Revisions compared: wiki:kerberos [2013/01/31 15:19] (section "Interesting links on Kerberos", wyneken) and wiki:kerberos [2022/03/17 16:51] (current, created by wyneken)
====== Working with Kerberos ======
===== Kerberos ticket =====
Cf. ''
==== Automatically renewing tickets for a longer job ====

If you have a job that runs longer than the current ticket allows, use the command ''

First set up a new file in which the ticket is to be stored:

  export KRB5CCNAME=/

The file name under /tmp can of course be different; whatever path you choose, the cache file must not be readable by other users on the machine, since anyone who can copy it can use your tickets until they expire.

Then call kinit:

  kinit -r28day

This asks for a ticket that can be renewed for up to 28 days. The ticket itself still expires after the normal lifetime (typically a few hours); it merely remains renewable for that long, and the KDC caps the renewable lifetime at the maximum configured for the realm and for the principal. Check the "renew until" line in the output of klist before relying on it.

Finally, start the job with ''

  krenew -k /

More details with ''
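To put the three steps above together, here is an added example (not code from this wiki page, and not part of the MIT Kerberos or kstart projects). It builds the kinit and krenew command lines and, more importantly, checks the "renew until" value that klist reports against the planned job length, because the KDC may grant a shorter renewable lifetime than the 28 days requested. The klist output it parses is a constructed sample; the cache path /tmp/krb5cc_job_example, the principal alice@EXAMPLE.ORG and the job name long_job.sh are assumptions made for the demo.

```python
"""Keeping a long job alive under a renewable Kerberos ticket.

Added example, not code from the wiki page. It assumes the MIT Kerberos
tools kinit and klist plus krenew from the kstart package. The klist
output below is a constructed sample, not captured from a real system.
"""
import re
from datetime import datetime, timedelta

# Constructed sample in MIT klist format: a TGT valid for ten hours that
# the KDC made renewable for four weeks.
KLIST_SAMPLE = """\
Ticket cache: FILE:/tmp/krb5cc_job_example
Default principal: alice@EXAMPLE.ORG

Valid starting       Expires              Service principal
03/17/2022 16:51:00  03/18/2022 02:51:00  krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
\trenew until 04/14/2022 16:51:00
"""

_TS = r"\d{2}/\d{2}/\d{2,4} \d{2}:\d{2}:\d{2}"
_TGT_LINE = re.compile(rf"^({_TS})\s+({_TS})\s+krbtgt/\S+", re.M)
_RENEW_LINE = re.compile(rf"^\s*renew until ({_TS})")


def _parse_ts(text):
    """klist prints local time as mm/dd/yyyy (older builds: mm/dd/yy)."""
    for fmt in ("%m/%d/%Y %H:%M:%S", "%m/%d/%y %H:%M:%S"):
        try:
            return datetime.strptime(text, fmt)
        except ValueError:
            continue
    raise ValueError(f"unrecognised klist timestamp: {text!r}")


def parse_tgt(klist_text):
    """Return {'expires': ..., 'renew_until': ...} for the krbtgt entry as
    ISO timestamps. renew_until is None when the KDC issued a
    non-renewable ticket (no 'renew until' line follows the TGT)."""
    m = _TGT_LINE.search(klist_text)
    if m is None:
        raise ValueError("no krbtgt entry in klist output")
    following = klist_text[m.end():].split("\n")
    next_line = following[1] if len(following) > 1 else ""
    r = _RENEW_LINE.match(next_line)
    return {
        "expires": str(_parse_ts(m.group(2))),
        "renew_until": str(_parse_ts(r.group(1))) if r else None,
    }


def covers_job(klist_text, job_hours, now):
    """True when the ticket can be kept alive for job_hours starting at
    `now` (ISO string): it must still be valid, because an expired ticket
    can no longer be renewed, and its renewable lifetime must reach past
    the end of the job. A non-renewable ticket must simply outlive the job."""
    tgt = parse_tgt(klist_text)
    start = datetime.fromisoformat(now)
    end = start + timedelta(hours=job_hours)
    expires = datetime.fromisoformat(tgt["expires"])
    if start >= expires:
        return False
    if tgt["renew_until"] is None:
        return end <= expires
    return end <= datetime.fromisoformat(tgt["renew_until"])


def kinit_command(renewable_life="28d"):
    """kinit -r asks for a renewable lifetime; the KDC may grant less than
    requested, which is why covers_job() checks klist afterwards."""
    return ["kinit", "-r", renewable_life]


def krenew_command(ccache, job_argv, check_every_min=60):
    """krenew -k <cache> -K <minutes> <command>: runs the job and renews the
    ticket in <cache> every <minutes> minutes until the job exits."""
    return ["krenew", "-k", ccache, "-K", str(check_every_min), *job_argv]


if __name__ == "__main__":
    # Dry run of the planned sequence; KRB5CCNAME points both tools at a
    # private cache file (the path is an assumption for the demo).
    cache = "/tmp/krb5cc_job_example"
    print(f"export KRB5CCNAME=FILE:{cache}")
    print(" ".join(kinit_command()))
    print(" ".join(krenew_command(cache, ["./long_job.sh"])))
    now = "2022-03-17 17:00:00"
    print("20 days of work covered:", covers_job(KLIST_SAMPLE, 20 * 24, now))
    print("30 days of work covered:", covers_job(KLIST_SAMPLE, 30 * 24, now))
```

On a real host, feed covers_job() the output of `klist` (for example via subprocess.check_output(["klist"], text=True)) right after kinit; if it returns False, the KDC granted less than requested, and you either need a larger max_renewable_life from the administrator or a plan to run kinit again (for instance from a keytab) before the renewable lifetime ends.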
===== "
===== Deleting tickets =====
With the command ''

:!: The tickets are, however, __still
It is said that one should actually, when logging out, for instance in ''
This is a potential problem, but it is said that Condor can be set up so that it works well in a Kerberos environment. For now, this is "work in progress".
===== Information and links on weaknesses of Kerberos =====
  * From http://
<code>
One practical problem with Kerberos is that the tickets eventually expire. A practical
balance has to be made between the desire to reduce the usefulness of stolen tickets
(short lifetime) versus the ease-of-use for the user (long lifetime).

This problem becomes a much larger issue when dealing with long-running user processes.
Jobs run on some supercomputer systems can run for days or weeks, but having tickets that
last that long can be a security nightmare.

The compromise for this problem that was introduced in Kerberos 5 is the support for
renewable tickets. Renewable tickets have expiration times, like normal tickets. However,
they also have a maximum renewable lifetime.

A renewable ticket can be renewed by asking the KDC for a new ticket with an extended
lifetime. However, the ticket itself has to be valid (in other words, you cannot renew a
ticket that has expired; you have to renew it before it expires). A renewable ticket can
be renewed up until the maximum renewable ticket lifetime.
</code>

----
  * http://
**Subject: 1.18. Are there any known weaknesses in Kerberos?**
<code>
Kerberos makes no provisions for host security; it assumes that it is running on trusted
hosts with an untrusted network. If your host security is compromised,
compromised as well.

However, the degree to which Kerberos is compromised depends on the host that is
compromised. If an attacker breaks into a multi-user machine and steals all of the tickets
stored on that machine, he can impersonate the users who have tickets stored on that
machine …. but only until those tickets expire.

Kerberos uses a principal'
identity. If a user's Kerberos password is stolen by an attacker, then the attacker can
impersonate that user with impunity.

Since the KDC holds all of the passwords for all of the principals in a realm, if host
security on the KDC is compromised,

In Kerberos 4, authenticators are valid for 5 minutes. If an attacker sniffs the network
for authenticators,
access to the same service you used. Kerberos 5 introduced a replay cache which prevents
any authenticator from being used more than once.

Since anybody can request a TGT for any user, and that ticket is encrypted with the user's
secret key (password), it is simple to perform an offline attack on this ticket by trying
to decrypt it with different passwords. Kerberos 5 introduced preauthentication to solve
this problem.
</code>

----
  * http://
<code>
Kerberos doesn'
environment in which there is one user per workstation. Because of the difficulty of
sharing data between different processes running on the same UNIX computer, Kerberos keeps
tickets in the /tmp directory. If a user is sharing the computer with several other
people, it is possible that the user's tickets can be stolen, that is, copied by an
attacker. Stolen tickets can then be used to obtain fraudulent service
</code>

----
  * http://
<code>
Your Kerberos tickets are proof that you are indeed yourself, and tickets could be stolen
if someone gains access to a computer where they are stored. If this happens, the person
who has them can masquerade as you until they expire. For this reason, you should destroy
your Kerberos tickets when you are away from your computer.
</code>
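The last two quotations describe the same exposure: a ticket cache under /tmp that another local user can copy and use until it expires. The following added example (not from this wiki page or from any Kerberos project) is the check a practitioner would run on a shared machine: it audits a directory for credential caches whose mode lets group or others read them, or whose owner does not match the uid in the file name. It assumes MIT-style FILE caches named krb5cc_<uid> with an optional suffix (such as the per-job caches created via KRB5CCNAME); the demo directory it builds is constructed, not a real /tmp.

```python
"""Audit a directory (normally /tmp) for exposed Kerberos credential caches.

Added example, not code from the wiki page or from any Kerberos project.
It assumes MIT-style FILE caches named krb5cc_<uid> or krb5cc_<uid>_<suffix>
and checks only ownership and permission bits; whether a cache still holds
valid tickets is not examined (klist would tell you that).
"""
import os
import re
import stat
import tempfile

# Assumed name pattern: the default cache krb5cc_<uid> and per-job caches
# such as krb5cc_<uid>_job that users point KRB5CCNAME at.
_CCACHE_NAME = re.compile(r"^krb5cc_(\d+)(?:_.*)?$")


def audit_ccaches(directory):
    """Return a list of (path, reason) for caches that other users could
    read or copy, or whose owner does not match the uid in the name."""
    findings = []
    for name in sorted(os.listdir(directory)):
        m = _CCACHE_NAME.match(name)
        if m is None:
            continue
        path = os.path.join(directory, name)
        st = os.lstat(path)
        if not stat.S_ISREG(st.st_mode):
            # A symlink planted here would redirect kinit's writes elsewhere.
            findings.append((path, "not a regular file"))
            continue
        mode = stat.S_IMODE(st.st_mode)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append((path, f"mode {mode:04o} grants access to group or others"))
        named_uid = int(m.group(1))
        if st.st_uid != named_uid:
            findings.append((path, f"owned by uid {st.st_uid} but named for uid {named_uid}"))
    return findings


def build_demo_dir():
    """Constructed sample directory: one private cache, one that is
    world-readable, and one whose owner does not match its name."""
    d = tempfile.mkdtemp(prefix="ccache_audit_demo_")
    me = os.getuid()
    for name, mode in (
        (f"krb5cc_{me}", 0o600),        # fine: only the owner can read it
        (f"krb5cc_{me}_job", 0o644),    # readable by everyone on the host
        (f"krb5cc_{me + 1}", 0o600),    # named for another uid, owned by us
    ):
        path = os.path.join(d, name)
        with open(path, "wb") as f:
            f.write(b"")                # empty placeholder, not a real cache
        os.chmod(path, mode)
    return d


if __name__ == "__main__":
    for path, reason in audit_ccaches(build_demo_dir()):
        print(f"{path}: {reason}")
    # On a real host: audit_ccaches("/tmp")
```

Run it as root against /tmp (as an unprivileged user you can only stat files in directories you may read, and /tmp normally has the sticky bit, so the listing still works); an empty result means no cache is readable by anyone but its owner, which is the property the renewal procedure above depends on.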