Kerberos Active Directory for HP Thin Clients
Anusha T (1), Priya D (2), Prashant Ramdas Naik (3)

(1) Dept of ISE, R V College of Engineering, Karnataka, India
(2) Assistant Professor, Dept of ISE, R V College of Engineering, Karnataka, India
(3) Principal Software Designer, Hewlett Packard, India Software Operation Pvt Ltd, Mahadevpura Bangalore, Karnataka, India

Abstract-- A specialized field in computer networking involves securing computer network infrastructure. In today's computing, organizations including universities and small to medium-sized businesses have to provide a wide range of services to their users. Many of these services require a form of authentication and/or authorization to securely verify the identities of users. Thin clients are used in academic institutions, in financial sectors, for training students, for research purposes and in many other areas of science. When a user logs into his/her machine, it is essential to keep the identity of the user safe and secure. Kerberos Active Directory (KAD) is a protocol for client, server and a third party user, to perform security verifications for users and services. The Kerberos Active Directory security protocol is used to authenticate Thin Client users. This paper explains 3 mechanisms of resetting passwords. KAD has a Key Distribution Centre (KDC) controlling the flow of tickets between clients, servers and third party services. Session tickets, service tickets and the file server tickets are verified to grant access to a client and grant service from a file server.

Keywords-- Kerberos Active Directory (KAD), Key Distribution Centre (KDC), Ticket Granting Ticket (TGT), Authentication, Citrix Xen Server, Thin Clients, HPNabrowse, Fully Qualified Domain Name (FQDN), Single Sign On (SSO).

I. INTRODUCTION

KAD is a security protocol which makes use of a secret key cryptography algorithm. It works on the basis of tickets to allow nodes communicating over a non-secure network to prove their identity to each other.
In 1983, MIT developed Kerberos Active Directory Protocol to protect the network services provided by Project Athena. The algorithm provides mutual authentication between client and server over a non-secure network. Symmetric algorithms such as AES, DES and 3DES are used for encryption and decryption. A symmetric algorithm uses the same key for encryption and decryption.

A. HpnaBrowse Thin Client

Hpnabrowse is a command tool to access Citrix PNAgent services. An additional feature of HPnabrowse is providing access gateways. This agent enumerates resources, resets the user's password, launches connections to the published resources, disconnects and reconnects applications to the web interface, and provides other options.

B. Citrix Xen Server

VMWare, Xen and Hyper V are different types of servers. Citrix Xen Server is a free virtualization platform which is based on the open-source Xen hypervisor and has a Xen Center. Xen Center has a multi-server management console with core management features such as multi-server management, virtual machine (VM) templates, snapshots, shared storage support, resource pools and Xen Motion live migration, as per paper [1]. In addition, Citrix offers advanced management capabilities in the Citrix Essentials for Xen Server product line. Citrix Essentials for Xen Server is available in a number of editions, namely Enterprise and Platinum.

C. Xen App and Xen Desktop

Xen App and Xen Desktop are the resources residing on the server farm. Xen App is typically used for provisioning applications like Notepad, Wordpad or Spreadsheets on a per-user basis. Xen Desktop is typically used for provisioning customized desktops to users. The applications and desktops provisioned by Xen App and Xen Desktop are provisioned from the Virtual Machines hosted in the server farm. These resources on the server are accessed through Thin Client software or hardware.

D. Kerberos Active Directory

The primary design goal of Kerberos is to eliminate the transmission of unencrypted passwords across the network. When used properly, Kerberos effectively eliminates the threat of packet sniffers.
Another reason for using Kerberos is its open source nature. Compared with Microsoft Active Directory, Kerberos is more reliable in terms of cost and security, and it meets the company's requirement accurately. On the Linux platform, several APIs are available that help in easier integration and development.

As per paper [2], a Kerberos client (either a user or a service) requests a ticket from the KDC. The KDC generates a ticket-granting ticket (TGT) for the client, encrypts the ticket using the KDC key, and transmits the encrypted TGT to the client. The client uses the same TGT to obtain other service tickets, which provide the proof of the client's identity. Pre-authentication can be enabled for users. When pre-authentication is enabled, a user must sign on to the KDC by demonstrating knowledge of secret information. Once the identity of the user requesting a ticket is confirmed, the KDC returns a set of initial credentials for the user, consisting of a ticket granting ticket (TGT) and a session key.

When a principal (user) needs to access a service located on a file/service system, the KDC issues a service ticket for the specific service. A service ticket can be associated with one or more Kerberos-secured services on the same system. The service ticket is usually used by a client application on behalf of the user, to authenticate the user to the Kerberos-secured network service. The Kerberized client application handles the transactions with the KDC. Service tickets and associated session keys are cached in the user's credentials cache file along with the user's TGT.

Kerberos stands for:

Authentication: The confirmation that a user who is requesting services is a valid user of the network services requested.
Authorization: The granting of specific types of service to a user, based on their authentication, what services they are requesting, and the current system state.
Accounting: The tracking of the consumption of network resources by users.
Table 1 below shows the attributes of tickets and their descriptions.

Table 1: Attributes of tickets

Number. Attribute of Ticket: Description
1. tkt-vno: Version number of the ticket format. In Kerberos v.5 it is
2. Realm: Name of the realm (domain) that issued the ticket. A KDC can issue tickets only for servers in its own realm, so this is also the name of the server's realm.
3. Sname: Name of the server.
4. Flags: Ticket options.
5. Key: Session key.
6. Crealm: Name of the client's realm (domain).
7. Cname: Client's name.
8. Transited: Lists Kerberos realms taking part in authenticating the client.
9. Authtime: Time of initial authentication by the client. The KDC places a timestamp in this field when it issues a TGT. When it issues tickets based on a TGT, the KDC copies the authtime of the TGT to the authtime of the ticket.
10. Starttime: Time after which the ticket is valid.
11. Endtime: Ticket's expiration time.
12. renew-till (Opt): Maximum endtime to be set in a ticket with a RENEWABLE flag.
13. Caddr (Opt): One or more addresses from which the ticket can be used. If omitted, the ticket can be used from any address.
14. Authorization (Opt): Privilege Data attributes for the client. Kerberos does not interpret the contents of this field. Interpretation is left up to the server.
15. FORWARDABLE (TGT only): Tells the ticket-granting service that it can issue a new TGT with a different network address based on the presented TGT.
16. FORWARDED: Indicates either that a TGT has been forwarded or that a ticket was issued from a forwarded TGT.
17. PROXIABLE (TGT only): Tells the ticket-granting service that it can issue tickets with a different network address than the one in the TGT.
18. PROXY: Indicates that the network address in the ticket is different from the one in the TGT used to obtain the ticket.
19. RENEWABLE: Used in combination with the end time and renew-till fields to cause tickets with long life spans to be renewed periodically.
20. INITIAL (TGT only): Indicates that this is a TGT.

II. LITERATURE SURVEY

Paper [3] discusses Fabasoft Folio Web Management using KAD, where the administrator of the web management must have a valid Kerberos ticket. The web management runs on Microsoft Windows and Linux systems. On a Linux system, the Kerberos ticket is provided automatically if an LDAP and KDC environment is available.

As per paper [4], KAD is incorporated by Hewlett Packard technologies. HP has the following technologies that are tested with HP-UX Secure Shell: Kerberos 5/GSS-API, IPv6, Trusted Systems, TCP Wrappers, PAM (PAM_UNIX, PAM_Kerberos, and PAM_LDAP). HP-UX provides built-in support in a secure environment for Secure Kerberized Internet services such as ftp, rcp, rlogin, telnet, and remsh. Use of Kerberos in the CIFS environment provides significant security improvements over the older NT LanManager (NTLM) protocol traditionally used by CIFS clients and servers.
As per paper [5], Likewise, a corporate company, uses KAD, allowing Linux and UNIX computers to authenticate users with Microsoft Active Directory (AD). Since Microsoft Windows 2000, AD's primary authentication protocol has been Kerberos.

As per paper [6], Kerberos provides a good infrastructure for enterprise SSO. The preponderance of Microsoft Active Directory, a Kerberos-aware authentication product, means that SSO is broadly available. Unfortunately, configuring Linux and UNIX computers to properly authenticate users via Kerberos is difficult and error-prone. Likewise allows Linux and UNIX computers to authenticate users with Microsoft Active Directory. It also configures the Kerberos infrastructure on Linux and UNIX computers to communicate properly with AD. This simplifies the work that has to be done to enable Kerberized applications to support SSO. Likewise automatically configures system login to authenticate with AD and to support SSO when using SSH.

As per paper [7], Enterprise Identity Mapping (EIM) is a lookup table where each user's identities in user registries are mapped to one identifier. EIM-enabled applications can thus use the registry and allow the user to proceed without further challenge. Kerberos authentication of users using SSO does not solve the problem of multiple user registries for all classes of users. It still requires synchronising all user ids, which is not always possible or secure. Hence IBM has come up with Windows-based SSO and the EIM framework for the IBM iSeries server.
As per paper [8], to facilitate more effective use of the Kerberos ticket cache, a new format for referral data is proposed. This method includes a list of alias names as part of the returned referral information. The pseudo code for the algorithm allows an MIT Kerberos client to request and follow referrals from a Windows 2000 Kerberos KDC. It removes the need for management and administration of DNS-to-realm mapping files on Kerberos client hosts. When both name canonicalization and referral resolution problems are considered, the Windows 2000 approach has an advantage in security and ease of administration. The MIT Kerberos client's better ticket cache utilization when alias names are used, along with the realm hierarchy, can be used to reduce the number of exchanges with the KDC.

As per paper [9], IBM makes use of multi-factor authentication over the Kerberos protocol. It combines a one-time password and Kerberos to achieve two-factor authentication.

As per paper [10], HP provides common card login to Department of Defense (DOD) personnel and other contractors. The card is used as a general access card for authentication to enable access to networks and computers. Users are able to authenticate at the MFP by inserting their CAC (Common Access Card) into an attached card reader and entering a PIN, followed by certificate validation, Kerberos authentication to the network, and Active Directory data retrieval. After their card is accepted, the user can send digitally signed or scanned documents to folders.

As per paper [11], Public key Kerberos (PKINIT) is a standardized authentication and key establishment protocol, used by the Windows Active Directory subsystem. The card-based public key Kerberos is flawed. Even after a card is revoked, access to a user's card enables an adversary to impersonate the user. As a solution, the migration of the user's private key from his computer to a smart card can have severe implications for the security of the overall system.
The fix requires the KDC to initially send a nonce ns to the terminal. This nonce is then added to the data signed by the smart card and included in AS_REQ_. On reception of the AS_REQ_ message, the KDC must also ensure that the number ns in the message matches the number it generated. Note that this fix requires a message from the KDC to the terminal carrying the nonce, and a change to the AS_REQ_ message to accommodate the additional nonce.

As per paper [12], the first problem with LDAP is the fact that it is an active directory. This means that the LDAP server is being inundated with new queries, whereas an authentication service should never have more traffic. Since LDAP services provide more than just authentication, LDAP is a poor candidate as an authenticator. Kerberos incorporates the use of cryptography in order to ensure the confidentiality of authentication credentials. It is used in conjunction with an LDAP server that only allows access from connections where an authentication ticket has been granted.

As per paper [13], UNIX-based Kerberos version 5 servers are used for NFS storage authentication, using NFS versions 3 and 4, to secure storage systems. NFS version 4 is an NFS implementation that mandates Kerberos authentication as part of the NFS client and server specification. Integration of storage systems with Kerberos version 5 leads to strong NFS storage authentication.

As per paper [14], Kerberos provides assurance that the authenticated principal is an active participant in an exchange. A by-product of the Kerberos authentication protocol is the exchange of a session key between client and server. The session key is subsequently used by the application to protect the integrity and privacy of communications. The Kerberos system defines a safe message and a private message to encapsulate data for protection, but the application is free to use any method better suited to the particular data that is transmitted.
As per paper [15], a Kerberos encryption technique is used in the network for authentication and transaction security. An Authentication Server is also created that derives a 64-bit key from the user's password. The password is of arbitrary length. The generated key is then used by the authentication server to encrypt the ticket granting the transaction server, for validating an authentic transaction.

III. PROPOSED METHODOLOGY

A. Server configurations

All servers and clients that participate in a Kerberos realm must be able to communicate with each other and have accurate system clocks. Each server in a Kerberos authentication realm must be assigned an FQDN that is forward-resolvable. Kerberos also requires the server's FQDN to be reverse-resolvable.
If reverse domain name resolution is not available, set the rdns variable to false in the clients' krb5.conf. Kerberos traffic must be allowed to pass through all the firewalls between the hosts. The realm name must be configured appropriately as per [16]. The kadmin utility is an interface used to create, delete and update principals. Principals can be of 2 types: user and service.

To start the kadmin utility:

    $ kadmin -p admin/admin

To add a user:

    kadmin: addprinc user

Fig 1 System Architecture

B. Client configurations

The client settings need the krb5-user, krb5-config and libkadm55 packages. These packages are downloaded from the main repository. The krb5-config installation customizes the configuration file. To test the operation of Kerberos, a Ticket Granting Ticket is requested using the kinit command. The realm name is case sensitive. Here "administrator" is a placeholder for a valid Kerberos principal. Once the user is registered, the ticket details can be viewed using the klist command. The klist output shows the ticket expiration date and time, the principal name, and the time until which the ticket can be renewed. The kdestroy command destroys the tickets issued to the principal, which then have to be obtained again.

Once a user has obtained a TGT using kinit, they can use it to prove their identity to a network service such as file sharing or printing. This authentication process is automatic: no password is required to access network services as long as the user's TGT is valid (for security purposes, tickets expire after a period of time, and must be renewed).

Services use files called keytabs that contain a secret known only to the service and the KDC. The user authenticates themselves to the KDC and then requests information from the KDC that is encrypted using the service's shared secret. This encrypted message is sent to the client, which sends it to the service. If the service can decrypt and read the message (and the user passes other security checks), the service accepts the user's identity. The security of a keytab is vital. Malicious users with access to keytabs can impersonate network services. To avoid this, secure the keytab's file permissions with chmod, as per [13].

To test that Kerberos works and obtain a ticket from the realm:

    kinit -p [email protected]
    Password for [email protected]: ***

C. System Behaviour

Figure 1 shows the architecture of the system. The four components, KDC, hpnabrowse, PNAgent and resource farm, interact with each other for resetting of password and granting password. The user interacts with the system through a User Interface.

Step 1: Obtain user credentials, domain name and server url.
Step 2: Save the input parameters in an unintelligible format for future usage.
Step 3: Fetch the password configuration setting values.
Step 4: If value = direct_method, parse the url and make a request to the active directory for change of password. Reset the values for tickets and post the request.
Step 5: If value = proxy_method, parse the url and make a request to PNAgent for change of password.
Step 6: If value = direct_with_fall_back, parse the url and make a request for the direct method. If the password is not updated, make the request through the PNAgent path.
Step 7: If the password is valid in any of the cases from steps 4, 5 and 6, allow access for the user.
Step 8: If the password does not meet the Kerberos password requirement, deny access for the user.
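Steps 3 to 8 above can be sketched as follows. This is an added example, not code from the paper or from hpnabrowse: only the three configuration values come from the steps, while the Outcome values, the transport callables and all function names are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, Dict, List, Tuple


class Outcome(Enum):
    UPDATED = "updated"                  # the directory accepted the new password
    POLICY_REJECTED = "policy_rejected"  # fails the Kerberos password requirement
    UNREACHABLE = "unreachable"          # no answer on this path


# Hypothetical transport: (user, domain, url, old_pw, new_pw) -> Outcome.
Transport = Callable[[str, str, str, str, str], Outcome]


@dataclass
class ResetResult:
    access_granted: bool
    # (path, outcome) per attempt; passwords are never stored in the trail.
    trail: List[Tuple[str, Outcome]] = field(default_factory=list)


def plan_for(mode: str) -> List[str]:
    """Map the Step 3 configuration value to the ordered paths to try."""
    plans = {
        "direct_method": ["direct"],                   # Step 4
        "proxy_method": ["proxy"],                     # Step 5
        "direct_with_fall_back": ["direct", "proxy"],  # Step 6
    }
    if mode not in plans:
        # Fail closed: a misspelled value must not silently select a path.
        raise ValueError(f"unknown password configuration value: {mode!r}")
    return plans[mode]


def reset_password(mode: str, transports: Dict[str, Transport], user: str,
                   domain: str, url: str, old_pw: str, new_pw: str) -> ResetResult:
    """Try each planned path in order; grant access only after an update."""
    result = ResetResult(access_granted=False)
    for path in plan_for(mode):
        outcome = transports[path](user, domain, url, old_pw, new_pw)
        result.trail.append((path, outcome))
        if outcome is Outcome.UPDATED:   # Step 7: password valid, allow access
            result.access_granted = True
            break
    return result                        # Step 8: otherwise access stays denied


if __name__ == "__main__":
    # Constructed stand-ins for the directory and the PNAgent path.
    def unreachable(*_args: str) -> Outcome:
        return Outcome.UNREACHABLE

    def accepts(*_args: str) -> Outcome:
        return Outcome.UPDATED

    res = reset_password("direct_with_fall_back",
                         {"direct": unreachable, "proxy": accepts},
                         "user", "EXAMPLE", "https://farm.example/pnagent",
                         "old-secret", "new-secret")
    print(res.access_granted, [(p, o.value) for p, o in res.trail])
```

The trail records which path answered, which is what a reviewer needs to tell a directory outage from a password-policy rejection after the fact.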
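The server and client configuration sections above name three settings that are easy to get wrong: rdns in krb5.conf, the case of the realm name, and the keytab's file permissions. The check below is an added example, not part of the paper; the function names, the expected_realm and reverse_dns_available parameters and the sample configuration are assumptions, and the sample is constructed.

```python
import os
import stat
from typing import Dict, List

# Spellings treated as boolean false in this example.
FALSE_WORDS = {"false", "no", "off", "0", "n", "nil"}

# Constructed sample, not taken from the paper.
SAMPLE_CONF = """\
# client configuration (constructed)
[libdefaults]
    default_realm = example.com
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = kdc.example.com
    }
"""


def libdefaults(conf_text: str) -> Dict[str, str]:
    """Return the key/value pairs of the [libdefaults] section."""
    section, values = None, {}
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "libdefaults" and "=" in line:
            key, value = line.split("=", 1)
            values[key.strip()] = value.strip()
    return values


def audit_krb5_conf(conf_text: str, expected_realm: str,
                    reverse_dns_available: bool) -> List[str]:
    """Report realm-case and rdns problems in krb5.conf text."""
    findings = []
    opts = libdefaults(conf_text)
    realm = opts.get("default_realm")
    if realm is None:
        findings.append("default_realm is not set")
    elif realm != expected_realm:
        if realm.lower() == expected_realm.lower():
            findings.append(f"default_realm {realm!r} differs from "
                            f"{expected_realm!r} only by case; realm names "
                            "are case sensitive")
        else:
            findings.append(f"default_realm {realm!r} is not {expected_realm!r}")
    # rdns is treated as true when the key is absent.
    rdns_off = opts.get("rdns", "true").lower() in FALSE_WORDS
    if not reverse_dns_available and not rdns_off:
        findings.append("reverse DNS is unavailable but rdns is not set to false")
    return findings


def audit_keytab(path: str) -> List[str]:
    """Report a keytab that group or other users can access."""
    st = os.lstat(path)                          # do not follow symlinks
    if not stat.S_ISREG(st.st_mode):
        return [f"{path}: not a regular file"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o077:                             # any group/other bit set
        return [f"{path}: mode {mode:03o} lets group or others access "
                "the keytab; restrict it with chmod 600"]
    return []


if __name__ == "__main__":
    for finding in audit_krb5_conf(SAMPLE_CONF, "EXAMPLE.COM",
                                   reverse_dns_available=False):
        print("krb5.conf:", finding)
```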
Figure 2 shows the data flow diagram. The diagram explains the flow of data at every stage. In the initial stage the data are username, password, domain name and url. Users' passwords are encrypted in an unintelligible format and the requests and responses from every node are handled in the form of xml.

Fig 2 Data Flow Diagram for all three components.

IV. SCREEN SHOTS

Figure 3 is the User Interface for the user to enter his/her credentials. The dialog box has Name of the connection, Server URL, username, password, Domain name and other options for the user to launch the applications.

Fig 3 User Interface for the user.

Figure 4 shows the case where the new password does not meet the Kerberos requirement. A pop-up message shows the result of the executed command.

Fig 4 Password expired case (2)

Figure 5 shows the success message that pops up when the user has changed his password. In order to log in to the machine he/she must use the new set of credentials.

Fig 5 Dialog box for success message case (1)
Figure 6 shows where the password has to be reset. It says that the user password is invalid and he must set his password again for logging in.

Fig 6 Updation Failed case (3)

V. CONCLUSION

Kerberos Active Directory guards the user's credentials. The system has 3 mechanisms for resetting the user's password. In the first mechanism, the Direct Method, the hpnabrowse agent communicates directly with the active directory and authenticates the users, as the name suggests. In the second mechanism, the Proxy Method, hpnabrowse communicates with the PNAgent and the PNAgent communicates with Kerberos Active Directory. In the third mechanism, Direct with Fall Back, if the Direct Method fails, the Proxy Method takes over the responsibility of resetting the password. The time duration for each of the connections gives an important observation. The Direct Method takes 0.04 seconds to reset the password. The Proxy Method takes 0.01 seconds. The Direct with Fall Back approach takes 0.06 seconds. Thus, it is feasible to use the proxy method while resetting a user's password.

Acknowledgement

Foremost, I would like to express my sincere gratitude to my college guide and advisor Assistant Professor Priya. D and Hewlett Packard office mentor Mr. Prashant Ramdas Naik, for their motivation, enthusiasm, patience and immense knowledge. Their guidance has helped me at all times in the completion of the project and the writing of this thesis. My sincere thanks to Mr B.S Satyanarayana, Principal at RVCE, Bangalore and Mr Karthick Tharakraj, R&D Engineering Manager at Hewlett Packard Bangalore, for giving me the opportunity to perform my MTech project at HP. I am also grateful to my parents, for supporting me throughout my life.

REFERENCES

[1] Xen Server - Addressing the challenges of application and desktop virtualization, White Paper, Citrix.
[2] Jose L. Marquez, Kerberos Secure Authentication, SANS Institute InfoSec Reading Room, White Paper.
[3] Fabasoft on Linux, Fabasoft Folio Web Management, White Paper, 2013.
[4] Kerberos, Hewlett-Packard Development Company, White Paper, 2005.
[5] Manny Vellon, Likewise Security Benefits, Likewise Software, White Paper, 2007.
[6] Single Sign-On for Kerberized Linux and Unix Applications, Likewise Enterprises, White Paper, 2007.
[7] Windows-based Single Signon and the EIM Framework on the IBM@server iSeries Server, RedBooks, White Paper.
[8] Jonathan Trostle and Michael M. Swift, Implementation of Crossrealm Referral Handling in the MIT Kerberos Client, White Paper.
[9] Sandeep Ramesh Patil, Implement two factor authentications for AIX using Kerberos, White Paper, 4th Nov.
[10] Hewlett Packard, HP MFP Smart Card Authentication Solution, White Paper.
[11] Nikos Mavrogiannopoulos, Andreas Pashalidis and Bart Preneel, Security implications in Kerberos by the introduction of smart cards, ASIA CCS 12, May 2-4, 2012, Seoul, Korea.
[12] Charlie Obimbo and Benjamin Ferriman, Vulnerabilities of LDAP as an Authentication Service, Journal of Information Security, 2011, 2.
[13] Latesh Kumar K.J, Securing Storage Appliances via Unix based Kerberos Authentication, International Journal of Computer Applications, Volume 65, No 1, March.
[14] B. Clifford Neuman and Theodore Ts'o, Kerberos: An Authentication Service for Computer Networks, IEEE Communications 32 (1994), no. 9.
[15] Garima Verma, Prof R.P Arora, Implementation of highly efficient Authentication and transaction Security, International Journal of Computer Applications, Volume 21, No 3, May 2011.
[16] Kerberos community help wiki, (n.d.), Retrieved from
Step-by-Step guide to Configure Single sign-on for HTTP requests using SPNEGO web authentication
Step-by-Step guide to Configure Single sign-on for HTTP requests using SPNEGO web authentication Summary STEP-BY-STEP GUIDE TO CONFIGURE SINGLE SIGN-ON FOR HTTP REQUESTS USING SPNEGO WEB AUTHENTICATION
Configuration of Kerberos Constrained Delegation On NetScaler Revision History
Configuration of Kerberos Constrained Delegation On NetScaler Revision History Revision Date Author Contributors Comments 1.0 Dec. 2011 Raymond Initial draft 1.1 May. 2012 Raymond Added configuration section
Authentication Application
Authentication Application KERBEROS In an open distributed environment servers to be able to restrict access to authorized users to be able to authenticate requests for service a workstation cannot be
IBM SPSS Collaboration and Deployment Services Version 6 Release 0. Single Sign-On Services Developer's Guide
IBM SPSS Collaboration and Deployment Services Version 6 Release 0 Single Sign-On Services Developer's Guide Note Before using this information and the product it supports, read the information in Notices
Ensuring the security of your mobile business intelligence
IBM Software Business Analytics Cognos Business Intelligence Ensuring the security of your mobile business intelligence 2 Ensuring the security of your mobile business intelligence Contents 2 Executive
Connecting Web and Kerberos Single Sign On
Connecting Web and Kerberos Single Sign On Rok Papež ARNES [email protected] Terena networking conference Malaga, Spain, 10.6.2009 Kerberos Authentication protocol (No) authorization Single Sign On
International Journal of Computer Engineering and Technology (IJCET), ISSN 0976-6367(Print), INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING &
INTERNATIONAL JOURNAL OF COMPUTER ENGINEERING & TECHNOLOGY (IJCET) ISSN 0976-6367 (Print) ISSN 0976-6375 (Online) Volume 4, Issue 6, November - December (2013), pp. 62-69 IAEME: www.iaeme.com/ijcet.asp Journal
Remote Application Server Version 14. Last updated: 25-02-15
Remote Application Server Version 14 Last updated: 25-02-15 Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise
The following process allows you to configure exacqvision permissions and privileges for accounts that exist on an Active Directory server:
Ubuntu Linux Server & Client and Active Directory 1 Configuration The following process allows you to configure exacqvision permissions and privileges for accounts that exist on an Active Directory server:
Installing and Configuring vcenter Support Assistant
Installing and Configuring vcenter Support Assistant vcenter Support Assistant 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced
vsphere Security ESXi 6.0 vcenter Server 6.0 EN-001466-04
ESXi 6.0 vcenter Server 6.0 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions
Configuring Integrated Windows Authentication for JBoss with SAS 9.2 Web Applications
Configuring Integrated Windows Authentication for JBoss with SAS 9.2 Web Applications Copyright Notice The correct bibliographic citation for this manual is as follows: SAS Institute Inc., Configuring
Single Sign On. Configuration Checklist for Single Sign On CHAPTER
CHAPTER 39 The single sign on feature allows end users to log into a Windows client machine on a Windows domain, then use certain Cisco Unified Communications Manager applications without signing on again.
How to Configure NetScaler Gateway 10.5 to use with StoreFront 2.6 and XenDesktop 7.6.
How to Configure NetScaler Gateway 10.5 to use with StoreFront 2.6 and XenDesktop 7.6. Introduction The purpose of this document is to record the steps required to configure a NetScaler Gateway for use
Security IIS Service Lesson 6
Security IIS Service Lesson 6 Skills Matrix Technology Skill Objective Domain Objective # Configuring Certificates Configure SSL security 3.6 Assigning Standard and Special NTFS Permissions Enabling and
App Orchestration 2.0
App Orchestration 2.0 Configuring NetScaler Load Balancing and NetScaler Gateway for App Orchestration Prepared by: Christian Paez Version: 1.0 Last Updated: December 13, 2013 2013 Citrix Systems, Inc.
Contents. Supported Platforms. Event Viewer. User Identification Using the Domain Controller Security Log. SonicOS
SonicOS User Identification Using the Domain Controller Security Log Contents Supported Platforms... 1 Event Viewer... 1 Configuring Group Policy to Enable Logon Audit... 2 Events in Security Log... 4
Introduction to Mobile Access Gateway Installation
Introduction to Mobile Access Gateway Installation This document describes the installation process for the Mobile Access Gateway (MAG), which is an enterprise integration component that provides a secure
Single Sign On. Configuration Checklist for Single Sign On CHAPTER
CHAPTER 39 The single sign on feature allows end users to log into a Windows client machine on a Windows domain, then use certain Cisco Unified Communications Manager applications without signing on again.
ENTERPRISE LINUX SECURITY ADMINISTRATION
ENTERPRISE LINUX SECURITY ADMINISTRATION This highly technical course focuses on properly securing machines running the Linux operating systems. A broad range of general security techniques such as packet
Citrix Receiver for Mobile Devices Troubleshooting Guide
Citrix Receiver for Mobile Devices Troubleshooting Guide www.citrix.com Contents REQUIREMENTS...3 KNOWN LIMITATIONS...3 TROUBLESHOOTING QUESTIONS TO ASK...3 TROUBLESHOOTING TOOLS...4 BASIC TROUBLESHOOTING
Enabling Active Directory Authentication with ESX Server 1
1 Enabling Active Directory Authentication with ESX Server 1 This document provides information about how to configure ESX Server to use Active Directory for authentication. ESX Server system includes
NIST PKI 06: Integrating PKI and Kerberos (updated April 2007) Jeffrey Altman
NIST PKI 06: Integrating PKI and Kerberos (updated April 2007) Jeffrey Altman The Slow Convergence of PKI and Kerberos At Connectathon 1995 Dan Nessett of Sun Microsystems was quoted saying Kerberos will
Citrix Access on SonicWALL SSL VPN
Citrix Access on SonicWALL SSL VPN Document Scope This document describes how to configure and use Citrix bookmarks to access Citrix through SonicWALL SSL VPN 5.0. It also includes information about configuring
Smart Card Authentication. Administrator's Guide
Smart Card Authentication Administrator's Guide October 2012 www.lexmark.com Contents 2 Contents Overview...4 Configuring the applications...5 Configuring printer settings for use with the applications...5
CA Performance Center
CA Performance Center Single Sign-On User Guide 2.4 This Documentation, which includes embedded help systems and electronically distributed materials, (hereinafter referred to as the Documentation ) is
Kerberos-Based Active Directory Authentication to Support Smart Card and Single Sign-On Login to DRAC5
Kerberos-Based Active Directory Authentication to Support Smart Card and Single Sign-On Login to DRAC5 A Dell Technical White Paper Dell OpenManage Systems Management By Austin Cherian Dell Product Group
Ensure that your environment meets the requirements. Provision the OpenAM server in Active Directory, then generate keytab files.
This chapter provides information about the feature which allows end users to log into a Windows client machine on a Windows domain, then use certain Cisco Unified Communications Manager applications without
GL-550: Red Hat Linux Security Administration. Course Outline. Course Length: 5 days
GL-550: Red Hat Linux Security Administration Course Length: 5 days Course Description: This highly technical course focuses on properly securing machines running the Linux operating systems. A broad range
TELE 301 Network Management. Lecture 16: Remote Terminal Services
TELE 301 Network Management Lecture 16: Remote Terminal Services Haibo Zhang Computer Science, University of Otago TELE301 Lecture 16: Remote Terminal Services 1 Today's Focus Remote Terminal Services
qliqdirect Active Directory Guide
qliqdirect Active Directory Guide qliqdirect is a Windows Service with Active Directory Interface. qliqdirect resides in your network/server and communicates with qliqsoft cloud servers securely. qliqdirect
BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note
BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise
FreeIPA 3.3 Trust features
FreeIPA 3.3 features Sumit Bose, Alexander Bokovoy March 2014 FreeIPA and Active Directory FreeIPA and Active Directory both provide identity management solutions on top of the Kerberos infrastructure
Centrify Identity and Access Management for Cloudera
Centrify Identity and Access Management for Cloudera Integration Guide Abstract Centrify Server Suite is an enterprise-class solution that secures Cloudera Enterprise Data Hub leveraging an organization
Connection Broker Managing User Connections to Workstations, Blades, VDI, and More. Quick Start with Microsoft Hyper-V
Connection Broker Managing User Connections to Workstations, Blades, VDI, and More Quick Start with Microsoft Hyper-V Version 8.1 October 21, 2015 Contacting Leostream Leostream Corporation http://www.leostream.com
Configuring Integrated Windows Authentication for Oracle WebLogic with SAS 9.2 Web Applications
Configuring Integrated Windows Authentication for Oracle WebLogic with SAS 9.2 Web Applications Copyright Notice The correct bibliographic citation for this manual is as follows: SAS Institute Inc., Configuring
Web Interface with Active Directory Federation Services Support Administrator's Guide
Web Interface with Active Directory Federation Services Support Administrator's Guide Web Interface with Active Directory Federation Services (ADFS) Support Citrix Presentation Server 4.0 for Windows Copyright
Troubleshooting Kerberos Errors
Troubleshooting Kerberos Errors Abstract Microsoft Corporation Published: March 2004 This white paper can help you troubleshoot Kerberos authentication problems that might occur in a Microsoft Windows
Use Enterprise SSO as the Credential Server for Protected Sites
Webthority HOW TO Use Enterprise SSO as the Credential Server for Protected Sites This document describes how to integrate Webthority with Enterprise SSO version 8.0.2 or 8.0.3. Webthority can be configured
Single Sign-On Secure Authentication Password Mechanism
Single Sign-On Secure Authentication Password Mechanism Deepali M. Devkate, N.D.Kale ME Student, Department of CE, PVPIT, Bavdhan, SavitribaiPhule University Pune, Maharashtra,India. Assistant Professor,
A Guide to New Features in Propalms OneGate 4.0
A Guide to New Features in Propalms OneGate 4.0 Propalms Ltd. Published April 2013 Overview This document covers the new features, enhancements and changes introduced in Propalms OneGate 4.0 Server (previously
Use of EASE Code of Practice. This code of practice is also qualified by The University of Edinburgh computing regulations, found at:
Use of EASE Code of Practice Introduction This code of practice is intended to support the Information Security Policy of the University and should be read in conjunction with this document. http://www.ed.ac.uk/schools-departments/information-services/about/policiesandregulations/security-policies/security-policy
WHITE PAPER. Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ)
WHITE PAPER Smart Card Authentication for J2EE Applications Using Vintela SSO for Java (VSJ) SEPTEMBER 2004 Overview Password-based authentication is weak and smart cards offer a way to address this weakness,
Deploying the BIG-IP LTM and APM with Citrix XenApp or XenDesktop
Deployment Guide Deploying the BIG-IP LTM and APM with Citrix XenApp or XenDesktop Welcome to the F5 deployment guide for Citrix VDI applications, including XenApp and XenDesktop with the BIG-IP v11.2
User-ID Best Practices
User-ID Best Practices PAN-OS 5.0, 5.1, 6.0 Revision A 2011, Palo Alto Networks, Inc. www.paloaltonetworks.com Table of Contents PAN-OS User-ID Functions... 3 User / Group Enumeration... 3 Using LDAP Servers
Common Criteria Security Target For XenApp 6.0 for Windows Server 2008 R2 Platinum Edition
Common Criteria Security Target For XenApp 6.0 for Windows Server 2008 R2 Platinum Edition Version 1-0 7 February 2011 2011 Citrix Systems, Inc. All rights reserved. Summary of Amendments Version 1-0 7
Setting Up Resources in VMware Identity Manager
Setting Up Resources in VMware Identity Manager VMware Identity Manager 2.4 This document supports the version of each product listed and supports all subsequent versions until the document is replaced
OpenHRE Security Architecture. (DRAFT v0.5)
OpenHRE Security Architecture (DRAFT v0.5) Table of Contents Introduction Assumptions
Security Overview Enterprise-Class Secure Mobile File Sharing
Security Overview Enterprise-Class Secure Mobile File Sharing Accellion, Inc. 1 Overview 3 End to End Security 4 File Sharing Security Features 5 Storage 7 Encryption 8 Audit Trail 9 Accellion Public Cloud
SSSD Active Directory Improvements
FreeIPA Training Series SSSD Active Directory Improvements Jakub Hrozek January 2013 Contents of the presentation 1.Overview of Active Directory related improvements 2.Range attributes support 3.Mapping
INUVIKA TECHNICAL GUIDE
INUVIKA TECHNICAL GUIDE SINGLE SIGN-ON WITH MICROSOFT ACTIVE DIRECTORY USING KERBEROS OVD Enterprise
How To Install Ctera Agent On A Pc Or Macbook With Acedo (Windows) On A Macbook Or Macintosh (Windows Xp) On An Ubuntu 7.5.2 (Windows 7) On Pc Or Ipad
Deploying CTERA Agent via Microsoft Active Directory and Single Sign On Cloud Attached Storage September 2015 Version 5.0 Copyright 2009-2015 CTERA Networks Ltd. All rights reserved. No part of this document
Recommended Practices for Deploying & Using Kerberos in Mixed Environments
Recommended Practices for Deploying & Using Kerberos in Mixed Environments Introduction This document explores some of the many issues that emerge when deploying and using Kerberos in mixed environments,
Theorie Practical part Outlook. Kerberos. Secure and efficient authentication and key distribution. Johannes Lötzsch and Meike Zehlike
Secure and efficient authentication and key distribution October 27, 2009 Table of content Theorie Why to use SingleSignOn TGT ross-realm-authentication Practical part Setup your own -server kadmin (add
Teamcenter 10.1. Security Services Installation/Customization. Publication Number TSS00001 R
Teamcenter 10.1 Security Services Installation/Customization Publication Number TSS00001 R Proprietary and restricted rights notice This software and related documentation are proprietary to Siemens Product
Implementation notes on Integration of Avaya Aura Application Enablement Services with Microsoft Lync 2010 Server.
Implementation notes on Integration of Avaya Aura Application Enablement Services with Microsoft Lync 2010 Server. Introduction The Avaya Aura Application Enablement Services Integration for Microsoft
