You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@directory.apache.org by bu...@apache.org on 2013/02/11 01:42:21 UTC
svn commit: r850171 - in /websites/staging/directory/trunk/content: ./
apacheds/kerberos-ug/ apacheds/kerberos-ug/images/
Author: buildbot
Date: Mon Feb 11 00:42:20 2013
New Revision: 850171
Log:
Staging update by buildbot for directory
Added:
websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.6-as.html
websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.7-tgs.html
websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-no-padata.graphml (with props)
websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-no-padata.png (with props)
websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-padata.graphml (with props)
websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-padata.png (with props)
Modified:
websites/staging/directory/trunk/content/ (props changed)
websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.5-database.html
Propchange: websites/staging/directory/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Mon Feb 11 00:42:20 2013
@@ -1 +1 @@
-1444569
+1444642
Modified: websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.5-database.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.5-database.html (original)
+++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.5-database.html Mon Feb 11 00:42:20 2013
@@ -145,6 +145,13 @@
</em> The Kerberos protocol
<em> The Authentication Server
</em> The Ticket Granting Server</p>
+<p>We will focus on the database in this section.</p>
+<h2 id="storage">Storage</h2>
+<p>We store everthing related to users, hosts and services in the LDAP base, as entries. In order to be able to retrieve them, we have to store them in a known place in the hierarchy. This position is fknown by the kerberos server using the
+<strong>Search Base DN</strong> parameter.</p>
+<p>Everytime the <strong>Kerberos</strong> server received a request for a ticket from a principal, it will do a LDAP search starting from the <strong>Search Base DN</strong>, looking for any entry matching the filter <em>'(krb5PrincipalName=<the principal>)'</em>. This entry should contain the Kerberos keys that will be used to generate the ticket.</p>
+<p>One more requirement : the key as a version which allows a user to keep going with a previous key when he just changed its password (an operation that will change the Kerberos keys). </p>
+<p>So for an LDAP entry to be seen as a valid Kerberos entry, it has to contain a <em>Krb5PrincipalName</em>, a <em>Krb5Key</em> and one more attribute, the <em>Krb5KeyVersionNumber</em>.</p>
<h2 id="structure">Structure</h2>
<p>There is an existing <strong>LDAP</strong> schema to manage the keys and other information, named <strong>krb5kdc</strong>. It contains 3 ObjectClasses and 15 AttributeTypes.</p>
<p>All the ObjectClasses are auxilliary.</p>
Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.6-as.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.6-as.html (added)
+++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.6-as.html Mon Feb 11 00:42:20 2013
@@ -0,0 +1,192 @@
+<!DOCTYPE html>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<html>
+ <head>
+ <title>1.1.6 - AS (Authentication Server) — Apache Directory</title>
+
+ <link href="./../../css/common.css" rel="stylesheet" type="text/css">
+ <link href="./../../css/green.css" rel="stylesheet" type="text/css">
+
+
+ <link rel="shortcut icon" href="./../../images/server-icon_16x16.png">
+
+ <!-- Google Analytics -->
+ <script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
+ <script type="text/javascript">
+ _uacct = "UA-1358462-1";
+ urchinTracker();
