SHARE
TWEET

Andrew's Magnum Opus

wtmhahagd Oct 6th, 2014 254 Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. <ahamilto> anyways
  2. <ahamilto> -----BEGIN KERBEROS EXPLANATION-----
  3. <zan> (i hope that drink is diet coke, would hate to make you turn to alcohol because of my lack of reading comprehension)
  4. <ahamilto> so Kerberos servers are called KDCs or Key Distribution Centers
  5. <ahamilto> KDCs can either be dedicated servers (like in the syslab) or built into a package (like with Microsoft Active Directory)
  6. <ahamilto> KDCs store principals
  7. <ahamilto> principals can be issued  to users, computers, or servers
  8. <ahamilto> *services
  9. <ahamilto> user principals are generally of the form username@REALM or username/role@REALM
  10. <zan> so is 2016zan@tjhsst.edu my principal?
  11. <ahamilto> no
  12. <zan> or 2016zan/student@tjhsst.edu or similar?
  13. <ahamilto> no
  14. <ahamilto> I'll get to that
  15. <zan> okay
  16. <ahamilto> host principals are generally of the form host/Fully Qualified Domain Name@REALM; eg host/iodine.tjhsst.edu@CSL.TJHSST.EDU
  17. * `bjones grabs ahamilto's and srepetsk's drink to throw in his own eyes
  18. <`bjones> er, *drinks
  19. <ahamilto> service principals are issued to services running on a host and are generally of the form service/FQDN of server; eg ldap/openldap1.tjhsst.edu@CSL.TJHSST.EDU
  20. <ahamilto> now realms
  21. <ahamilto> a realm can be roughly generalized to an organization or network
  22. <ahamilto> at TJ we have two realms
  23. <zan> windows and linux?
  24. <ahamilto> CSL.TJHSST.EDU is the realm that covers the CSL network; all of the CSL servers have host principals issued from this realm and admins generally have various principals here as well
  25. <ahamilto> LOCAL.TJHSST.EDU is the windows realm where all of the windows computers and all students/staff have principals
  26. <ahamilto> zan: to answer your earlier question, your principal is 2016zan@LOCAL.TJHSST.EDU
  27. <ahamilto> "But then how do I log into CSL services you might ask"; well Kerberos realms have this neat thing called trust
  28. <zan> even if I log in to serenity? Wouldn't I be 2016zan@CSL.TJHSST.EDU then?
  29. <ahamilto> no
  30. <zan> Oh, I get one principal, period
  31. <ahamilto> CSL.TJHSST.EDU and LOCAL.TJHSST.EDU trust eachother and (simplified for now) CSL.TJHSST.EDU machines will accept a LOCAL.TJHSST.EDU principal
  32. <ahamilto> zan: in your case yes
  33. <ahamilto> zan: it is possible to have both (I have both as does affiliated and sdamashek)
  34. <ahamilto> and a bunch of people for that matter but unimportant
  35. <ahamilto> so, we have a realm, we have our principals
  36. <ahamilto> let's say you decide to log into serenity
  37. <ahamilto> you enter a username and password
  38. <ahamilto> serenity is configured to validate these via Kerberos
  39. <ahamilto> so serenity is going to go find a KDC to talk to
  40. <`bjones> serenity is a transport ship
  41. <ahamilto> `bjones: yes, Firefly class
  42. <`bjones> exactly
  43. <ahamilto> so serenity goes and asks the KDC (hey, can you validate these credentials for me)
  44. <ahamilto> KDC hopefully does so (assuming you entered your password right) and returns to serenity a TGT or ticket-granting-ticket
  45. <ahamilto> a TGT is a temporary proof of your identity; it functions like an ID badge but with an expiration time (typically 8 hours after it was issued)
  46. <ahamilto> the purpose of issuing a TGT is to allow you to subsequently authenticate yourself to other systems without needing to re-enter your password every time
  47. <ahamilto> in the syslab this is used for accessing your homedir
  48. <ahamilto> right after you validate your kerberos credentials and get your TGT
  49. <zan> So that's what I was thinking of when I wrote #3, then
  50. <ahamilto> serenity goes and talks to the AFS servers and says "hey, 2016zan wants access to his homedir, here is his TGT"
  51. <ahamilto> the AFS server then goes to the KDC and says "hey, can you verify for me that this ticket is valid"
  52. <ahamilto> KDC says "who the hell are you"
  53. <ahamilto> AFS server replies "I'm host/afsserver.csl.tjhsst.edu, here's my host principal"
  54. <ahamilto> KDC says "Ok, you're good and the ticket is good"
  55. <`bjones> !praise headaches
  56. <tjhsstBot> headaches: Your skin emanates such a porcelain sheen that I am  tempted to stamp WC under your bosom and across your armpits.
  57. <ahamilto> important note about time, all of the messages above are timestamped
  58. <ahamilto> the KDC will not accept messages that are too old or too far into the future
  59. <ahamilto> default window is usually +-5 minutes
  60. <ahamilto> this is a security measure
  61. <ahamilto> you can't record me requesting an admin ticket and replay it later
  62. <zan> How would it be negative?
  63. <ahamilto> the KDC looks at the time and goes hell no
  64. <ahamilto> zan: if the KDC clock is slower than the client then from the perspective of the KDC, the client is in the future
  65. <jwoglom> zan: time differences between server and client
  66. <`bjones> it actually literally says that
  67. <`bjones> !slogan the future
  68. <tjhsstBot> There's lots of fun in the future.
  69. <ahamilto> therefore, pretty much every kerberos deployment uses NTP to keep the clocks synched otherwise kerberos dies
  70. <`bjones> !slogan dead puppy
  71. <tjhsstBot> Nothing to worry about with dead puppy.
  72. <ahamilto> questions, comments, concerns?
RAW Paste Data
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy. OK, I Understand
 
Top