Remote access. Contents

Transcription

1 Remote access Per Sedholm Systemgruppen CSC November 26, 2010 Contents 1 Remote access Key fingerprints Terminal access File transfer X11 forwarding, GSSAPI Connecting to MS Windows remotely Ubuntu Mac OS X Windows Setting up Kerberos Mac OS X Ubuntu / Linux MS Windows X11 and GSSAPI from Windows MIT Kerberos configuration PuTTY configuration WinSCP configuration Xming Background information on Kerberos Introduction to Kerberos Tickets Ticket forwarding (credential delegation) More information about Kerberos Installing Kerberos Configuring Kerberos Most UNIX and Linux-distributions Mac OS X Using Kerberos UNIX/Linux, including Mac OS X

2 Remote access Various forms of remote access can be used to retrieve files or use other resources at CSC. You are required to use a secure login method, where passwords are never sent in clear text over the Internet. The recommended method is to use SSH, which is available for all common operating systems, usually installed by default. Other login methods (telnet) can be used, but only Kerberized versions. The best way to use SSH from a UNIX or UNIX-like operating system, is to authenticate on the local computer, and then use ticket forwarding (credential delegation) to log in to the remote system. In practise, this will allow you to open both command-line and file transfer sessions without entering your password after the initial authentication. Many other services and protocol can also use Kerberos authentication, providing single sign-on capability. However, since not all systems support ticket forwarding, the remote terminal servers also allow normal password login. The servers you can use are s-shell.csc.kth.se (Solaris) u-shell.csc.kth.se (Ubuntu) Key fingerprints If you do not use Kerberos for host verification, you may be asked to confirm the key fingerprint for the server. This may be presented as a series of hexadecimal digits, or with artificial words. Both RSA and DSA keys can be used. For s-shell.csc.kth.se, the fingerprint is DSA 7f:11:70:56:2f:9b:4b:7e:f5:a6:58:cc:9d:4f:cd:46 xukiz-duhuk-tokup-hegeh-pesal-cadyk-fityr-firuz-pusen-molav-toxix RSA f3:1e:d0:28:9a:b1:5f:78:b5:25:17:1c:e0:4a:38:22 xiton-suhom-vomyn-tymim-misid-ruteh-dumik-kufub-duzul-sizyg-tixux For u-shell.csc.kth.se, the fingerprint is DSA 72:44:f8:5a:31:5f:e9:ba:47:d0:65:9c:7d:26:fc:8b xikak-sugok-zypet-sufyt-dibec-melac-dugin-fulas-bydyb-forob-saxyx RSA 74:67:64:77:81:e9:61:c2:7d:ff:87:58:68:25:d0:6c xumas-dupos-mezeg-lygut-mefok-lovep-fibed-munod-sulam-retyt-vyxex CSC s employees also have access to the host faun.nada.kth.se. Access to faun is restricted, students can t log in there. DSA a7:bb:2e:b7:a7:c7:2e:9a:5c:dd:3e:6d:22:ce:80:5a xugiz-dodyb-hytov-sidec-mafor-pamek-ruryg-vymok-guram-duhes-lyxux RSA aa:37:99:20:ba:ab:e3:1b:4b:11:58:1c:9d:8b:ab:1a xudem-mazes-tuvok-cykuh-vadaz-facek-dimuk-fysoz-fubes-geban-vexex 1

3 Terminal access All UNIX-like operating systems (Linux, BSD, Mac OS X, etc) will have an SSH client, unless it is deliberately excluded during the installation. For MS Windows, several clients are freely available; the most common is probably PuTTY. (More on PuTTY below.) A remote session using OS X s default settings When you log in, you use your local computer (client), to access a remote host (server). Typically, you open a terminal window and enter ssh «username»@u-shell.csc.kth.se When connecting between different CSC systems, you don t need to specify your username, since it is the same at both client and server. CSC have also configured all terminal room computers to both authenticate with Kerberos, and delegate credentials; you should not need to enter your password when remotely accessing other CSC computers. On MS Windows, PuTTY and most other SSH clients have an integrated terminal window, but command-line versions are also available. Kerberos support is becoming available, but not all applications support it. PuTTY: a free telnet/ssh client uk/~sgtatham/putty/ File transfer In Linux and UNIX systems, most file managers can use SFTP. Usually, you can enter the directory name sftp://«user»@host.csc.kth.se/«path» to access a remote directory, and then drag-and-drop files between that window and others on your system. On Mac OS X, there is no graphical SFTP client installed by default. There is a command-line version, and you can also install a client such as Cyberduck, a free application which is also installed on CSC s Macs. Cyberduck Unfortunately, unlike OS X s command-line version of SFTP, Cyberduck does not currently support Kerberos login. You will therefore be prompted for your password. 2

