Kerberos Active Directory for HP Thin Clients

advertisement
International Journal of Emerging Technology and Advanced Engineering
Website: www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal, Volume 4, Issue 5, May 2014)
Kerberos Active Directory for HP Thin Clients
Anusha T1, Priya D2, Prashant Ramdas Naik3
1
Dept of ISE, R V College of Engineering, Karnataka, India
Assistant Professor, Dept of ISE, R V College of Engineering, Karnataka, India
3
Principle Software Designer, Hewlett Packard, India Software Operation Pvt Ltd, Mahadevpura Bangalore, Karnataka, India
2
A. HpnaBrowse
Thin Client Hpnabrowse is a command tool to access
citrix PNAgent services. An additional feature of
HPnabrowse is providing access gateways. This agent does
the functionality of enumeration of resources, resetting the
users password, launch connection to the published
resources, disconnect and reconnect to applications to the
web interface and other options.
Abstract-- A specialized field in computer networking
involves securing computer network infrastructure. In today’s
computing, organizations including universities and small to
medium-sized businesses have to credit a wide range of
services to its users. Many of these services require a form of
authentication and/or authorization to securely verify the
identities of users.
Thin clients are used in academic institutions, in financial
sectors, for training students, for research purpose and many
other areas of science. When every user logs into his/her
machine, it is essential to keep the identity of the user safe and
secure. Kerberos Active Directory (KAD) is a protocol for
client, server and a third party user, to perform security
verifications for users and services. Kerberos Active Directory
security protocol is used to authenticate Thin Client users. It
explains 3 mechanism of re-setting the passwords. KAD has
Key Distribution Centre (KDC) controlling the flow of tickets
between clients, servers and third party services. Session
tickets, service tickets and the file server tickets are verified to
grant access to a client and grant service from a file server.
B. Citrix Xen Server
VMWare, Xen or Hyper V are the different types of
servers. Citrix Xen Server is a free virtualization platform
which is based on Xen hypervisor which is open source
and has a Xen Center. Xen Center has multi-server
management console with core management features.
Features such as multi-server management, virtual machine
(VM) templates, snapshots, shared storage support,
resource pools and Xen Motion live migration as per paper
[1]. In addition, Citrix offers advanced management
capabilities in Citrix Essentials for Xen Server product line.
Citrix Essentials for Xen Server is available in number of
editions, like wise they are Enterprise and Platinum.
Keyword-- Kerberos Active Directory (KAD), Key
Distribution Centre (KDC), Ticket Granting Ticket (TGT),
Authentication, Citrix Xen Server, Thin Clients,
HPNabrowse, Fully Qualified Domain Name(FQDN,
SingleSign On (SSO).
I.
C. Xen App and Xen Desktop
Xen App and Xen Desktop are the resources residing on
the server farm. Xen App typically is for provisioning of
Applications like Notepad, Wordpad or Spreadsheets on a
per user basis. Xen Desktop is typically used for
provisioning customized Desktops to users. The
applications and desktops provisioned by XenAp and
XenDesktop are provisioned from the Virtual Machines
hosted in the server farm. These resources on the server are
accessed through Thin Client software or hardwares.
INTRODUCTION
KAD is a security protocol which makes use secret key
cryptography algorithm. It works on the basis of tickets to
allow nodes communicating over a non-secure network to
prove their identity to each other. In 1983, MIT developed
“Kerberos Active Directory Protocol” to protect the
network services provided by Project Athena. The
algorithm provides mutual authentication between client
and server over a non – secure network for communication.
Symmetric algorithm like AES, DES and 3 DES algorithms
for encryption and decryption are used. The symmetric
algorithm uses the same key for encryption and decryption
purpose.
D. Kerberos Active Directory
The primary design goal of Kerberos is to eliminate the
transmission of unencrypted passwords across the network.
When used properly, Kerberos eliminates the threat packet
sniffers effectively.
385
International Journal of Emerging Technology and Advanced Engineering
Website: www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal, Volume 4, Issue 5, May 2014)
Table 1
Attributes of tickets
Another reason for using Kerberos is because of its open
source feature. Compared with Microsoft active directory,
Kerberos is more reliable in terms of cost and security. And
it meets the company’s requirement accurately. In linux
platform, several api’s are available, that helps in easier
integration and development.
