1 How to build an Identity Management System on Linux Simo Sorce Principal Software Engineer Red Hat, Inc.
2 What is an Identity Management System and why should I care? In a nutshell: an IdM system is a set of services and rules to manage the users of an organization. It includes information about individuals, computers, groups, roles, authentication and authorization rules that apply to the set of users and devices managed by the system. If you need to manage more than a handful of machines you do not want to manually configure all these functions on each one, instead you use an IdM system generally hosted on a centralized server.
3 Identities When you encounter the word Identity usually you think about a person, or a user. But computers and even single programs often need their own identity in order to be authorized to perform operations over a network. Identities are also often managed in groups to apply authorization decisions to multiple similar objects in a simpler/consistent way.
4 What do we need to manage At the core: Users' life-cycle Creation, deletion, and other status changes Relations (groups, roles) Policies (passwords, privileges) Computers' life-cycle Enrollment, retirement Creation/Revocation of Keys (Kerberos, SSH, X509,...) Policies (Access control, authorization rules) Additionally Other security related aspects of networking
5 Centralize or distribute? Striking the right balance is not an easy task Being able to flexibly shift balance between centralization and distribution based on the situation is nice, but also harder to implement in practice. This is a problem on multiple levels Networking How to spread services to avoid single points of failure? Distribute heavily? Security How do we reduce attack surface? Centralize heavily? Administration How can we allow delegation of tasks securely?
6 Pros and Cons of Centralization Centralization is good because... Management is easier Reporting is easier Enforcement is easier Development is easier... on the other hand, distributing makes it... More resilient to failure Scales better
7 Responsibilities of an IdM server... Authentication for users and services Passwords, SSO? 2FA? Certificates, Keys Authorization rules for all services Access rules per host Users roles and admin delegation Network related administration? DNS, DHCP,... Auditing and reporting
8 ... and of the clients Retrieving Information Users, Groups, netgroups, host groups, roles Certificates, keytabs Automount maps, other configuration Authentication Passwords, tickets Authorization Misc HBAC, sudo rules, SSH keys, SELinux users DNS discovery, DNS Updates, time synchronization
9 There is a lot to manage Management tools are as important as the underlying technologies used If it can't be managed effectively, it can't be used Sadly management is very often overlooked in Free Software Security and Complexity are enemies Complex interfaces need to be simplified to make them understandable to users Diagnostic tools are also important Complex systems tend to break more easily Keep it simple if you can If you can't, make it manageable at least
10 So, how hard can it be? We just need to install an LDAP server and a Kerberos KDC right? Have you ever tried? :-) Some numbers from the FreeIPA project Installer: 4(NTP) + 35(DS) + 20(PKI) + 12(KDC) + 16(HTTPD) + 9(DNS) = 96 unique steps This includes no replica, no clients, and only default rules Time taken: approx. 5 minutes Code: ~150k lines on top of existing projects
11 Basic Idm exploded (FreeIPA) Server HTTPD CA LDAP KDC Kadmin Client Admin NTPD DNS SSSD
12 Why LDAP and Kerberos? Why not a Custom (SQL?) Database? Integration, custom database = custom clients Multi-master and read-only Replication Fine grained Access Control Interoperability, Standard Why LDAP is not enough? Why Kerberos? Security: Passwords vs tickets vs certificates Convenience: Single Sign On Performance: Scalability, Availability Security, Standard
13 Why PKI, DNS integration? Some protocols can be secured only via SSL HTTP, IMAP, SMTP,..., VPN,... Central Authority for X509 certificates is a good idea DNS is crucial to identify machines Service principals use DNS names X509 Certificates use DNS names SSH identify targets via DNS names IPv6 is coming, very long addresses But DNS is Insecure! DNSSEC (GSS-)TSIG DNS updates
14 Other services... NTP Time is critical for almost everything More... Infamous krb5 clock-skew Certificate validity Log correlation DHCP Radius Telephony...
15 Management Interface A complete Management Interface is a fundamental component of an Idm system Adding Network APIs makes life easier for 3 rd parties. Although CLI tools are often sufficient for small integration tasks. Although not mandatory, a graphical interface, such as a Web UI, will make the system usable by a much larger number of people. Helpdesk, Managers,...
