Strong Auth Index Page | Presentation Outline

Introduction to Strong Authentication
at Fermilab

---

What is Strong Authentication?

Strong authentication is a system of verifying the identities of networked users, clients and servers without transmitting passwords over the network. It does not require that the network be protected. Both parties in a connection must demonstrate knowledge of some "secret" to establish their identities.

What is Kerberos?

The Kerberos Network Authentication Service V5, developed at MIT, is the network authentication program that Fermilab has chosen to implement strong authentication. In addition to establishing identity (authentication), it supports encrypted network connections, thereby providing confidentiality.

The "heart" of a Kerberos installation is the Key Distribution Center (KDC). All the computers associated with a KDC make up what's called a strengthened realm. At Fermilab, the strengthened realm for UNIX machines is called FNAL.GOV.

The KDC's main functions include:

• Maintaining a database of users and services within its realm
• Authenticating users by way of exchanging tickets between clients and services in the strengthened realm

Password-derived information is stored in the central KDC, but not passwords themselves.

Why has Fermilab implemented Kerberos authentication?

There have been several computer security breaches at Fermilab and other DOE facilities. Our funding agencies are requiring Fermilab to demonstrate that it is implementing a computer security system that exercises tight control over who uses the lab's computers and network.

What advantages does Kerberos have over other possible solutions?

• Password-checking (authentication) happens in one place, and the end systems need not store any information which can be used to try to guess a password.
• Kerberos allows a single point of disabling an unauthorized or wayward user on all systems in the strengthened realm.
• Kerberos supports integration with AFS; when you authenticate to Kerberos, you also authenticate to AFS.
• Fermi Kerberos is a locally-enhanced version of the MIT Kerberos software, which
  • supports access by users on unstrengthened machines via CRYPTOCards
  • supports cron

What other advantages are there?

• You have one id, known as your Kerberos principal, and one password that can be used for any UNIX system at the lab.
• Once you are authenticated on a system, you can move from one strengthened machine to another without having to type your password again.
• And most importantly, with proper use, the computers are more secure from abuse by outsiders.

How does Kerberos work?

Here is a sample scenario:

1. User logs into Kerberized desktop computer, not over the network. User requests authentication either automatically at login or via kinit command after login. Entry of Kerberos password is required.
2. Password is used to derive a key to encrypt the exchanges between local host and KDC, but is not transmitted between them.
3. Upon authentication, user gets "ticket" from KDC.
4. User can now connect over the network to other strengthened hosts without typing a password again. By forwarding tickets when logging into remote host, the user can do all of the following without typing a password:
   • connect from one remote strengthened host to another
   • obtain AFS tokens
   • ksu to other accounts as permitted

If local machine is not Kerberized, user connects to remote strengthened host over the network using a CRYPTOCard to provide a non-reusable password for authentication.

Fermilab Strong Authentication Policy

As of the end of 2001, Kerberos V5 is implemented on virtually all the computers at Fermilab. Our working definition of computer , as regards strong authentication, is: "any machine to which you can log in, and on which you can run arbitrary code".

Kerberos authentication is currently not required for:

• uses which involve only reading public information (e.g., via the web)
• anonymous FTP
• email
• entering information into a web or database form, in most cases

All other network accesses to computers on the Fermilab site must be preceded by Kerberos V5 authentication if the access is comparable to shell or FTP service. Compliance can be achieved in different ways:

• Run Kerberos authentication (this means "install and run kerberos software on your machine")
• Remain unKerberized (i.e., don't install kerberos software), and remove incoming network services
• (This option not allowed for desktops) Remain unKerberized, but require users to gain access through a computer that either
  • requires Kerberos authentication, or
  • is isolated from the general network and physically accessible only to individuals carrying a valid Fermilab ID card.

Furthermore, an on-site system is NOT ALLOWED to be configured to prompt for or accept a reusable login password over the network.

Regarding network connections to remote Kerberized machines:

• Never type your password over the network, even if the connection is encrypted.
• If your local machine is Kerberized, always authenticate to Kerberos on your local machine. After you're authenticated you can start a remote login session.
• If your local machine is not Kerberized, use your CRYPTOCard to provide your remote login password. Once you are logged in by this method, you are also authenticated to Kerberos.

Off-site computers participating in Fermilab's strengthened realm must enforce secure access mechanisms, but they are not required to use Kerberos V5. (For information on off-site systems; refer to manual section 2.2 Authentication Guidelines for On-site vs. Off-site Machines.)

Notes

DHCP works fine: If you get tickets under one address and then get a new address, you need to reobtain tickets.

Network Address Translation (NAT) can be a problem (see http://www.fnal.gov/docs/strongauth/html/offsite.html#60786).

If your machine is in a different domain (not fnal.gov), you may have to tweak your configuration. Fermi Kerberos is built to look for domains in DNS.

Documentation and References

• Fermilab's Strong Authentication documentation is maintained at http://www.fnal.gov/docs/strongauth/. It includes a manual provided in HTML format, plus links to extra information. Each chapter of the manual is also available individually in PDF format.
• Archives from kerberos-users@fnal.gov mailing list at http://listserv.fnal.gov/archives/kerberos-users.html
• Kerberos: The Network Authentication Protocol, Massachusetts Institute of Technology.http://web.mit.edu/kerberos/www/
• Kerberos Frequently Asked Questions (U.S. Naval Research Laboratory). http://www.nrl.navy.mil/CCS/people/kenh/kerberos-faq.html
• Brian Tung, Kerberos, A Network Authentication System, Addison-Wesley, 1999.

Strong Auth Index Page