API tools faq
paste
Advertisement
wtmhahagd

Andrew's Magnum Opus

wtmhahagd
Oct 6th, 2014
277
0
Never
Add comment
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.96 KB | None | 0 0
raw download clone embed print report
  1. <ahamilto> anyways
  2. <ahamilto> -----BEGIN KERBEROS EXPLANATION-----
  3. <zan> (i hope that drink is diet coke, would hate to make you turn to alcohol because of my lack of reading comprehension)
  4. <ahamilto> so Kerberos servers are called KDCs or Key Distribution Centers
  5. <ahamilto> KDCs can either be dedicated servers (like in the syslab) or built into a package (like with Microsoft Active Directory)
  6. <ahamilto> KDCs store principals
  7. <ahamilto> principals can be issued to users, computers, or servers
  8. <ahamilto> *services
  9. <ahamilto> user principals are generally of the form username@REALM or username/role@REALM
  10. <zan> so is 2016zan@tjhsst.edu my principal?
  11. <ahamilto> no
  12. <zan> or 2016zan/student@tjhsst.edu or similar?
  13. <ahamilto> no
  14. <ahamilto> I'll get to that
  15. <zan> okay
  16. <ahamilto> host principals are generally of the form host/Fully Qualified Domain Name@REALM; eg host/iodine.tjhsst.edu@CSL.TJHSST.EDU
  17. * `bjones grabs ahamilto's and srepetsk's drink to throw in his own eyes
  18. <`bjones> er, *drinks
  19. <ahamilto> service principals are issued to services running on a host and are generally of the form service/FQDN of server; eg ldap/openldap1.tjhsst.edu@CSL.TJHSST.EDU
  20. <ahamilto> now realms
  21. <ahamilto> a realm can be roughly generalized to an organization or network
  22. <ahamilto> at TJ we have two realms
  23. <zan> windows and linux?
  24. <ahamilto> CSL.TJHSST.EDU is the realm that covers the CSL network; all of the CSL servers have host principals issued from this realm and admins generally have various principals here as well
  25. <ahamilto> LOCAL.TJHSST.EDU is the windows realm where all of the windows computers and all students/staff have principals
  26. <ahamilto> zan: to answer your earlier question, your principal is 2016zan@LOCAL.TJHSST.EDU
  27. <ahamilto> "But then how do I log into CSL services you might ask"; well Kerberos realms have this neat thing called trust
  28. <zan> even if I log in to serenity? Wouldn't I be 2016zan@CSL.TJHSST.EDU then?
  29. <ahamilto> no
  30. <zan> Oh, I get one principal, period
  31. <ahamilto> CSL.TJHSST.EDU and LOCAL.TJHSST.EDU trust eachother and (simplified for now) CSL.TJHSST.EDU machines will accept a LOCAL.TJHSST.EDU principal
  32. <ahamilto> zan: in your case yes
  33. <ahamilto> zan: it is possible to have both (I have both as does affiliated and sdamashek)
  34. <ahamilto> and a bunch of people for that matter but unimportant
  35. <ahamilto> so, we have a realm, we have our principals
  36. <ahamilto> let's say you decide to log into serenity
  37. <ahamilto> you enter a username and password
  38. <ahamilto> serenity is configured to validate these via Kerberos
  39. <ahamilto> so serenity is going to go find a KDC to talk to
  40. <`bjones> serenity is a transport ship
  41. <ahamilto> `bjones: yes, Firefly class
  42. <`bjones> exactly
  43. <ahamilto> so serenity goes and asks the KDC (hey, can you validate these credentials for me)
  44. <ahamilto> KDC hopefully does so (assuming you entered your password right) and returns to serenity a TGT or ticket-granting-ticket
  45. <ahamilto> a TGT is a temporary proof of your identity; it functions like an ID badge but with an expiration time (typically 8 hours after it was issued)
  46. <ahamilto> the purpose of issuing a TGT is to allow you to subsequently authenticate yourself to other systems without needing to re-enter your password every time
  47. <ahamilto> in the syslab this is used for accessing your homedir
  48. <ahamilto> right after you validate your kerberos credentials and get your TGT
  49. <zan> So that's what I was thinking of when I wrote #3, then
  50. <ahamilto> serenity goes and talks to the AFS servers and says "hey, 2016zan wants access to his homedir, here is his TGT"
  51. <ahamilto> the AFS server then goes to the KDC and says "hey, can you verify for me that this ticket is valid"
  52. <ahamilto> KDC says "who the hell are you"
  53. <ahamilto> AFS server replies "I'm host/afsserver.csl.tjhsst.edu, here's my host principal"
  54. <ahamilto> KDC says "Ok, you're good and the ticket is good"
  55. <`bjones> !praise headaches
  56. <tjhsstBot> headaches: Your skin emanates such a porcelain sheen that I am tempted to stamp WC under your bosom and across your armpits.
  57. <ahamilto> important note about time, all of the messages above are timestamped
  58. <ahamilto> the KDC will not accept messages that are too old or too far into the future
  59. <ahamilto> default window is usually +-5 minutes
  60. <ahamilto> this is a security measure
  61. <ahamilto> you can't record me requesting an admin ticket and replay it later
  62. <zan> How would it be negative?
  63. <ahamilto> the KDC looks at the time and goes hell no
  64. <ahamilto> zan: if the KDC clock is slower than the client then from the perspective of the KDC, the client is in the future
  65. <jwoglom> zan: time differences between server and client
  66. <`bjones> it actually literally says that
  67. <`bjones> !slogan the future
  68. <tjhsstBot> There's lots of fun in the future.
  69. <ahamilto> therefore, pretty much every kerberos deployment uses NTP to keep the clocks synched otherwise kerberos dies
  70. <`bjones> !slogan dead puppy
  71. <tjhsstBot> Nothing to worry about with dead puppy.
  72. <ahamilto> questions, comments, concerns?
Advertisement
Add Comment
Please, Sign In to add comment
Advertisement
Public Pastes
Advertisement
We use cookies for various purposes including analytics. By continuing to use Pastebin, you agree to our use of cookies as described in the Cookies Policy.  OK, I Understand
Not a member of Pastebin yet?
Sign Up, it unlocks many cool features!