As per paper [2],Kerberos client (can be either a user or
a service) requests for ticket to KDC. The KDC generates
ticket-granting ticket (TGT) for the client and encrypts the
ticket using the KDC key, and transmits the encrypted TGT
to the client. The client uses the same TGT to obtain other
service tickets, which provide the proof of the client's
identity. Users can enable with preauthentication. When
pre-authentication is enabled, a user must sign on to the
KDC by providing knowledge of secret information. Once
the identity requesting user for a ticket is confirmed, the
KDC returns a set of initial credentials for the user,
consisting of a ticket granting ticket (TGT) and a session
key. When a principal (user) needs to access the service
located on a file/service system, the KDC issues a service
ticket for the specific service. A service ticket can be
associated with one or more Kerberos-secured services on
the same system. The service ticket is usually used by a
client application on behalf of the user, to authenticate the
user to the Kerberos-secured network service. The
Kerberized client application handles the transactions with
the KDC. Service tickets and associated session keys are
cached in the user’s credentials cache file along with the
user’s TGT. The Kerberos stands for Authentication- The
confirmation that a user who is requesting services is a
valid user of the network services requested.
Authorization– The granting of specific types of service to
a user, based on their authentication, what services they are
requesting, and the current system state. Accounting: the
tracking of the consumption of network resource by users.
The Table .1 below, shows the attributes of tickets and their
description.
Number
386
Attribute of Ticket
Description
1.
tkt-vno
Version number of the
ticket
format.
In
Kerberos v.5 it is 5.
2.
Realm
Name of the realm
(domain) that issued the
ticket. A KDC can issue
tickets only for servers
in its own realm, so this
is also the name of the
server’s realm
3.
Sname
Name of the server.
4.
Flags
Ticket options
5.
Key
Session key.
6.
Crealm
Name of the client’s
realm (domain).
7.
Cname
Client’s name.
8.
Transited
9.
Authtime
10.
Starttime
Lists Kerberos realms
taking
part
in
authenticating the client
Time
of
initial
authentication by the
client. The KDC places
a timestamp in this field
when it issues a TGT.
When it issues tickets
based on a TGT, the
KDC
copies
the
authtime of the TGT to
the authtime of the
ticket
Time after which the
ticket is valid.
11.
Endtime
Ticket’s expiration time.
12.
renew-till
(Opt)
Maximum
endtime to be set in
International Journal of Emerging Technology and Advanced Engineering
Website: www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal, Volume 4, Issue 5, May 2014)
ticket
with
RENEWABLE flag
13.
Caddr
14.
Authorization
Data
15.
FORWARDABLE
16.
FORWARDED
17.
PROXIABLE
18.
PROXY
19.
RENEWABLE
20.
INITIAL
II.
a
LITERATURE SURVEY
As per paper [3], it talks about Fabasoft Folio Web
Management using KAD, where the administrator of the
web management must have valid Kerberos ticket. The web
management runs on Microsoft Windows and Linux
system. For the Linux system, the Kerberos ticket is
provided automatically if LDAP and KDC environment is
available.
As per paper [4],KAD is incorporated by Hewlett
Packard Technologies, where HP has following
technologies that are tested with HP-UX Secure Shell:
Kerberos 5/GSS-API, IPv6, Trusted Systems, TCP
Wrappers, PAM (PAM_UNIX, PAM_Kerberos, and
PAM_LDAP).. HP-UX provides built-in support in a
secure environment for Secure Kerberized Internet services
such as ftp, rcp, rlogin, telnet, and remsh Use of Kerberos
in the CIFS environment provides significant security
improvements over the older NT LanManager (NTLM)
protocol traditionally used by CIFS Clients and Servers.
As per paper [5], likewise, a corporate company uses
KAD, allowing Linux and UNIX computers to authenticate
users with Microsoft Active Directory (AD). Since
Microsoft Windows 2000, AD's primary authentication
protocol has been Kerberos.
As per paper [6], Kerberos provides a good
infrastructure for enterprise SSO. The preponderance of
Microsoft
Active
Directory,
a
Kerberos-aware
authentication product, means that SSO is broadly
available. But unfortunately, configuring Linux and UNIX
computers to properly authenticate users via Kerberos is
difficult and error-prone.
But likewise allows Linux and UNIX computers to
authenticate users with Microsoft Active Directory. It also
configures the Kerberos infrastructure in Linux and UNIX
computers to communicate properly with AD. This
simplifies the work that has to be done to enable
Kerberized applications to support SSO. Likewise
automatically configures system login to authenticate with
AD and to support SSO when using SSH.
