Strong Authentication and what it means for MINOS - PowerPoint PPT Presentation

1 / 22
About This Presentation
Title:

Strong Authentication and what it means for MINOS

Description:

Once intercepted, passwords can be re-used to gain unauthorized access to the ... access to a compromised system, hackers can fairly easily gain privileged root ... – PowerPoint PPT presentation

Number of Views:26
Avg rating:3.0/5.0
Slides: 23
Provided by: Buc89
Category:

less

Transcript and Presenter's Notes

Title: Strong Authentication and what it means for MINOS


1
Strong Authentication and what it means for MINOS
  • Liz Buckley-Geer
  • Fermilab

2
Outline
  • Introduction
  • Why are we doing this?
  • Are there benefits?
  • The authentication model
  • How does strong authentication work?
  • What does it mean for you?
  • Deployment at FNAL
  • Schedule for MINOS1
  • CVS repository
  • Linux machines
  • Windows machines
  • Macintoshes
  • Detector issues
  • Summary

3
Introduction
  • The information in these slides applies to access
    to the computers at FNAL and at the Soudan Mine
    because we have decided to operate the LAN at
    Soudan as part of the FNAL LAN - so everywhere I
    mention FNAL you should take it to include Soudan
    unless explicity stated otherwise
  • There is a web page that contains much of what I
    am about to say
  • http//www.fnal.gov/docs/strongauth/
  • Written copies of the manual are available from
    WH8E in the office of Yolanda Valadez (the person
    who issues computer accounts)

4
Why are we doing this?
  • I quote from the "Strong Authentication at
    Fermilab" user manual
  • "An analysis of the major computer security
    incidents at Fermilab over the past couple of
    years, as well as the general sense of security
    incidents prior to that, shows that a common root
    cause of these incidents is the compromise of
    user passwords by their transmission in clear
    text over the network. Once intercepted,
    passwords can be re-used to gain unauthorized
    access to the destination system. Further, with
    user access to a compromised system, hackers can
    fairly easily gain privileged root access. In
    order to protect against unauthorized access to
    Fermilab computers, the Computing Division is
    implementing the Kerberos Network Authentication
    Service V5 to provide what is known as strong
    authentication over the network."
  • For example, on CDF we had one incident that
    required us to disable all accounts on our
    machines and give everyone a new password. We
    were off the air for 36 hours. We do not want
    this to happen to MINOS.

5
Are there benefits?
  • Yes, there are advantages
  • One big advantage is that you have ONE login,
    known as your kerberos principal and ONE password
    that works for all FNAL machines
  • You still need accounts on machines to access
    them but there are no locally stored passwords
    anymore
  • Once you have a ticket you can move from one
    strengthened machine to another without needing
    to type you password again.
  • Oure computers WILL be more secure.
  • All password authentication happens in one place.
    This means that a users access to all systems
    can be disabled in one location should the need
    arise

6
The authentication model
  • Three realms
  • Strengthened realm
  • Consists of all systems that require strong
    authentication for access (both on-site and
    off-site). All programs such as telnet, rlogin,
    are replaced by strengthened versions. Only
    weak authentication that is allowed is via the
    console or locally attached display
  • The trusted realm
  • Other sites that implement strong authentication
    that is acceptable to FNAL. This is primarily
    aimed at other laboratories. For example, if RAL
    decided to implement its own strong
    authentication and FNAL was happy with it then
    RAL would become a trusted realm
  • The un-trusted realm
  • Those systems that do not require strong
    authentication and permit traditional methods of
    access. These systems typically expose clear-text
    passwords on the network. An example would be an
    X-terminal

7
The authentication model - contd
  • At FNAL, machines are configured to respond in
    portal mode when requests for access come from
    machines in the un-trusted realm
  • In portal mode the strengthened machine acts as a
    secure gateway into the strengthened realm,
    requiring a single-use password.
  • At FNAL these single-use passwords are
    implemented using a CRYPTOCard.
  • A CRYPTOCard is a calculator-style,battery
    powered token that must be initialized and
    synchronized with the KDC before use.

8
A CRYPTOCard
9
How does strong authentication work?
  • Kerberos operates by the exchange of tickets that
    allow access to all services by the user in the
    strengthened realm
  • Passwords are stored in the central Key
    Distribution Server (KDC).
  • User logs into kerberized computer at the console
    - may have to type kinit and give kerberos
    password if the login program on the machine is
    not the kerberized one.
  • User gets "ticket" from KDC.
  • Password is used as a key to encrypt the
    exchanges between host and KDC but is not
    transmitted between them.
  • You can now login to other strengthened hosts
    without typing a password again.

10
What does this mean for you?
  • All machines at FNAL will be kerberized by
    default. If you bring a machine to FNAL you will
    be required to kerberize it if you want to
    participate in the strengthened realm - this is
    highly recommended as it simplifies your access
    to other FNAL machines
  • If you are outside FNAL you have three choices
  • Install the kerberos client software on your
    machines are become part of the FNAL strengthened
    realm. This is the preferred method.
  • Practical considerations mean that offsite users
    will also be allowed to run ssh with passwords,
    public.provate keys, host-based keys or kerberos
    on their local machines. However, machines that
    are sited at FNAL will need to use kerberized
    ssh, non-kerberized ssh is not permitted on these
    machines.

