Components

The Distributed Authentication System (DAS) utilizes the following major components:

The system is hosted on two different servers, DAS-M (master) and DAS-S (slave). We are using Red Hat 9 on the DAS servers.

In addition, the system also employs the following:

Each of these items will be described in detail.


Overview Diagram for Entire System:


DAS Overview JPEG





Kerberos 5

Kerberos 5, hereafter referred to simply as "Kerberos" or "Kerb5", is a network authentication system developed at MIT. It uses cryptographic tickets in order to prevent plaintext passwords from being transmitted over the network. Kerberos is detailed in RFC-1510, which was published in 1993. Kerberos allows you to centralize your username and password information, and to keep it secure. The central resource is called a Key Distribution Center, or KDC.

There are two well-known freely available implementations of Kerb5. One is MIT Kerberos, and the other is Heimdal. This project uses MIT Kerberos on the KDC. Passwords are secured by Triple DES encryption in CBC mode.

What exactly can Kerberos do for us? It can allow us to login to hosts where we do not have a local account, using the same username and password anywhere in the organization. Kerberos can allow Perl or Apache web server authentication against the same usernames and passwords. There are also some applications that let you run in a Single Sign On (SSO) environment, such as Kerberized RLOGIN and Kerberized RSH. Kerberos also includes a suite of adminstrative tools that allow password and account management from anywhere on the network via encrypted sessions.

In addition to the aforementioned benefits, Kerberos is also used by AFS and OpenAFS (clustered network filesystems). The new version of NFS, NFSv4, mandates the use of Kerb5. NFSv4 will be a significant, standardized network file system available in open source operating systems soon. Therefore, if you want to enjoy the benefits of OpenAFS or NFSv4, you will need a Kerberos infrastructure.

For the purposes of setting up our DAS, we will be configuring two KDCs, a master and a slave. Replication occurs via the kpropd service. This redundancy allows for system maintenance and the occasional failure. Kerberos administrative functions are performed on the master. We are using Red Hat RPM packages to install the Kerb5 software on the DAS servers. This method was chosen in order to keep software patches and upgrades simple, as well as making installation relatively quick.

NIS (Sun's Network Information Service)

NIS was introduced in 1985 to aid in the deployment of NFS-equipped, networked workstations. It allows a master NIS server to serve "maps" of user, group, and network information to client machines over a network. RPC over TCP/UDP is used as the communications mechanism. NIS can use slave servers to increase reliability. NIS includes a number of client-side and server-side tools for configuring, testing, and using NIS. The protocol is well-understood, mature, and well documented. NIS is supported by most open source operating systems.

For our system, we will only be using NIS to provide consistent user, group, and host information. More maps can be added if desired, but are not currently needed in our environment. We will not be using NIS to handle passwords or password update. Kerberos handles the passwords, and NIS handles user and group information.

DAS has another NIS-related benefit: if you use NFS in your environment, having NIS already up and running will dramatically simplify things. NFS needs consistent, global UIDs and GIDs in order to work properly. Using the Linux "autofs" automounter to mount DAS user home directories via NFS works just fine. NIS provides naming, Kerberos provides authentication, and NFS/autofs can provide centralized home directories for your DAS users.

Note:  NIS was formerly called yp, short for Yellow Pages. Most NIS programs start with the letters "yp".

PAM (Pluggable Authentication Modules)

PAM allows integration of various authentication technologies into system entry services such as the login and su programs, without modifying the services. It was developed by Sun Microsystems for Solaris, but is widely available on other Unix and Unix-like operating systems, such as FreeBSD and GNU/Linux. In a nutshell, it makes login services independent from authentication technologies.

For the purposes of our authentication system, PAM will be configured and updated as necessary on client machines so that they may use Kerberos authentication. This involves the configuration of the portmapper and ypbind services, as well as the configuration of the

/etc/nsswitch.conf
file. If necessary, the pam_krb5 module will be installed.

NTP (Network Time Protocol)

NTP is used to synchronize the time of a computer client or server to another server or reference time source. It will easily keep hosts within milleseconds of each other. Time synchronization is required in Kerberos networks, since timestamps are part of the security checks that are performed before authentication can take place. The default maximum allowable clock skew in a Kerberos network is 5 minutes.

In order to keep host clocks within the allowable skew, we will run an NTP server (ntpd) on both DAS servers. Clients must use NTP via ntpd, ntpdate, or some other client program to maintain synchronization.

Administrative Tools

For the Kerberos principals database, we will use the kadmin program. Kadmin can be run on the KDC master (DAS-M), or it can be run remotely on a Kerberos client host. SSH will also be used to allow remote administration and file transfer for the DAS server hardware, software, and operating systems.

Security Mechanisms

The DAS servers employ TCP wrappers, the iptables packet filter, and other mechanisms to restrict access. Lab users will not have accounts on the DAS servers. The servers will run a minimal number of services.


System Diagrams

Click on the thumbnails to view full-sized images.

Kerberos+NIS DAS Overview with Comments:

Kerb5-NIS-DAS JPEG

DAS Ports, Daemons, and Applications Overview

DAS-Services JPEG

DAS Client Overview

DAS-Client JPEG

Login & Authentication Sequence of Events

Login Sequence JPEG


References

MIT Kerberos page
Kerberos Infrastructure HOWTO
Network Computing article on Kerberos
Kerberos overview by Cisco

NIS HOWTO for Linux

Sun Microsystems PAM page
Linux PAM page
Security Focus article on PAM (Part 1)    (Part 2)

NTP home page