Next: , Previous: Configuring DNS for KDC, Up: Administration Manual


3.6 Kerberos via TLS

If Shishi is built with support for GNUTLS, the messages exchanged between clients and Shishid can be protected with TLS. TLS is only available over TCP connections. A full discussion of the features TLS have is out of scope here, but in short it means the communication is integrity and privacy protected, and that users can use OpenPGP, X.509 or SRP (i.e., any mechanism supported by TLS) to authenticate themselves to the Kerberos server. For details on the implementation, See STARTTLS protected KDC exchanges.

3.6.1 Setting up TLS resume

Resuming earlier TLS session is supported and enabled by default. This improves the speed of the TLS handshake, because results from earlier negotiations can be re-used. Currently the TLS resume database is stored in memory (in constract to storing it on disk), in both the client and in the server. Because the server typically runs for a long time, this is not a problem for that side. The client is typically not a long-running process though; the client usually is invoked as part of applications like ‘telnet’ or ‘login’. However, because each use of the client library typically result in a ticket, which is stored on disk and re-used by later processes, this is likely not a serious problem because the number of different tickets required by a user is usually quite small. For the client, TLS resume is typically only useful when you perform an initial authentication (using a password) followed by a ticket request for a service, in the same process.

You can configure the server, ‘shishid’ to never use TLS resume, or to increase or decrease the number of distinct TLS connections that can be resumed before they are garbage collected, see the ‘--resume-limit’ parameter (see Parameters for shishid).

3.6.2 Setting up Anonymous TLS

Anonymous TLS is the simplest to set up and use. In fact, only the client need to be informed that your KDC support TLS. This can be done in the configuration file with the ‘/tls’ parameter for ‘kdc-realm’ (see Shishi Configuration), or by placing the KDC address in DNS using the ‘_tls’ SRV record (see Configuring DNS for KDC).

Let's start Shishid, listening on a TCP socket. TLS require TCP. TCP sockets are automatically upgraded to TLS if the client request it.

     jas@latte:~$ /usr/local/sbin/shishid -l IPv4:*:4711/tcp
     Initializing GNUTLS...done
     Listening on IPv4:*:4711/tcp...
     Listening on 1 ports...
     shishid: Starting (GNUTLS `1.0.4')
     shishid: Listening on IPv4:*:4711/tcp socket 4

Let's use the client to talk with it, using TLS.

     jas@latte:~$ shishi -o 'realm-kdc=EXAMPLE.ORG,localhost:4711/tls \
         simon@EXAMPLE.ORG
     Enter password for `simon@EXAMPLE.ORG':
     simon@EXAMPLE.ORG:
     Authtime:       Tue Dec 16 05:20:47 2003
     Endtime:        Tue Dec 16 05:37:27 2003
     Server:         krbtgt/EXAMPLE.ORG key aes256-cts-hmac-sha1-96 (18)
     Ticket key:     aes256-cts-hmac-sha1-96 (18) protected by aes256-cts-hmac-sha1-96 (18)
     Ticket flags:   FORWARDED PROXIABLE (12)
     jas@latte:~$

On success, the server will print the following debug information.