11
What does this mean for you - contd?
  • Leave your machine unstrengthened and always
    login using your CRYPTOCard. Note that if you
    need to perform actions which required typing in
    your kerberos password then you MUST make sure
    that you an on an encrypted connection such as
    ssh. You MUST NEVER type your kerberos password
    while logged in to an X-terminal.
  • Your site may have its own version of strong
    authentication which may be acceptable to FNAL
    and then you can become a trusted realm.

12
Deployment at FNAL
  • The current plan requires that strong
    authentication be fully deployed on all systems
    by January 2002
  • Systems that cannot be strengthened must be not
    be directly accessible on the network - they must
    be reached through a gateway machine.
  • Everyone who needs to access FNAL and Soudan
    machines will need a kerberos principal and
    should also get a CRYPTOCard. There is a web form
    http//www.fnal.gov/cd/forms/strongauth.html
  • Your CRYPTOCard can be mailed to you so you dont
    need to come to FNAL

13
Schedule for MINOS1
  • The kerberos client software will be installed on
    MINOS1 at the beginning of July
  • We will operate in a dual mode of both kerberos
    and ssh until early September when the machine
    will become fully strengthened
  • Un-kerberized ftp will be disabled. In the
    interim period until we are fully strengthened we
    will provide anonymous ftp for people who still
    need to copy files - particularly from Windows
    machines.
  • FNAL NuMI/MINOS desktops will be kerberized
    during this period.
  • FNALU will be kerberized in October.

14
CVS Repository
  • We need to switch to using cvsh which a
    restricted shell that only allows cvs commands to
    be excuted
  • Use pserver to configure the read-only access
  • There are several possibilities for write access
  • Kerberos access
  • The minoscvs account contains the names of all
    people who have write access to the repository in
    the .k5login file
  • Users need to kinit to get credentials before
    accessing the repository
  • Then use kerberized rsh to access repository
  • Requires remote machine to be running kerberos
    client
  • SSH access
  • Configure non-kerberized ssh to only allow access
    to the cvsh login shell and only for the
    minoscvs account
  • Only requires ssh on remote machine

15
CVS Repository contd
  • I propose implementing the kerberos access as
    people will be kerberizing their machines anyway.
  • We will run in dual mode until September with
    both kerberized and ssh access
  • After September write access will be kerberos
    only
  • CDF is successfully working in this mode

16
Linux machines
  • The kerberos client software is available from
    FNAL as an rpm for RedHat Linux (FNAL supported
    version of Linux). This comes with the various
    FNAL configurations, added features etc. There is
    also a UPS/UPD install but not many MINOS
    institutions are running UPS/UPD as it is not
    used in the offline.
  • There is a very active and helpful mailing list
  • kerberos-users_at_fnal.gov
  • I will provide information about the necessary
    steps
  • If you are NOT using RedHat Linux then you have a
    couple of options
  • Get the package from MIT - this will be missing
    CRYPTOCard support plus some other useful
    features
  • Install the Fermi source from CVS - probably a
    better option as it gets the Fermi features
  • Note - You can probably get help from the mailing
    list if you get stuck but there is no official
    support for non-RedHat installs.

17
Windows machines (W2k,NT4,98,95)
  • In order to connect to Unix machines from your
    Windows machine you need a X-client that supports
    kerberos
  • The official CD supported product is WRQ
    Reflection which supports kerberos logins
  • You can also use Exceed 7 MIT kerberos but this
    is not an CD officially supported configuration -
    although FNAL PPD has decided to do this I
    believe.
  • The initial login to the Windows machine still
    uses the regular Windows login method. I
    understand that W2K uses kerberos to authenticate
    but in true Microsoft style they have made it
    incompatible with MIT kerberos!!

18
Macintoshes
  • These are no longer supported platforms at FNAL
  • The supported access method to UNIX systems from
    Macintoshes will be CRYPTOCards
  • There are clients available and they have been
    tested and there are instructions in the manual
  • This only applies to Mac users in the US and
    Canada - the MIT Kerberos software for the Mac is
    not freely available on http//www.crypto-publish.
    org/ because it contains code from non-open
    sources

19
Detector Issues
  • All the machines at Soudan that are visible on
    the general LAN must be kerberized
  • We will have a satellite KDC that will take over
    if the network between FNAL and Soudan is down -
    normally we will authenticate to the KDC at FNAL
  • Machines on the DAQ or DCS LANs that require
    login access but cannot run kerberos must be
    accessed through a gateway machine which will do
    the authentication and has 2 network interfaces.
  • It is probably a good idea for most of the
    DAQ/DCS machines to be hidden from the outside
    world and accessed through a gateway(s) for
    security

20
Detector Issues contd
  • I assume that the DCS Windows machines do not
    need login access to Unix machines so that they
    do not need WRQ Reflection - someone should tell
    me if that is not the case
  • I am not sure how the access to the DCS machines
    should be set up. How does the IFIX product work,
    how do you identify yourself to the system etc.
    Perhaps we can clarify some of these issues at
    this meeting.
  • It is easiest to put this stuff into place as the
    machines are installed in the hall - and must be
    done by January 2002 anyway.

21
Summary
  • Strong authentication is coming soon to a
    computer near you
  • OR
  • As my colleagues in the FNAL Computing Division
    prefer to say .

22
Summary
  • You will be assimilated - resistance is futile
Write a Comment
User Comments (0)
About PowerShow.com