As per paper [7], Enterprise Identity Mapping (EIM) is a
lookup table where each user’s identities in user registries
are mapped to one identifier. Thus EIM enabled
applications can use registry and allow user to process
without further challenge. The Kerberos authentication of
users using SSO does not solve the problem of multiple
user registers for all class of users. It still requires
synchronising, all user ids, which is not always possible or
secure. Hence IBM has come up with Windows based SSO
and the EIM framework for IBM Iseries server.
(Opt) One or more
addresses from which
the ticket can be used. If
omitted, the ticket can
be used from any
address.
(Opt)
Privilege
attributes for the client.
Kerberos
does
not
interpret the contents
of
this
field.
Interpretation is left up
to the server
(TGT only) Tells the
ticket-granting service
that it can issue a new
TGT with a different
network address based
on the presented TGT.
Indicates either that a
TGT
has
been
forwarded or that a
ticket was issued from a
forwarded TGT
(TGT only) Tells the
ticket-granting service
that it can issue tickets
with a different network
address than the one in
the TGT.
Indicates
that
the
network address in the
ticket is different from
the one in the TGT used
to obtain the ticket.
Used in combination
with the end time and
renew-till fields to cause
tickets with long life
spans to be renewed at
the
renewable
periodically
(TGT only) Indicates
that this is a TGT.
387
International Journal of Emerging Technology and Advanced Engineering
Website: www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal, Volume 4, Issue 5, May 2014)
As per paper [8], to facilitate more effective use of the
Kerberos ticket cache, a new format for referral data is
proposed. This method includes a list of alias names as part
of the returned referral information. The pseudo code for
the algorithm allows a MIT Kerberos client to request and
follow referrals from a Windows 2000 Kerberos KDC. It
removes the need for management and administration of
DNS to realm mapping files on Kerberos client hosts.
When both name canonicalization and referral resolution
problems are considered, Windows 2000 approach has
advantage over security and ease of administration. The
MIT Kerberos client’s better ticket cache utilization when
alias name is used, along with realm hierarchy, can be used
to reduce the number of exchanges with KDC.
As per paper [9], IBM makes use of multi factor
authentication over Kerberos protocol. It combines OneTime password and the Kerberos to achieve two factor
authentications.
As per paper [10], HP provides common card login to
Department of Defence personals (DOD) and other
contractors. It is used as general access card for
authentication to enable access to networks and computers.
Users are able to authenticate at the MFP by inserting their
CAC(Common Access Card) into an attached card reader
and entering a PIN, followed by certificate validation,
Kerberos authentication to the network, and Active
Directory data retrieval. After their card is accepted, the
user can send digitally signed e-mail or scan documents to
folders.
As per paper [11], Public key Kerberos (PKINIT) is a
standardized authentication and key establishment protocol,
used by the Windows active directory subsystem. The cardbased public key Kerberos is flawed. Even after card is
revoked, access to a user's card enables an adversary to
impersonate user. As a solution, the migration of the user's
private key from his computer to a smart card can have
severe implications to the security of the overall system.
The fix requires the KDC to initially send a nonce nS to the
terminal. This nonce is then added to the data signed by the
smart card and included in AS_REQ_ On reception of the
AS_REQ_ message, the KDC must also ensure that the
number nS in the message matches the number it
generated. Note that this fix requires a message from the
KDC to the terminal carrying the nonce, and a change to
the AS_REQ_ message to accommodate the additional
nonce.
As per paper [12], the first problem with LDAP is the
fact that it is an active directory. It means that it (LDAP
server) is being inundated with new queries. But an
authentication service should never have more traffic.
Since LDAP services provide more than just
authentication, LDAP is a poor candidate as an
authenticator. Kerberos incorporates the use of
cryptography in order to ensure the confidentiality of
authentication credentials. It is used in conjunction with a
LDAP server that only allows access from connections
where an authentication ticket has been granted.
As per paper [13], for Securing the storage systems
UNIX-based Kerberos version 5 servers for NFS storage
authenticationusing NFS version 3 and 4isused. NFS versio
n 4 is NFS Implementation and it mandates Kerberos
authentication to be a part of NFS client and server
specification. Integration of their storage systems with
Kerberos version 5 will lead in achieving strong NFS
storage authentication.
As per paper [14] Kerberos provides assurance that the
authenticated . Principal is an active participant in an
exchange. A by-product of the Kerberos authentication
protocol is the exchange of session key between client and
server. The session key is subsequently used by the
application to protect the integrity and privacy of
communications.