     shishid: Accepted socket 6 from socket 4 as IPv4:*:4711/tcp peer 127.0.0.1
     shishid: Listening on IPv4:*:4711/tcp socket 4
     shishid: Listening on IPv4:*:4711/tcp peer 127.0.0.1 socket 6
     shishid: Has 4 bytes from IPv4:*:4711/tcp peer 127.0.0.1 on socket 6
     shishid: Trying STARTTLS
     shishid: TLS handshake negotiated protocol `TLS 1.0', key exchange `Anon DH', certficate type `X.509', cipher `AES 256 CBC', mac `SHA', compression `NULL', session not resumed
     shishid: TLS anonymous authentication with 1024 bit Diffie-Hellman
     shishid: Listening on IPv4:*:4711/tcp socket 4
     shishid: Listening on IPv4:*:4711/tcp peer 127.0.0.1 socket 6
     shishid: Has 131 bytes from IPv4:*:4711/tcp peer 127.0.0.1 on socket 6
     shishid: Processing 131 from IPv4:*:4711/tcp peer 127.0.0.1 on socket 6
     shishid: Trying AS-REQ
     shishid: AS-REQ from simon@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
     shishid: Matching client etype 18 against user key etype 18
     shishid: Have 511 bytes for IPv4:*:4711/tcp peer 127.0.0.1 on socket 6
     shishid: Sending 511 bytes to IPv4:*:4711/tcp peer 127.0.0.1 socket 6 via TLS
     shishid: Listening on IPv4:*:4711/tcp socket 4
     shishid: Listening on IPv4:*:4711/tcp peer 127.0.0.1 socket 6
     shishid: Peer IPv4:*:4711/tcp peer 127.0.0.1 disconnected on socket 6
     shishid: Closing IPv4:*:4711/tcp peer 127.0.0.1 socket 6
     shishid: Listening on IPv4:*:4711/tcp socket 4

3.6.3 Setting up X.509 authenticated TLS

Setting up X.509 authentication is slightly more complicated than anonymous authentication. You need a X.509 certificate authority (CA) that can generate certificates for your Kerberos server and Kerberos clients. It is often easiest to setup the CA yourself. Managing a CA can be a daunting task, and we only give the bare essentials to get things up and running. We suggest that you study the relevant literature. As a first step beyond this introduction, you may wish to explore more secure forms of key storage than storing them unencrypted on disk.

The following three sections describe how you create the CA, KDC certificate, and client certificates. You can use any tool you like for this task, as long as they generate X.509 (PKIX) certificates in PEM format and RSA keys in PKCS#1 format. Here we use certtool that come with GNUTLS, which is widely available. We conclude by discussing how you use these certificates in the KDC and in the Shishi client.

3.6.3.1 Create a Kerberos Certificate Authority

First create a CA key.

     jas@latte:~$ certtool --generate-privkey \
        --outfile /usr/local/etc/shishi/shishi.key
     Generating a private key...
     Generating a 1024 bit RSA private key...
     jas@latte:~$

Then create the CA certificate. Use whatever details you prefer.

     jas@latte:~$ certtool --generate-self-signed \
        --load-privkey /usr/local/etc/shishi/shishi.key \
        --outfile /usr/local/etc/shishi/shishi.cert
     Generating a self signed certificate...
     Please enter the details of the certificate's distinguished name. \
     Just press enter to ignore a field.
     Country name (2 chars): SE
     Organization name: Shishi Example CA
     Organizational unit name:
     Locality name:
     State or province name:
     Common name: CA
     This field should not be used in new certificates.
     E-mail:
     Enter the certificate's serial number (decimal): 0
     
     
     Activation/Expiration time.
     The generated certificate will expire in (days): 180
     
     
     Extensions.
     Does the certificate belong to an authority? (Y/N): y
     Is this a web server certificate? (Y/N): n
     Enter the e-mail of the subject of the certificate:
     
     
     X.509 certificate info:
     
     Version: 3
     Serial Number (hex): 00
     Validity:
             Not Before: Sun Dec 21 10:59:00 2003
             Not After: Fri Jun 18 11:59:00 2004
     Subject: C=SE,O=Shishi Example CA,CN=CA
     Subject Public Key Info:
             Public Key Algorithm: RSA
     
     X.509 Extensions:
             Basic Constraints: (critical)
                     CA:TRUE
     
     Is the above information ok? (Y/N): y
     
     
     Signing certificate...
     jas@latte:~$
3.6.3.2 Create a Kerberos KDC Certificate

First create the key for the KDC.

     jas@latte:~$ certtool --generate-privkey \
        --outfile /usr/local/etc/shishi/shishid.key
     Generating a private key...
     Generating a 1024 bit RSA private key...
     jas@latte:~$