+ </script>
+ </head>
+ <body>
+ <div id="container">
+ <div id="header">
+ <div id="subProjectsNavBar">
+ <a href="./../../">
+
+ Apache Directory Project
+
+ </a>
+ |
+ <a href="./../../apacheds">
+
+ <STRONG>ApacheDS</STRONG>
+
+ </a>
+ |
+ <a href="./../../studio">
+
+ Apache Directory Studio
+
+ </a>
+ |
+ <a href="./../../api">
+
+ Apache LDAP API
+
+ </a>
+ </div><!-- subProjectsNavBar -->
+ </div><!-- header -->
+ <div id="content">
+ <div id="leftColumn">
+
+<div id="navigation">
+
+ <h5>ApacheDS 2.0</h5>
+ <ul>
+ <li><a href="./../../apacheds/">Home</a></li>
+ <li><a href="./../../apacheds/features.html">Features</a></li>
+ </ul>
+ <h5>Downloads</h5>
+ <ul>
+ <li><a href="./../../apacheds/downloads.html">ApacheDS 2.0.0-M10</a> <img src="./../../images/new_badge.gif" alt="" style="margin-bottom:-3px;" border="0"></li>
+ <li><a href="./../../apacheds/download-old-versions.html">Older versions</a></li>
+ </ul>
+ <h5>Documentation</h5>
+ <ul>
+ <li><a href="./../../apacheds/basic-user-guide.html">Basic User Guide </a></li>
+ <li><a href="./../../apacheds/advanced-user-guide.html">Advanced User Guide</a></li>
+ <li><a href="./../../apacheds/developer-guide.html">Developer Guide</a></li>
+ <li><a href="./../../apacheds/kerberos-user-guide.html">Kerberos User Guide</a></li>
+ <li><a href="./../../apacheds/configuration/ads-2.0-configuration.html">Configuration</a></li>
+ <!--li><a href="./../../apacheds/gen-docs/latest">Generated Reports (e.g. JavaDocs)</a></li-->
+ </ul>
+
+
+ <h5>Support</h5>
+ <ul>
+ <li><a href="./../../mailing-lists-and-irc.html">Mailing Lists & IRC</a></li>
+ <li><a href="./../../sources.html">Sources</a></li>
+ <li><a href="./../../issue-tracking.html">Issue Tracking</a></li>
+ <li><a href="./../../commercial-support.html">Commercial Support</a></li>
+ </ul>
+ <h5>Community</h5>
+ <ul>
+ <li><a href="./../../contribute.html">How to Contribute</a></li>
+ <li><a href="./../../team.html">Team</a></li>
+ <li><a href="./../../original-project-proposal.html">Original Project Proposal</a></li>
+ <li><a href="./../../special-thanks.html" class="external-link" rel="nofollow">Special Thanks</a></li>
+ </ul>
+ <h5>About Apache</h5>
+ <ul>
+ <li><a href="http://www.apache.org/">Apache</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+ <li><a href="http://www.apache.org/security/">Security</a></li>
+ </ul>
+ <a href="http://acna13.eventbrite.com/?ref=ecount"><img src="http://holdenweb.com/static/images/BannerSquareSmall.png" width="168" height="140"></a>
+
+</div><!-- navigation -->
+
+ </div><!-- leftColumn -->
+ <div id="rightColumn">
+
+
+ <div class="nav">
+ <div class="nav_prev">
+
+ <a href="1.1.5-database.html">1.1.5 - Database</a>
+
+ </div>
+ <div class="nav_up">
+
+ <a href="1.1-introduction.html">1.1 - Introduction</a>
+
+ </div>
+ <div class="nav_next">
+
+ <a href="1.1.7-tgs.html">1.1.7 - TGS (Ticket Granting Server)</a>
+
+ </div>
+ <div class="clearfix"></div>
+ </div>
+
+
+<h1 id="116-as-authentication-server">1.1.6 - AS (Authentication Server)</h1>
+<p>One of the two services offered by a <strong>Kerberos</strong> server is the Authentication Server, which is in charge to authenticate the clients, and issues a ticket (<strong>TGT</strong>, or <em>Ticket Granting Ticket</em>)that the user can send to the <strong>TGS</strong> to get back a service ticket.</p>
+<p><DIV class="info" markdown="1">
+The <strong>TGT</strong>, or <em>Ticket Granting Ticket</em>, is a ticket that a client can use to get a service ticket. In fact, the <strong>AS</strong> just consider the <strong>TGS</strong> as a standard service, and generates a ticket for the user to access this service.