4 Remote SFTP using Cyberduck and command-line On MS Windows, you can use for example WinSCP. The latest version (as of October 2010) supports Kerberos authentication, but not forwarding of credentials. For this reason, logging in with password authentication may be necessary. On CSC s Windows computers, you can use OpenAFS, to transfer files directly to your UNIX home directory. For more information on WinSCP, see below. Using WinSCP for file transfer X11 forwarding, GSSAPI X11 forwarding allow you to run applications on the remote server, but display them on the local client. This can be used to run applications that are not available on the client, or to directly access files only available on the server. The downside is that the network usage is high. A slow connection will cause high latency clicking a button will cause a measurable delay before the application reacts. X11 forwarding requires a local X server. This is available by default on all UNIX-like operating systems; on MS Windows you will need to install one separately, for example Xming. GSSAPI is used to delegate credentials. With SSH, you can use it to (Called GSSAPIKeyEx- Verify the host rather than using a key fingerprint. change in SSH s configuration file.) A note on terminology. In X11 parlance, the X server is the program that interacts with the display hardware (graphics card, screen, etc) to display images on request from an application, the X client. Somewhat confusingly, this means that the X server runs locally, on your (SSH) client, and the X client on the (SSH) server, remotely. 3

5 Authenticate so you don t need to enter a password to log in to the server. (GSSAPIAuthentication.) Forward Kerberos keys allowing you to access files (which requires AFS tokens) and other resources on the server. (GSSAPIDelegateCredentials.) To enable this, add the following to SSH s configuration file (typically /etc/ssh/ssh_config for system-wide settings, or ~/.ssh/config for per-user settings): Host * ForwardX11 yes # add domains as needed Host *.nada.kth.se *.nada.kth.se. *.csc.kth.se *.csc.kth.se. *.pdc.kth.se *.pdc.kth.se. User «username» GSSAPIAuthentication yes GSSAPIDelegateCredentials yes GSSAPIKeyExchange yes Host *.* GSSAPIAuthentication yes GSSAPIDelegateCredentials no GSSAPIKeyExchange yes Note: the User configuration option is only available in some SSH implementations. These options can also be given on the command-line, but typing ssh -X -K -o GSSAPIGSSAPIKeyExchange yes «username»@u-shell.csc.kth.se takes more effort than just ssh u-shell.csc.kth.se Connecting to MS Windows remotely Currently there is no way for students to use their Windows account remotely, or to remotely access the files stored on their Windows home directory. For employeees There is a server with Remote Desktop Services (formerly Terminal Services), which you can connect to using any RDP (Remote Desktop Protocol) client. The server is terminal.nt.nada.kth.se. RDP clients are available for most operating systems: Ubuntu Use Terminal Server Client (Applications Internet, using the RDP protocol) You can however access the files stored in the home directory of your central KTH.SE Windows login, see IT SupportCenter s website itsc/faq/arbeta-fran-annan-plats. 4

6 For more options, you can also call rdesktop explicitly on the commandline: rdesktop -N -a16 -g 1200x800 -k sv -d NADA.KTH.SE -r disk:local=$home -r sound=local terminal.nt.nada.kth.se Mac OS X Remote Desktop Connection Client for Mac is available (as a free download) from Microsoft s website, and is installed on all CSC Macs. You will find it under Applications. Do not enter your password and the domain in the first dialog that appears. Rather, wait until the remote server s login screen appears, where you can choose the domain NADA.KTH.SE (Kerberos Realm). Windows 7 Remote Desktop Connection is installed by default. 5