16 FreeIPA management UI
17 On the client A system is as secure as the weakest link The client capabilities define what can be done So... Classic Linux client nss_ldap & co generally use no authentication Key management is manual, prone to errors Laptops are hard to integrate, poor offline support Access control and sudo rules difficult to manage
18 An improved client SSSD was spun off the FreeIPA project Single authenticated server connection Caching of identity and other information Offline authentication HBAC, sudo rules, selinux users, SSH keys Server affinity and DNS updates Additional features Certificate renewal (certmonger) Privilege separation (gss-proxy)
19 Building an Idm system is hard It is more of a process than a product Installing the bits is just the first step An IdM system must make things easier to manage A management interface is fundamental, even just CLI Homegrown may be sufficient, but it is a very big effort Reuse as many components as you can Choose wisely, changing components later is harder Look around you, others have already done this. See what they've done and ask yourself why and if the same reasoning applies to your case
20 Beyond Linux FreeIPA has recently added support for creating trust relationships with Active Directory LDAP KDC MS-RPC Samba RPC KDC DS DNS KDC KDC DNS KDC AD Server IPA Server Krb Credentials Client (Windows/Linux) Server SSSD
21 Questions? Thanks to: Simo Sorce
22 Bonus slide Acronyms & terminology Additional links SSO: single Sign On 2FA: Two-Factor Authentication HBAC: Host Based Access Control KDC: Key Distribution Center Principal: Name of Identities in the Kerberos world X509: Encoding standard for SSL certificates CA: Certificate Authority, Signs certificates in a PKI system SSSD: Gss-Proxy: Certmonger: https://fedorahosted.org/certmonger/ Bind-dyndb-ldap: https://fedorahosted.org/bind-dyndbldap/ 389 DS: Dogtag: MIT Kerberos: PKI: Public Key Infrastructure
Best Practices for Integrating Kerberos into Your Application This paper describes best practices for application developers who wish to add support for the Kerberos Network Authentication System to their
Best Practices for Deploying and Managing Linux with Red Hat Network Abstract This technical whitepaper provides a best practices overview for companies deploying and managing their open source environment
With hundreds of Help Desk software packages available, how do you choose the best one for your company? When conducting an Internet search, how do you wade through the overwhelming results? The answer
AWS Security Best Practices Dob Todorov Yinal Ozkan November 2013 (Please consult http://aws.amazon.com/security for the latest version of this paper) Page 1 of 56 Table of Contents Abstract... 4 Overview...
WHITE PAPER SAFE: A Security Blueprint for Enterprise Networks Authors Sean Convery (CCIE #4232) and Bernie Trudel (CCIE #1884) are the authors of this White Paper. Sean is the lead architect for the reference
This video will look the different versions of Active Directory Federation Services. This includes which features are available in each one and which operating system you need in order to use these features.
Fundamental Principles of Network Security By Christopher Leidigh White Paper #101 Executive Summary Security incidents are rising at an alarming rate every year. As the complexity of the threats increases,
Windows Firewall with Advanced Security Design Guide and Deployment Guide Microsoft Corporation Published: October 2008 Author: Dave Bishop Editor: Allyson Adley Reviewers: Bilal Aijazi, Boyd Benson, Shalaka
Getting Started with Zeus Web Server 4.3 Zeus Technology Limited - COPYRIGHT NOTICE Zeus Technology Limited 2004. Copyright in this documentation belongs to Zeus Technology Limited. All rights are reserved.
Best Practices Guide McAfee epolicy Orchestrator for use with epolicy Orchestrator versions 4.5.0 and 4.0.0 COPYRIGHT Copyright 2011 McAfee, Inc. All Rights Reserved. No part of this publication may be
BEST PRACTICES FOR SCSP POCS Best Practices for Critical System Protection Proof of Concepts Version 1.0 1 1. UNDERSTANDING SERVER RISK... 4 1.1. HOW TO PROTECT YOURSELF: DEVELOPING SERVER HARDENING CONFIGURATIONS...
Best Practices Series Microsoft Exchange Server 2010 in the Cloud White Paper A Step-by-Step Guide to Planning and Architecting Your Migration Introduction Microsoft Exchange Server 2010 offers a number
The Critical Security Controls for Effective Cyber Defense Version 5.0 1 Introduction... 3 CSC 1: Inventory of Authorized and Unauthorized Devices... 8 CSC 2: Inventory of Authorized and Unauthorized Software...
Unified Security Monitoring Best Practices June 8, 2011 (Revision 1) Copyright 2011. Tenable Network Security, Inc. All rights reserved. Tenable Network Security and Nessus are registered trademarks of
Deployment Guide Guide to Deploying Microsoft Exchange 2013 with Citrix NetScaler Extensive guide covering details of NetScaler ADC deployment with Microsoft Exchange 2013. Table of Contents Introduction
Load Balancing Exchange 2007 Client Access Servers using Windows Network Load- Balancing Technology In this article I will show you how you can load-balance Exchange 2007 Client Access Servers (CAS) using
BEST PRACTICES: EVENT LOG MANAGEMENT FOR SECURITY AND COMPLIANCE INITIATIVES IN THE EUROPEAN UNION By Ipswitch, Inc. Network Managment Division www.whatsupgold.com July 2010 Table of Contents Executive
Trend Micro Incorporated reserves the right to make changes to this document and to the products described herein without notice. Before installing and using the software, please review the readme files,
Understanding and Selecting a Tokenization Solution Understanding and Selecting a Tokenization Solution 1 Author s Note The content in this report was developed independently of any sponsors. It is based
Configuration Guide BES12 Version 12.1 Published: 2015-04-22 SWD-20150422113638568 Contents Introduction... 7 About this guide...7 What is BES12?...7 Key features of BES12... 8 Product documentation...
JAMF Software Server Installation and Configuration Guide for OS X Version 9.0 JAMF Software, LLC 2013 JAMF Software, LLC. All rights reserved. JAMF Software has made all efforts to ensure that this guide
CENTRIFY WHITE PAPER, FEBUARY 2012 Improving Mobile Device Security and Management with Active Directory An overview of mobile device market trends, challenges and approaches to securing and managing smart
PassTest Bessere Qualität, bessere Dienstleistungen! Q&A Exam : 70-640 Title : Windows Server 2008 Active Directory. Configuring Version : Demo 1 / 28 1.You have a single Active Directory domain. All domain