Kerberos system defines safe
message and private message to encapsulate data for
protection , but the application is free to use any method
better suited for particular data that is transmitted.
As per paper[15], Kerberos Encryption Technique for
authentication and transaction security is used in the
network. And also an Authentication Server that used to
derive a 64 bit key from user’s password is created.
Password is of arbitrary length. The generated key is then
used by authentication server, to encrypt ticket granting
the transaction server for validating an authentic
transaction.
III.
PROPOSED METHODOLOGY
A .Server configurations
All servers and clients that participate in a Kerberos
realm must be able to communicate with each other and
have accurate system clocks. Each server in a Kerberos
authentication realm must be assigned a FQDN that is
forward-resolvable. Kerberos must also have the server's
FQDN to be reverse-resolvable.
388
International Journal of Emerging Technology and Advanced Engineering
Website: www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal, Volume 4, Issue 5, May 2014)
If reverse domain name resolution is not available, set
the rdns variable to false in clients' krb5.conf. Kerberos
must be set up to pass through all the firewalls between the
hosts. The realm name must be configured appropriately as
per [16]. The kadmin utility is an interface used to create
delete update the principals. The principals can be of 2
types. They are user and service.
For starting kadmin utility
$kadmin –p admin/admin
For addition of an use
kadmin: addprinc user
This authentication process is automatic: no password is
required to access network services as long as the user's
TGT is valid (for security purposes, tickets expire after a
period of time, and must be renewed). Services use files
called keytabs that contain a secret known only to the
service and the KDC. The user authenticates themselves to
the KDC and then requests information from the KDC that
is encrypted using the service's shared secret. This
encrypted message is sent to the client, which sends it to
the service. If the service can decrypt and read the message
(and the user passes other security checks), the service
accepts the user's identity. The security of a keytab is vital.
Malicious users with access to keytabs can impersonate
network services. To avoid this, secure the keytab's file
permissions with chmod, as per [13].
Testing the working of Kerberos and obtain the ticket from
realm.
Kinit –p admin@LAB.EXAMPLE.COM
Password for admin@LAB.EXAMPLE.COM: ***
C .System Behaviour
The figure1 shows the architecture of the system. The
four components – KDC, hpnabrowse, PNAAgent,
resource farm interacts with each other for resetting of
password and granting password. The user interacts with
the system with the help of a User Interface.
Step 1: Obtain user credentials, domain name and server
url.
Step2: Save the input parameters in an unintelligent format
for future usage.
Step 3 : Fetch the password configuration setting values .
Step 4: If value = “direct_method”, parse the url and make
request to the active directory for change of password.
Reset the values for tickets and post the request.
Step 5: If value = “proxy_method”, parse the url and make
request to PNagent for change of password.
Step 6: If value = ”direct_with_fall_back”, parse the url
and make request for direct method. If the password is not
updated, make request through PNagent path.
Step 7: If password is valid in either of the case from step
4, 5, 6, allow access for the user.
Step 8: If password does not meet the Kerberos password
requirement, deny the access for user.
Fig 1 System Architecture
B .Client configurations
The client settings need krb5-user, krb5-config and
libkadm55 packages. These packages are downloaded from
the main repository. The krb5-config installation
customizes the configuration file. In order to test the
operation of Kerberos, Ticket Granting ticket is requested
using the kinit command. The realm name is case sensitive.
The administrator is the substitute for valid Kerberos
Principal. Once the user is registered, using klist command,
the ticket details is viewed. The ticket expiration date, time,
principal name, and the time when the ticket can be
renewed is mentioned in the klist details. Kdestroy
command automatically destroys the issued ticket to the
principal and the ticket has to be obtained again. Once a
user has obtained a TGT using kinit, they can use it to
prove their identity to a network service such as file sharing
or printing.
389
International Journal of Emerging Technology and Advanced Engineering
Website: www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal, Volume 4, Issue 5, May 2014)
Figure 2 shows the data flow diagram. The diagram
explains the flow of data at every stage. In the initials stage
the data are username, password, domain name, url. Users
passwords are encrypted in an unintelligent format and the
requests and responses from every node are handled in the
form of xml.
The figure 4 shows the new password does not meet
Kerberos requirement. A pop up message shows the result
of executed command.
Fig 4 Password expired case(2)
The figure 5 indicates the success message popping out
when the user has changed his password. And in order to
login to the machine he/she must use new set of credentials
Fig 2 Data Flow Diagram for all three components.
IV.
SCREEN SHOTS
Fig 3 User Interface for the user.