7 Setting up Kerberos When you log in on a CSC computer, Kerberos is used to authenticate you (confirm your identity, that you are the user you claim to be). You are given a so-called ticket, which is then used to access a service, e.g. allow you to read the files in your AFS home directory. When you do this locally, on one of the terminal room computers, the authentication is done on the same computer that you then use to access the files (or , or other services). But you can also use Kerberos by authenticating on one computer (e.g. at home), and then forward the tickets to a CSC computer, and allow applications there to read the files. The main advantage of Kerberos over normal password authentication, is that your password is never sent over the network. Only a cryptographic hash is sent, so there is no way for anyone to intercept your password, even if they were to break the network encryption. But it also gives more practical advantages, in that you don t need to re-enter your password to log in to multiple systems. If you have valid Kerberos tickets, you can use an program to read and send mail (usually done through different servers), transfer files between systems, and open multiple command-line session all without once having to type your password. But you are still secure, in the sense that a ticket is only valid for a short period, and does not store your password. A stolen ticket to the mail server can t be used to gain access to your file server, and once the ticket expires, even the mail server will be inaccessible. An example of krb5.conf, the Kerberos configuration file, is shown in figure 2.3 on page 8. For OS-specific information, see below. Mac OS X All Kerberos tools are installed by default, and the default settings will work. You may however want to change the default settings, so that you can use shorter commands, i.e. kinit «username»@nada.kth.se kinit «username» kinit ## default settings ## after configuring ## if your local username matches CSC s There are also graphical applications for ticket management, for example Ticket Viewer in /System/Library/CoreServices/. To change the configuration, edit the file /Library/Preferences/edu. mit.kerberos, as shown in the krb5.conf file referred to above. (You can create the file if it does not exist; it is a plain text file.) Ubuntu / Linux All major Linux distributions have Kerberos packages available. On Ubuntu, you can install the package krb5-clients (MIT Kerberos), or heimdal-clients (Heimdal Kerberos, used at CSC). 6

8 During the installation, you will be asked for your default realm. A realm more or less matches a network domain, but in capital letters. Choose NADA.KTH.SE unless you have reason to do otherwise. You can also change the configuration in /etc/krb5.conf to match the krb5.conf file referred to above. MS Windows While later versions of MS Windows integrates Kerberos, as a part of their Security Support Provider Interface API (SSPI), their implementation is not always compatible with the standard MIT or Heimdal implementations used elsewhere (e.g. at CSC). It is therefore best to install MIT Kerberos for Windows, which can be downloaded from MIT: MIT Kerberos Distribution index.html It contains Network Identity Manager, developed by Secure Endpoints Inc., an application to manage Kerberos tickets. For more information see X11 Forwarding and GSSAPI from Windows 7

9 Figure 1: Example krb5.conf, typically stored as /etc/krb5.conf # Generic krb5.conf for the NADA.KTH.SE realm # $Id: krb5.conf,v /10/08 05:10:18 sedholm Exp $ default_realm = NADA.KTH.SE ticket_lifetime = 12h renew_lifetime = 1w ## Use no-addresses for portable systems that change ## IP address regularly, or systems behind NAT no-addresses = true kdc_timesync = 1 forwardable = true ## for OS X w. AFS and the afslog loginlogout plugin # login_logout_notification = "afslog" [appdefaults] no-addresses = true forwardable = true [realms] NADA.KTH.SE = { kdc = kerberos.nada.kth.se. kdc = kerberos-1.nada.kth.se. kdc = kerberos-2.nada.kth.se. kdc = kerberos-3.nada.kth.se. } STACKEN.KTH.SE = { kdc = kerberos.stacken.kth.se. kdc = kerberos-1.stacken.kth.se. } KTH.SE = { kdc = kerberos.kth.se. kdc = kerberos-1.kth.se. kdc = kerberos-2.kth.se. } [domain_realm].nada.kth.se = NADA.KTH.SE.csc.kth.se = NADA.KTH.SE.pdc.kth.se = NADA.KTH.SE.speech.kth.se = NADA.KTH.SE 8

