Differences
This page shows the differences between two versions of the wiki page.
wiki:kerberos [2013/01/30 15:56] – created by wyneken | wiki:kerberos [2022/03/17 16:51] (current) – created by wyneken | ||
---|---|---|---|
Zeile 2: | Zeile 2: | ||
+ | ===== Kerberos-Ticket ===== | ||
- | Wenn man sich einloggt, bekommt man automatisch ein Kerberos-Ticket. Mit dem Befehl '' | ||
- | Die Default-Lebensdauer der Tickets werden in ''/ | + | Wenn man sich einloggt, bekommt man automatisch ein Kerberos-Ticket. Mit dem Befehl '' |
+ | |||
+ | < | ||
+ | $ klist | ||
+ | Ticket cache: FILE:/ | ||
+ | Default principal: wyneken2@PUBLIC.ADS.UNI-FREIBURG.DE | ||
+ | |||
+ | Valid starting | ||
+ | 01/30/13 15: | ||
+ | renew until 01/31/13 15:57:29 | ||
+ | 01/30/13 15: | ||
+ | renew until 01/31/13 15:57:29 | ||
+ | </ | ||
+ | |||
+ | |||
+ | ===== Lebensdauer der Tickets ===== | ||
+ | |||
+ | |||
+ | Die Default-Lebensdauer der Tickets werden in ''/ | ||
+ | |||
+ | Wenn ein Ticket ausläuft, kann man auf das Homeverzeichnis nicht mehr zugreifen. In diesem Fall kann man sich mit mit dem Befehl '' | ||
+ | |||
+ | Mit der Option '' | ||
kinit -l 30d | kinit -l 30d | ||
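Review bot: the `kinit -l 30d` line in the 'Lebensdauer der Tickets' section documents requesting a 30-day ticket lifetime without saying what the realm actually grants; the configuration file referenced at 'Die Default-Lebensdauer der Tickets werden in …' is where the defaults come from, and the FAQ text quoted further down this same page says that 'having tickets that last that long can be a security nightmare' and recommends renewable tickets instead. Suggest stating the maximum lifetime the configuration permits and adding a cross-reference from this section to 'Tickets automatisch erneuern für einen längeren Job', so readers reach for a renewable ticket plus `krenew` rather than a long-lived one. Minor: 'Die Default-Lebensdauer der Tickets werden' should read 'wird' (singular subject).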
Zeile 12: | Zeile 34: | ||
Vgl. '' | Vgl. '' | ||
- | Die Tickets werden in einer Datei im Verzeichnis /tmp gehalten, | + | ==== Tickets automatisch erneuern für einen längeren Job ==== |
+ | |||
+ | Wenn man einen Job hat, der länger geht als der aktuelle Ticket es erlaubt, setzt man den Befehl '' | ||
+ | |||
+ | Zunächst richtet man eine neue Datei ein, in der man den Ticket speichert: | ||
+ | |||
+ | export KRB5CCNAME=/ | ||
+ | |||
+ | Der Dateiname in /tmp kann natürlich auch anders sein. | ||
+ | |||
+ | Dann kinit aufrufen: | ||
+ | |||
+ | kinit -r28day | ||
+ | |||
+ | Das generiert einen Ticket, der 28 Tage lang gültig ist. | ||
+ | |||
+ | Schließlich starte man den Job mit '' | ||
+ | |||
+ | krenew -k / | ||
+ | |||
+ | Mehr Details mit '' | ||
+ | ===== " | ||
+ | |||
+ | |||
+ | Die Tickets werden in einer Datei im Verzeichnis /tmp gehalten, | ||
Es ist möglich, sich ein erneuerbares Ticket erstellen zu lassen: | Es ist möglich, sich ein erneuerbares Ticket erstellen zu lassen: | ||
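Review bot: 'Das generiert einen Ticket, der 28 Tage lang gültig ist' after `kinit -r28day` misstates what the `-r` option does. It sets the maximum renewable lifetime, not the ticket's validity period, which is what the FAQ quoted further down this page describes: renewable tickets 'have expiration times, like normal tickets' and 'can be renewed up until the maximum renewable ticket lifetime', but only while they are still valid. The ticket therefore still expires after the default lifetime from the 'Lebensdauer der Tickets' section, which is exactly why `krenew -k` has to run alongside the job. Suggest 'Das erzeugt ein Ticket, das bis zu 28 Tage lang erneuert werden kann, solange es vor Ablauf erneuert wird.' Since `KRB5CCNAME` points that cache at a file under /tmp for the whole period, and the quoted text later on the page warns that ticket files in /tmp on a shared machine can be copied by another user, the section should also say that the cache file must be readable by its owner only and should be deleted (see 'Tickets löschen') as soon as the job ends. Minor: 'einen Ticket' / 'der Ticket' / 'den Ticket' should be 'ein Ticket' / 'das Ticket' (neuter), and `-r28day` would read more consistently with a space, as `-l 30d` above is written.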
Zeile 31: | Zeile 77: | ||
fi | fi | ||
</ | </ | ||
+ | |||
+ | ===== Tickets löschen ===== | ||
+ | |||
+ | Mit dem Befehl '' | ||
+ | |||
+ | :!: Die Tickets werden aber __noch eine Weile gecachet__, und man kann noch eine bis 1 1/2 Stunde auf das Homeverzeichnis zugreifen. | ||
+ | |||
+ | Es heißt, dass man eigentlich beim Ausloggen etwa in '' | ||
+ | |||
+ | ===== Kerberos und Condor ===== | ||
+ | |||
+ | Das ist ein potentielles Problem, aber es heißt, man kann Condor so einrichten, dass es in einer Kerberos-Umgebung gut funktioniert. Momentan ist das also "work in progress" | ||
+ | |||
+ | ===== Infos und Links zu Schwachstellen von Kerberos ===== | ||
+ | |||
+ | * Von http:// | ||
+ | |||
+ | < | ||
+ | One practical problem with Kerberos is that the tickets eventually expire. A practical | ||
+ | balance has to be made between the desire to reduce the usefulness of stolen tickets | ||
+ | (short lifetime) versus the ease-of-use for the user (long lifetime). | ||
+ | |||
+ | This problem becomes a much larger issue when dealing with long-running user processes. | ||
+ | Jobs run on some supercomputer systems can run for days or weeks, but having tickets that | ||
+ | last that long can be a security nightmare. | ||
+ | |||
+ | The compromise for this problem that was introduced in Kerberos 5 is the support for | ||
+ | renewable tickets. Renewable tickets have expiration times, like normal tickets. However, | ||
+ | they also have a maximum renewable lifetime. | ||
+ | |||
+ | A renewable ticket can be renewed by asking the KDC for a new ticket with an extended | ||
+ | lifetime. However, the ticket itself has to be valid (in other words, you cannot renew a | ||
+ | ticket that has expired; you have to renew it before it expires). A renewable ticket can | ||
+ | be renewed up until the maximum renewable ticket lifetime. | ||
+ | </ | ||
+ | |||
+ | ---- | ||
+ | |||
+ | * http:// | ||
+ | |||
+ | **Subject: 1.18. Are there any known weaknesses in Kerberos?** | ||
+ | |||
+ | < | ||
+ | Kerberos makes no provisions for host security; it assumes that it is running on trusted | ||
+ | hosts with an untrusted network. If your host security is compromised, | ||
+ | compromised as well. | ||
+ | |||
+ | However, the degree to which Kerberos is compromised depends on the host that is | ||
+ | compromised. If an attacker breaks into a multi-user machine and steals all of the tickets | ||
+ | stored on that machine, he can impersonate the users who have tickets stored on that | ||
+ | machine …. but only until those tickets expire. | ||
+ | |||
+ | Kerberos uses a principal' | ||
+ | identity. If a user's Kerberos password is stolen by an attacker, then the attacker can | ||
+ | impersonate that user with impunity. | ||
+ | |||
+ | Since the KDC holds all of the passwords for all of the principals in a realm, if host | ||
+ | security on the KDC is compromised, | ||
+ | |||
+ | In Kerberos 4, authenticators are valid for 5 minutes. If an attacker sniffs the network | ||
+ | for authenticators, | ||
+ | access to the same service you used. Kerberos 5 introduced a replay cache which prevents | ||
+ | any authenticator from being used more than once. | ||
+ | |||
+ | Since anybody can request a TGT for any user, and that ticket is encrypted with the user's | ||
+ | secret key (password), it is simple to perform a offline attack on this ticket by trying | ||
+ | to decrypt it with different passwords. Kerberos 5 introduced preauthentication to solve | ||
+ | this problem. | ||
+ | </ | ||
+ | |||
+ | |||
+ | ---- | ||
+ | |||
+ | * http:// | ||
+ | |||
+ | < | ||
+ | Kerberos doesn' | ||
+ | environment in which there is one user per workstation. Because of the difficulty of | ||
+ | sharing data between different processes running on the same UNIX computer, Kerberos keeps | ||
+ | tickets in the /tmp directory. If a user is sharing the computer with several other | ||
+ | people, it is possible that the user's tickets can be stolen, that is, copied by an | ||
+ | attacker. Stolen tickets can then be used to obtain fraudulent service | ||
+ | </ | ||
+ | |||
+ | ---- | ||
+ | |||
+ | * http:// | ||
+ | |||
+ | < | ||
+ | Your Kerberos tickets are proof that you are indeed yourself, and tickets could be stolen | ||
+ | if someone gains access to a computer where they are stored. If this happens, the person | ||
+ | who has them can masquerade as you until they expire. For this reason, you should destroy | ||
+ | your Kerberos tickets when you are away from your computer. | ||
+ | </ | ||
+ | |||
+ |
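Review bot: the 'Tickets löschen' section says deleted tickets are 'noch eine Weile gecachet' and that the home directory stays reachable for up to an hour and a half, but it does not say where that cache lives or how it is cleared, and the sentence 'Es heißt, dass man eigentlich beim Ausloggen etwa in …' stops before naming the logout hook it starts to describe. That gap matters because the advice quoted at the end of the page ('you should destroy your Kerberos tickets when you are away from your computer') assumes that destroying the ticket closes the window, so a removed ticket that is still honoured for 90 minutes deserves an explanation. Suggest completing the logout paragraph with the actual mechanism and stating whether the remaining access comes from a cache outside the Kerberos credential cache. The 'Kerberos und Condor' section is a placeholder ('work in progress') with no configuration; either give the Condor settings or mark the section as TODO so readers do not take it as guidance.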