Then create actual KDC certificate, signed by the CA certificate created in the previous step.

     jas@latte:~$ certtool --generate-certificate \
        --load-ca-certificate /usr/local/etc/shishi/shishi.cert \
        --load-ca-privkey /usr/local/etc/shishi/shishi.key \
        --load-privkey /usr/local/etc/shishi/shishid.key \
        --outfile /usr/local/etc/shishi/shishid.cert
     Generating a signed certificate...
     Loading CA's private key...
     Loading CA's certificate...
     Please enter the details of the certificate's distinguished name. \
     Just press enter to ignore a field.
     Country name (2 chars): SE
     Organization name: Shishi Example KDC
     Organizational unit name:
     Locality name:
     State or province name:
     Common name: KDC
     This field should not be used in new certificates.
     E-mail:
     Enter the certificate's serial number (decimal): 0
     
     
     Activation/Expiration time.
     The generated certificate will expire in (days): 180
     
     
     Extensions.
     Does the certificate belong to an authority? (Y/N): n
     Is this a web server certificate? (Y/N): n
     Enter the e-mail of the subject of the certificate:
     
     
     X.509 certificate info:
     
     Version: 3
     Serial Number (hex): 00
     Validity:
             Not Before: Sun Dec 21 11:02:00 2003
             Not After: Fri Jun 18 12:02:00 2004
     Subject: C=SE,O=Shishi Example KDC,CN=KDC
     Subject Public Key Info:
             Public Key Algorithm: RSA
     
     X.509 Extensions:
             Basic Constraints: (critical)
                     CA:FALSE
     
     Is the above information ok? (Y/N): y
     
     
     Signing certificate...
     jas@latte:~$
3.6.3.3 Create a Kerberos Client Certificate

First create the key for the client.

     jas@latte:~$ certtool --generate-privkey \
        --outfile ~/.shishi/client.key
     Generating a private key...
     Generating a 1024 bit RSA private key...
     jas@latte:~$

Then create the client certificate, signed by the CA. An alternative would be to have the KDC sign the client certificates.

     jas@latte:~$ certtool --generate-certificate \
        --load-ca-certificate /usr/local/etc/shishi/shishi.cert \
        --load-ca-privkey /usr/local/etc/shishi/shishi.key \
        --load-privkey ~/.shishi/client.key \
        --outfile ~/.shishi/client.certs
     Generating a signed certificate...
     Loading CA's private key...
     Loading CA's certificate...
     Please enter the details of the certificate's distinguished name. \
     Just press enter to ignore a field.
     Country name (2 chars): SE
     Organization name: Shishi Example Client
     Organizational unit name:
     Locality name:
     State or province name:
     Common name: Client
     This field should not be used in new certificates.
     E-mail:
     Enter the certificate's serial number (decimal): 0
     
     
     Activation/Expiration time.
     The generated certificate will expire in (days): 180
     
     
     Extensions.
     Does the certificate belong to an authority? (Y/N): n
     Is this a web server certificate? (Y/N): n
     Enter the e-mail of the subject of the certificate:
     
     
     X.509 certificate info:
     
     Version: 3
     Serial Number (hex): 00
     Validity:
             Not Before: Sun Dec 21 11:04:00 2003
             Not After: Fri Jun 18 12:04:00 2004
     Subject: C=SE,O=Shishi Example Client,CN=Client
     Subject Public Key Info:
             Public Key Algorithm: RSA
     
     X.509 Extensions:
             Basic Constraints: (critical)
                     CA:FALSE
     
     Is the above information ok? (Y/N): y
     
     
     Signing certificate...
     jas@latte:~$
3.6.3.4 Starting KDC with X.509 authentication support

The KDC need the CA certificate (to verify client certificates) and the server certificate and key (to authenticate itself to the clients). See elsewhere (see Parameters for shishid) for the entire description of the parameters.