10 X11 and GSSAPI from Windows In order to use Kerberos-authenticated SSH from Windows, you will need to install MIT Kerberos, and an SSH client that supports Kerberos. Currently, the only version of PuTTY to do so, is the development snapshot available at their download page. Regarding WinSCP, the latest version as of mid October 2010 (4.2.9) http: //winscp.net/eng/docs/history can authenticate using Kerberos, but does not delegate credentials. This means you will be logged in, but only able to read public files, not e.g. files in ~/Private. The unreleased version of Win- SCP is based on the same development snapshot (rev. 9010) of PuTTY s SSH core, which gives some hope of improvements. MIT Kerberos configuration The Kerberos settings are kept in C:\Windows\krb5.ini. Make sure you save the file as plain text. The contents should be the same as krb5.conf above. To obtain Kerberos tickets, start Network Identity Manager. Click on the taskbar icon to bring up the program, then click Obtain New Credentials and enter your CSC username and password. Acquiring Kerberos tickets using Network Identity Manager PuTTY configuration To enable GSSAPI, change the settings under Connection SSH Auth GSSAPI. Enable both Attempt GSSAPI authentication and Allow GSSAPI credential delegation. PuTTY options There is currently no setting for GSSAPIKeyExchange; you will still need to confirm the host s public key fingerprint. 9

11 WinSCP configuration WinSCP supports Kerberos authentication; in fact, it uses PuTTY s SSH library and is well integrated with PuTTY. You can open a PuTTY session by choosing Commands Open in PuTTY. However, there is currently (mid October 2010) no option to delegate your Kerberos credentials. This means that you will be logged on (without being prompted for your password), but you will not be able to read files unless they are in a directory with public access. WinSCP options Xming Xming provides an X server for Windows. If you configure PuTTY to use X11 Forwarding (Connection SSH X11 Enable X11 forwarding), applications started on the remote server will be displayed on your local screen. Note that Xming should not be allowed to open external network connections (unless you want this for other purposes). As far as Xming is concerned, requests to display images or other windows, originates from PuTTY, not from the remote computer. For security reasons, you may even wish to configure Window s firewall to block any external connections to Xming. To do so, configure the firewall to only allow connections from localhost ( ), on both the TCP and UDP protocols. Example: Windows 7 firewall settings You may also need to configure Xming to choose the correct keyboard layout. Normally, the keyboard layout for the X server is chosen from the one used in Windows. Unfortunately, a bug may prevent the Swedish layout from being chosen. Instead, you can change the shortcut used to launch Xming, by modifying the Target (changes in red below) to be called as "C:\Program Files\Xming\Xming.exe" :0 -clipboard -multiwindow -xkbmodel pc105 -xkblayout fi In other words, you choose the Finnish keyboard layout (which is identical to the Swedish) instead. 10

12 Background information on Kerberos Information about Kerberos and how to configure it on a UNIX/Linux host. Introduction to Kerberos Kerberos is an authentication system based on a trusted third party, the Kerberos server, also known as the Key Distribution Center (KDC). It has many nice features, for example: Mutual authentication Users can authenticate servers, and vice versa, by using information from the trusted third party (KDC). There is no need for each party having a list of other parties trusted keys. (Which need to be securely initiated and maintained, as well as updated when keys are stolen.) Single sign on Log in once, and you can use many services. The keys (users passwords and hosts keys) are only known, used and seen by the key owner s local system and the Kerberos server. They are never exposed to any other party. The keys are only used in software for a very short time, they are then destroyed. (Except for the MS Windows implementation, sadly.) Keys can easily be changed if compromised, in one place, which will render a stolen key useless. Only temporary keys are used for data encryption over the network. Cross-realm authentication to other realms (domains). Possibility to authenticate with hardware tokens. Scales very well, an advantage both from the user s perspective and for administration. Kerberos can be used to securely use many different applications and protocols, such as: SSH for terminal access, X tunneling, file transfer and more. File systems such as AFS, NFS, CIFS/SMB and AFP (Apple Filing Protocol). Mail with IMAP and SMTP. Terminal access with telnet, and file transfers with ftp. (Requires Kerberized versions.) Web access over HTTP with SPNEGO.... and several others Tickets Kerberos uses so called tickets (a cryptographically signed encryption key) to authenticate users and services ( principals ) to each other. The tickets are issued by the KDC. Each service accessed uses its own ticket. The tickets contain information about the requesting principal, typically a username and realm (domain), and other useful data such as a temporary session encryption key. A ticket has a limited lifetime and optionally a limited time during which they can be renewed. A special case is the ticket that you get when you initially authenticate to the Kerberos KDC: the Ticket Granting Ticket (tgt, krbtgt). The Ticket Granting Ticket is the ticket you use for authenticating to the KDC service when requesting more tickets for other services. 11

