ssh access
  • After September write access will be kerberos
    only
  • CDF is successfully working in this mode

16
Linux machines
  • The kerberos client software is available from
    FNAL as an rpm for RedHat Linux (FNAL supported
    version of Linux). This comes with the various
    FNAL configurations, added features etc. There is
    also a UPS/UPD install but not many MINOS
    institutions are running UPS/UPD as it is not
    used in the offline.
  • There is a very active and helpful mailing list
  • kerberos-users@fnal.gov
  • I will provide information about the necessary
    steps
  • If you are NOT using RedHat Linux then you have a
    couple of options
  • Get the package from MIT - this will be missing
    CRYPTOCard support plus some other useful
    features
  • Install the Fermi source from CVS - probably a
    better option as it gets the Fermi features
  • Note - You can probably get help from the mailing
    list if you get stuck but there is no official
    support for non-RedHat installs.

17
Windows machines (W2k, NT4, 98, 95)
  • In order to connect to Unix machines from your
    Windows machine you need a X-client that supports
    kerberos
  • The official CD supported product is WRQ
    Reflection which supports kerberos logins
  • You can also use Exceed 7 with MIT kerberos but
    this is not a CD officially supported
    configuration - although FNAL PPD has decided to
    do this, I believe.
  • The initial login to the Windows machine still
    uses the regular Windows login method. I
    understand that W2K uses kerberos to authenticate
    but in true Microsoft style they have made it
    incompatible with MIT kerberos!!

18
Macintoshes
  • These are no longer supported platforms at FNAL
  • The supported access method to UNIX systems from
    Macintoshes will be CRYPTOCards
  • There are clients available and they have been
    tested and there are instructions in the manual
  • This only applies to Mac users in the US and
    Canada - the MIT Kerberos software for the Mac is
    not freely available on http://www.crypto-publish.org/
    because it contains code from non-open
    sources

19
Detector Issues
  • All the machines at Soudan that are visible on
    the general LAN must be kerberized
  • We will have a satellite KDC that will take over
    if the network between FNAL and Soudan is down -
    normally we will authenticate to the KDC at FNAL
  • Machines on the DAQ or DCS LANs that require
    login access but cannot run kerberos must be
    accessed through a gateway machine which will do
    the authentication and has 2 network interfaces.
  • It is probably a good idea for most of the
    DAQ/DCS machines to be hidden from the outside
    world and accessed through a gateway(s) for
    security

20
Detector Issues contd
  • I assume that the DCS Windows machines do not
    need login access to Unix machines so that they
    do not need WRQ Reflection - someone should tell
    me if that is not the case
  • I am not sure how the access to the DCS machines
    should be set up. How does the IFIX product work,
    how do you identify yourself to the system etc.
    Perhaps we can clarify some of these issues at
    this meeting.
  • It is easiest to put this stuff into place as the
    machines are installed in the hall - and must be
    done by January 2002 anyway.

21
Summary
  • Strong authentication is coming soon to a
    computer near you
  • OR
  • As my colleagues in the FNAL Computing Division
    prefer to say:

22
Summary
  • You will be assimilated - resistance is futile