+</DIV></p>
+<p>The beauty of the <strong>AS</strong> is that it does not verify that the client issuing a request is a valid client : it just return a tickat that an attacker won't be able to process if it does not have the client's password.</p>
+<h2 id="exhanges-between-the-client-and-the-as">Exhanges between the client and the AS</h2>
+<p>As we can see, for the client to get a <strong>TGT</strong>, it's just a matter of sending a simple request, which is sent without any encryption whatsoever (some might consider that a BER encoded message is already cryptic enough, though ;-).</p>
+<p>Here is the standard exchange :</p>
+<p><DIV align="center">
+<img alt="Kerberos Authentication with no pre-auth" src="images/kerberos-as-no-padata.png" />
+</DIV></p>
+<p>There is still a potential security breach in this scenario : as the server issues a <strong>TGT</strong> to the client, containing the secret key built using the user's password, it's potentially possible to decrypt the ticket using a brute force attack (and this is more likely to happen as the passwords are generally weak...)</p>
+<p>Of course, as each ticket as a limited time to live, the ticket won't be valid when the attaker will have successfully cracked the ticket, but that doesn't matter : the user's password is now known, and a new ticket can be requested safely, giving access to the services.</p>
+<p><strong>Kerberos 5</strong> introduced a mechanism to somehow workaround this issue : the user has to provide a proof that he is who he pretends to be. As we can see, it defeats the premise we made : the <strong>Kerberos</strong> still want to check the users...</p>
+<p>Note that it's an option, so if you trust your users' password strength, then you don't need to send the server this proof.</p>
+<h3 id="pre-authentication">Pre-Authentication</h3>
+<p>Now, let's see how does a client 'proves' that he is who he pretends to be. The protocol allows the server to ask for some proof, by the mean of asking the client to send the server a timestamp encrypted with the user's secret key : if the server can decrypt the timestamp using the client secret key, then that prove the client's identity, and the server can now send the <strong>TGT</strong> This exchanged is called PreAuthentication.</p>
+<p>Here is the exchange, when :</p>
+<p><DIV align="center">
+<img alt="Kerberos Authentication with pre-auth" src="images/kerberos-as-padata.png" />
+</DIV></p>
+
+
+ <div class="nav">
+ <div class="nav_prev">
+
+ <a href="1.1.5-database.html">1.1.5 - Database</a>
+
+ </div>
+ <div class="nav_up">
+
+ <a href="1.1-introduction.html">1.1 - Introduction</a>
+
+ </div>
+ <div class="nav_next">
+
+ <a href="1.1.7-tgs.html">1.1.7 - TGS (Ticket Granting Server)</a>
+
+ </div>
+ <div class="clearfix"></div>
+ </div>
+
+
+ </div><!-- rightColumn -->
+ <div id="endContent"></div>
+ </div><!-- content -->
+ <div id="footer">© 2003-2012, <a href="http://www.apache.org">The Apache Software Foundation</a> - <a href="./../../privacy-policy.html">Privacy Policy</a><br />
+ Apache Directory, ApacheDS, Apache Directory Server, Apache Directory Studio, Apache LDAP API, Apache Triplesec, Triplesec, Apache, the Apache feather logo, and the Apache Directory project logos are trademarks of The Apache Software Foundation.
+ </div>
+ </div><!-- container -->
+ </body>
+</html>
\ No newline at end of file
Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.7-tgs.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.7-tgs.html (added)
+++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.7-tgs.html Mon Feb 11 00:42:20 2013
@@ -0,0 +1,180 @@
+<!DOCTYPE html>
+<!--
+ Licensed to the Apache Software Foundation (ASF) under one or more
+ contributor license agreements. See the NOTICE file distributed with
+ this work for additional information regarding copyright ownership.