13 Ticket forwarding (credential delegation) When you connect to another service you may in some cases also want to forward your tickets to that service. This is typically useful when you connect to another host and want to access other Kerberized services from that host. For example, when you connect to a host where you need Kerberos tickets to access your files under AFS or another Kerberized file system, as is the case at CSC. You should not forward your tickets to systems you do not trust, since the tickets could be used to authenticate as you, should they be stolen. (Though only for the lifetime of the tickets.) To a less trusted system, you may still authenticate with Kerberos you will not expose anything it doesn t already possess, as long as you don t use ticket forwarding. More information about Kerberos There are several implementations of Kerberos, the two most common being MIT Kerberos and Heimdal. These are very similar and almost interchangeable. Some OS:es come with Kerberos enabled software as standard, many others let you choose one of the above. The current version of Kerberos is version 5. The outdated version 4 should not be used anymore. GSSAPI is an API (Application Programming Interface) used for programming with Kerberos V5. GSSAPI has more or less become synonymous with Kerberos V5. There is plenty of information on Kerberos on the internet, for example Wikipedia on Kerberos (protocol) Installing Kerberos Many OSes nowadays come with Kerberos enabled software as standard: Solaris/OpenSolaris, Mac OS X, AIX and FreeBSD all do, just to name a few. Many Linux distributions do not have Kerberos software installed by default, but there are packages available in all major distributions. For example, on Ubuntu you can just install the package krb5-clients (MIT Kerberos) or heimdal-clients (Heimdal Kerberos, used at CSC). Configuring Kerberos Kerberos (V5) usually does not need to be configured since most information can be looked up from DNS, the Domain Name System. Still, if you do configure it, you may be able to use shorter commands, some things may work more smoothly, and it may be a little faster over very slow links since fewer lookups need to be sent over the network. You typically just need to add a single configuration file. The configuration file is in plain text, and use the same basic format on all systems. An example configuration file for use with CSC s systems in the NADA.KTH.SE realm is given on page 8. Most UNIX and Linux-distributions For most UNIX and Linux-distributions you just need to add (or replace) the configuration file, which typically is called either /etc/krb5.conf or /etc/ krb5/krb5.conf. Use man krb5.conf to find the correct location and learn more about the available options. 12

14 Mac OS X On Mac OS X you may install the configuration as /etc/krb5.conf as above, but the recommended place and name for the global configuration is /Library/Preferences/edu.mit.Kerberos. In addition, a user may have a configuration file of their own, the contents of which is preferred over the information in the global one. This personal configuration file is kept under ~/Library/Preferences/edu.mit. Kerberos. The file format is the same for all of these. UNIX/Linux, including Mac OS X Using Kerberos There are several graphical programs to acquire tickets and to help you in configuring Kerberos. The generic command-line versions are shown here, since they work the same on all systems, and are easier to describe. The first step is to get a Kerberos Ticket Granting Ticket, a krbtgt. kinit username@nada.kth.se If you have NADA.KTH.SE as default realm in your Kerberos configuration you may leave out the realm part: kinit username If you have the same username at CSC (Nada) as your local account: kinit When you have your Ticket Granting Ticket, you can start using Kerberized programs and services. Additional tickets for other services will be retrieved automatically when needed. You can list your tickets with klist. The output will be something like Credentials cache: FILE:/tmp/krb5cc_12345 Principal: alice@nada.kth.se Issued Expires Principal Oct 6 13:41:15 Oct 7 16:47:09 krbtgt/nada.kth.se@nada.kth.se Oct 6 13:51:14 Oct 7 16:47:09 afs@nada.kth.se Oct 6 13:58:18 Oct 7 16:47:09 host/mail1.nada.kth.se@nada.kth.se Oct 6 13:58:18 Oct 7 16:47:09 imap/mail1.nada.kth.se@nada.kth.se Oct 6 16:00:13 Oct 7 16:47:09 host/u3.csc.kth.se@nada.kth.se In this example, the user alice has a ticket granting ticket a ticket for the AFS file system tickets for connecting to the host mail1, and for the IMAP (mail) service there a ticket for connecting to the host u3.csc.kth.se 13