Figure 3 is the User Interface for the user to enter his/her
credentials. The dialog box has Name of the connection,
Server URL, username, password, Domain name and other
options for the user to launch the applications.
Fig 5 Dialog box for success message case (1)
390
International Journal of Emerging Technology and Advanced Engineering
Website: www.ijetae.com (ISSN 2250-2459, ISO 9001:2008 Certified Journal, Volume 4, Issue 5, May 2014)
The figure 6 shows where the password has to be reset.
It says that the user password is invalid and he must set his
passwords again for logging in.
Acknowledgement
Foremost, I would like to express my sincere gratitude to
my college guide and advisor Assistant Professor Priya. D
and Hewlett Packard office mentor Mr. Prashant Ramdas
Naik, for their motivation, enthusiasm, patience and
immense knowledge. Their guidance has helped me in all
time for completion of project and writing of this thesis .
My sincere thanks to Mr B.S Satyanarayana, Principal at
RVCE, Bangalore and Mr Karthick Tharakraj, R&D
Engineering Manager at Hewlett Packard Bangalore, for
giving me the opportunity to perform my MTech project at
HP. And also grateful to my parents, for supporting me
throughout my life.
REFERENCES
[1]
[2]
[3]
[4]
[5]
Fig 6 Updation Failed case (3)
[6]
V.
CONCLUSION
[7]
Kerberos Active Directory guards the user’s credentials.
The system has 3 mechanism of resetting the user’s
password. The first mechanism “Direct Method” as the
name suggests, the hpnabrowse agent communicates
directly with the active directory and authenticates the
users, which is a direct method. The second mechanism
“Proxy Method”, hpnabrowse communicates with the
PNAagent and the PNAagent communicates with Kerberos
Active Directory. The Third mechanism “Direct with Fall
Back”, if in case the Direct method fails, Proxy Method
will take over the responsibility of resetting the password.
The time duration for each of the connection gives an
important observation.
Direct Method for resetting of password is 0.04 seconds.
Proxy method for resetting of Password is 0.01 seconds.
Direct with Fall back approach gives the time duration of
0.06 seconds for resetting of passwords. Thus, it is feasible
to use proxy method while resetting user’s password
[8]
[9]
[10]
[11]
[12]
[13]
[14]
[15]
391
“Xen Server-Addressing the challenges of application and desktop
virtualization”, White Paper- Citrix, 2010.
Jose. L. Marquez, ”Kerberos Secure Athentication”, SANS Institute
InfoSec Reading Room, White Paper, 2001.
“Fabasoft on Linux Fabasoft Folio Web Management”, White Paper,
2013
”Kerberos”, Hewlett-Packard Development Company, White Paper,
2005
Manny Vellon, “Likewise Security Benefits”, Likewise Software,
White Paper, 2007
“Single Sign-On for kerberized Linux and Unix Applications”,
Likewise Enterprises, White Paper, 2007
“Windows-based Single Signon and the EIM Framework on the
IBM@server iSeries Server”, “RedBooks, White Paper, 2004.
Jonathan Trostle and Michael M. Swift, ”Implementation of
Crossrealm Referral Handling in the MIT Kerberos Client”, White
paper, 2000.
Sandeep Ramesh Patil, ”Implement two factor authentications for
AIX using Kerberos”, White Paper, 4th Nov 2008.
Hewlett Packard, ”HP MFP Smart Card Authentication Solution”,
White Paper, 2007.
Nikos Mavrogiannopoulos, Andreas Pashalidis and Bart Praneel,
“Security implications in Kerberos by the introduction of smart
cards”, ASIA CCS’12, May 2-4,2012, Seoul, Korea.
Charlie Obimbo and Benjamin Ferriman ,” Vulnerabilities of LDAP
as an Authentication Service”, Journal of Information Security.
2011, 2, 151-157.
Latesh Kumar K.J, “Securing Storage Appliances via Unix based
Kerberos Authentication”, International Journal of Computer
Applications(0975-8887)volume 65- No 1,March 2013.
B. Clifford Neuman and Theodore Ts'o, “Kerberos: An
Authentication Service for Computer Network”s, IEEE
Communications 32 (1994), no. 9, 33-38.[15]Garima Verma, Prof
R.P Arora,”Implementation of highly efficient Authentication and
transaction
Security”,International
Journal
of
Computer
Applications(0975-8887)volume 21- No 3, May 2011
“Kerberos community help wiki”,(n. d), Retrieved from
https://help.ubuntu.com/community/Kerberos
Download