+ The ASF licenses this file to You under the Apache License, Version 2.0
+ (the "License"); you may not use this file except in compliance with
+ the License. You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+-->
+<html>
+ <head>
+ <title>1.1.7 - TGS (Ticket Granting Server) — Apache Directory</title>
+
+ <link href="./../../css/common.css" rel="stylesheet" type="text/css">
+ <link href="./../../css/green.css" rel="stylesheet" type="text/css">
+
+
+ <link rel="shortcut icon" href="./../../images/server-icon_16x16.png">
+
+ <!-- Google Analytics -->
+ <script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
+ <script type="text/javascript">
+ _uacct = "UA-1358462-1";
+ urchinTracker();
+ </script>
+ </head>
+ <body>
+ <div id="container">
+ <div id="header">
+ <div id="subProjectsNavBar">
+ <a href="./../../">
+
+ Apache Directory Project
+
+ </a>
+ |
+ <a href="./../../apacheds">
+
+ <STRONG>ApacheDS</STRONG>
+
+ </a>
+ |
+ <a href="./../../studio">
+
+ Apache Directory Studio
+
+ </a>
+ |
+ <a href="./../../api">
+
+ Apache LDAP API
+
+ </a>
+ </div><!-- subProjectsNavBar -->
+ </div><!-- header -->
+ <div id="content">
+ <div id="leftColumn">
+
+<div id="navigation">
+
+ <h5>ApacheDS 2.0</h5>
+ <ul>
+ <li><a href="./../../apacheds/">Home</a></li>
+ <li><a href="./../../apacheds/features.html">Features</a></li>
+ </ul>
+ <h5>Downloads</h5>
+ <ul>
+ <li><a href="./../../apacheds/downloads.html">ApacheDS 2.0.0-M10</a> <img src="./../../images/new_badge.gif" alt="" style="margin-bottom:-3px;" border="0"></li>
+ <li><a href="./../../apacheds/download-old-versions.html">Older versions</a></li>
+ </ul>
+ <h5>Documentation</h5>
+ <ul>
+ <li><a href="./../../apacheds/basic-user-guide.html">Basic User Guide </a></li>
+ <li><a href="./../../apacheds/advanced-user-guide.html">Advanced User Guide</a></li>
+ <li><a href="./../../apacheds/developer-guide.html">Developer Guide</a></li>
+ <li><a href="./../../apacheds/kerberos-user-guide.html">Kerberos User Guide</a></li>
+ <li><a href="./../../apacheds/configuration/ads-2.0-configuration.html">Configuration</a></li>
+ <!--li><a href="./../../apacheds/gen-docs/latest">Generated Reports (e.g. JavaDocs)</a></li-->
+ </ul>
+
+
+ <h5>Support</h5>
+ <ul>
+ <li><a href="./../../mailing-lists-and-irc.html">Mailing Lists & IRC</a></li>
+ <li><a href="./../../sources.html">Sources</a></li>
+ <li><a href="./../../issue-tracking.html">Issue Tracking</a></li>
+ <li><a href="./../../commercial-support.html">Commercial Support</a></li>
+ </ul>
+ <h5>Community</h5>
+ <ul>
+ <li><a href="./../../contribute.html">How to Contribute</a></li>
+ <li><a href="./../../team.html">Team</a></li>
+ <li><a href="./../../original-project-proposal.html">Original Project Proposal</a></li>
+ <li><a href="./../../special-thanks.html" class="external-link" rel="nofollow">Special Thanks</a></li>
+ </ul>
+ <h5>About Apache</h5>
+ <ul>
+ <li><a href="http://www.apache.org/">Apache</a></li>
+ <li><a href="http://www.apache.org/licenses/">License</a></li>
+ <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+ <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+ <li><a href="http://www.apache.org/security/">Security</a></li>
+ </ul>
+ <a href="http://acna13.eventbrite.com/?ref=ecount"><img src="http://holdenweb.com/static/images/BannerSquareSmall.png" width="168" height="140"></a>
+
+</div><!-- navigation -->
+
+ </div><!-- leftColumn -->
+ <div id="rightColumn">
+
+
+ <div class="nav">
+ <div class="nav_prev">
+
+ <a href="1.1.6-as.html">1.1.6 - As (Authentication Server)</a>
+
+ </div>
+ <div class="nav_up">
+
+ <a href="1.1-introduction.html">1.1 - Introduction</a>
+
+ </div>
+ <div class="nav_next">
+
+ <a href="1.1.8-tickets.html">1.1.8 - Tickets</a>
+
+ </div>
+ <div class="clearfix"></div>
+ </div>
+
+
+<h1 id="117-tgs-ticket-granting-server">1.1.7 - TGS (Ticket Granting Server)</h1>
+<p>The second major service is the <strong>Ticket Granting Server</strong>, which is the service that delivers tickets for all the managed services to the users.</p>
