[TUHS] YP / NIS / NIS+ / LDAP
grawity at gmail.com
Wed Nov 7 05:58:04 AEST 2018
On Tue, Nov 6, 2018 at 9:18 PM Grant Taylor via TUHS <tuhs at minnie.tuhs.org>
> On 11/06/2018 12:07 AM, Mantas Mikulėnas wrote:
> > These days the modification generally consists of pam_krb5 added to the
> > system's PAM configuration.
> Hum.... I need to do some reading on that.
> > And similarly – in other protocols (IMAP, SMTP, IRC, the same LDAP) one
> > can authenticate a session via SASL, which usually wraps GSSAPI, which
> > usually wraps Kerberos.
> Complicating things is that implementations can choose to bypass SASL
> and do the GSSAPI interaction directly. Or take things even further and
> do the Kerberos interaction directly.
Though from what I've seen on their mailing list, MIT Kerberos developers
seem to recommend using GSSAPI at minimum, rather than the raw Kerberos
> Yet another reason why all these things are complicated. So many
> choices that impact other choices in the same problem domain.
> > You're right, it's primarily an authentication protocol.
> > But due to the way it works, it *also* negotiates a 'session key'
> > the user and the service, which then may be used for transport
> > (sealing).
> Does that mean that the protocols would need to retain the session key
> and use it for their other non-Kerberos specific protocols? I.e. the
> rsh daemon would need to use the session key to encrypt / decrypt the
> rsh data, after and independent of the Kerberos authentication process.
Well, they can use it, but they don't have to. It's up to the developer in
the end. The earlier kerberized protocols did, because they didn't have any
other encryption layer. Most recent protocols establish encryption in any
case (be it TLS or SSHv2 or something else) so they just don't bother
calling the SASL (or GSSAPI) seal functions.
> > It's not commonly used as far as I know – most new protocols already
> > have their own security layers such as TLS or SSH.
> I worry that other encryption protocols / methods have far surpassed
> Kerberos' encryption capability / strength.
Kerberos does include modern enctypes (such as aes128/aes256), but from
what *little* I understand about this part, it's still not as good as the
modern protocols. (E.g. complete lack of PFS – the same client or server
always uses the same master key until it's manually rotated...)
On the bright side, the *authentication* of Kerberos is solid as far as
I've heard. (Which, again I know very little about this part, but I do
remember someone saying that it has an actual security proof, as well as
being decently quantum-resistant.)
> > Actually LDAP is the only still-widespread protocol that comes to mind
> > whose implementations frequently make use of Kerberos-based encryption
> > (via GSSAPI).
> This sounds like it would be independent of LDAP over SSL (TCP 636).
> Would this Kerberos specified encryption be run over the standard LDAP
> port (TCP 389)?
(There is no technical reason why it couldn't run inside TLS, it's just
redundant – OpenLDAP doesn't mind but e.g. Active Directory explicitly
refuses to use both encryption layers at once. If you use TLS, you can
still use GSSAPI auth, but it insists that you turn off the GSSAPI
> > This is especially common in Active Directory environments, where the
> > DCs might not have a valid TLS certificate.
> I'm going to have to go pick my AD guru's brain after reading that.
> > (I seem to recall kerberized Telnet didn't survive because it was
> > limited to DES/3DES for an odd reason. Didn't quite understand why that
> > was the case, though.)
(This reminds me that I've noticed at least one of the MIT Kerberos
developers here in TUHS, who would surely know more about this than I've
gathered through barely few years of messing around.)
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the TUHS