     jas@latte:~$ shishid -l *:4711/tcp \
        --x509cafile /usr/local/etc/shishi/shishi.cert \
        --x509certfile /usr/local/etc/shishi/shishid.cert \
        --x509keyfile /usr/local/etc/shishi/shishid.key
     Initializing GNUTLS...
     Parsed 1 CAs...
     Loaded server certificate/key...
     Generating Diffie-Hellman parameters...
     Initializing GNUTLS...done
     Listening on *:4711/tcp...
     Listening on 1 ports...
     shishid: Starting (GNUTLS `1.0.4')
     shishid: Listening on *:4711/tcp socket 4

Then acquire tickets as usual. In case you wonder how shishi finds the client certificate and key, the filenames used above when generating the client certificates happen to be the default filenames for these files. So it pick them up automatically.

     jas@latte:~$ shishi -o 'realm-kdc=EXAMPLE.ORG,localhost:4711/tls' \
        simon@EXAMPLE.ORG
     Enter password for `simon@EXAMPLE.ORG':
     simon@EXAMPLE.ORG:
     Authtime:       Sun Dec 21 11:15:47 2003
     Endtime:        Sun Dec 21 11:32:27 2003
     Server:         krbtgt/EXAMPLE.ORG key aes256-cts-hmac-sha1-96 (18)
     Ticket key:     aes256-cts-hmac-sha1-96 (18) protected by aes256-cts-hmac-sha1-96 (18)
     Ticket flags:   FORWARDED PROXIABLE RENEWABLE HWAUTHENT TRANSITEDPOLICYCHECKED OKASDELEGATE (12)
     jas@latte:~$

Here is what the server would print.

     shishid: Accepted socket 6 from socket 4 as *:4711/tcp peer 127.0.0.1
     shishid: Listening on *:4711/tcp socket 4
     shishid: Listening on *:4711/tcp peer 127.0.0.1 socket 6
     shishid: Has 4 bytes from *:4711/tcp peer 127.0.0.1 on socket 6
     shishid: Trying STARTTLS
     shishid: TLS handshake negotiated protocol `TLS 1.0', key exchange `RSA', certficate type `X.509', cipher `AES 256 CBC', mac `SHA', compression `NULL', session not resumed
     shishid: TLS client certificate `C=SE,O=Shishi Example Client,CN=Client', issued by `C=SE,O=Shishi Example CA,CN=CA', serial number `00', MD5 fingerprint `a5:d3:1f:58:76:e3:58:cd:2d:eb:f7:45:a2:4b:52:f9:', activated `Sun Dec 21 11:04:00 2003', expires `Fri Jun 18 12:04:00 2004', version #3, key RSA modulus 1024 bits, currently EXPIRED
     shishid: Listening on *:4711/tcp socket 4
     shishid: Listening on *:4711/tcp peer 127.0.0.1 socket 6
     shishid: Has 131 bytes from *:4711/tcp peer 127.0.0.1 on socket 6
     shishid: Processing 131 from *:4711/tcp peer 127.0.0.1 on socket 6
     shishid: Trying AS-REQ
     shishid: AS-REQ from simon@EXAMPLE.ORG for krbtgt/EXAMPLE.ORG@EXAMPLE.ORG
     shishid: Matching client etype 18 against user key etype 18
     shishid: Have 511 bytes for *:4711/tcp peer 127.0.0.1 on socket 6
     shishid: Sending 511 bytes to *:4711/tcp peer 127.0.0.1 socket 6 via TLS
     shishid: Listening on *:4711/tcp socket 4
     shishid: Listening on *:4711/tcp peer 127.0.0.1 socket 6
     shishid: Peer *:4711/tcp peer 127.0.0.1 disconnected on socket 6
     shishid: Closing *:4711/tcp peer 127.0.0.1 socket 6
     shishid: Listening on *:4711/tcp socket 4