+<p>A client can access to this service fater having been authenticated - ie, after having received a ticket allowing it to access the <strong>TGS</strong> from the <strong>AS</strong> -.</p>
+<p>At this point, all the exchanges are encrypted using the user session key. </p>
+<p>Ther is not too much to tell about this service, except that ach request sent by the client contains the targeted service principal name, and the ticket issued by the <strong>AS</strong>.</p>
+<h2 id="how-it-works">How it works ?</h2>
+<p>When the <strong>TGS</strong> receives a request, it will read the ticket contained in the request, and will validate it. If the ticket has been issued by the <strong>AS</strong>, then the <strong>TGS</strong> has the <strong>AS</strong> secret key and can decrypt the ticket, otherwise it's potentially a forged ticket, and it will be discarded.</p>
+<p>The <strong>TGS</strong> then generate a ticket for the targted service, and enncryt it using the service's secret key, then encapsulate this encypted ticket into a response which will be itself encrypted using the client's secret key.</p>
+<p>The client will receive this response, will decrypt it and extract the encypted ticket, and will send this encrypted ticket to the targeted service, which will be able to decrypt it and validate it.</p>
+<p>Of course, in the mean time, many checks will be done relative to the ticket validity, so one can be assured that the service is only accessible by those with the credential to do so.</p>
+
+
+ <div class="nav">
+ <div class="nav_prev">
+
+ <a href="1.1.6-as.html">1.1.6 - As (Authentication Server)</a>
+
+ </div>
+ <div class="nav_up">
+
+ <a href="1.1-introduction.html">1.1 - Introduction</a>
+
+ </div>
+ <div class="nav_next">
+
+ <a href="1.1.8-tickets.html">1.1.8 - Tickets</a>
+
+ </div>
+ <div class="clearfix"></div>
+ </div>
+
+
+ </div><!-- rightColumn -->
+ <div id="endContent"></div>
+ </div><!-- content -->
+ <div id="footer">© 2003-2012, <a href="http://www.apache.org">The Apache Software Foundation</a> - <a href="./../../privacy-policy.html">Privacy Policy</a><br />
+ Apache Directory, ApacheDS, Apache Directory Server, Apache Directory Studio, Apache LDAP API, Apache Triplesec, Triplesec, Apache, the Apache feather logo, and the Apache Directory project logos are trademarks of The Apache Software Foundation.
+ </div>
+ </div><!-- container -->
+ </body>
+</html>
\ No newline at end of file
Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-no-padata.graphml
==============================================================================
Binary file - no diff available.
Propchange: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-no-padata.graphml
------------------------------------------------------------------------------
svn:mime-type = application/xml
Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-no-padata.png
==============================================================================
Binary file - no diff available.
Propchange: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-no-padata.png
------------------------------------------------------------------------------
svn:mime-type = image/png
Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-padata.graphml
==============================================================================
Binary file - no diff available.
Propchange: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-padata.graphml
------------------------------------------------------------------------------
svn:mime-type = application/xml
Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-padata.png
==============================================================================
Binary file - no diff available.
Propchange: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-padata.png
------------------------------------------------------------------------------
svn:mime-type = image/png