Re: Kerberos for Debian Edu/Squeeze?
On Sat, Apr 24, 2010 at 09:52:49PM +0200, Petter Reinholdtsen wrote:

> [Petter Reinholdtsen]
> > Posted here with his approval. Anyone with opinions on which Kerberos implementation we should use?
>
> I just committed debian-edu-config/share/debian-edu-config/tools/kerberos-kdc-init, which is a draft script to set up a Kerberos server. It is not yet non-interactive, and it does not set up LDAP as its database for principals.
>
> Not sure which Kerberos implementation we should use. Reading URL: http://grep.be/blog/en/lazyweb/re_kerberos_ldap makes me suspect Heimdal Kerberos might be a better choice than MIT Kerberos, as it has had support for storing principals in LDAP for a long time. There is also Shishi, which I know very little about.

Hi,

we should also keep in mind how we want to put the principals into LDAP. I tried to figure that out for gosa, which contains a mit-kerberos plugin: https://oss.gonicus.de/pipermail/gosa/2010-April/004516.html

Anyway, perhaps it's also possible to run a script which converts LDAP's information and feeds it into any Kerberos we want...

Regards,
Andi

--
To UNSUBSCRIBE, email to debian-edu-requ...@lists.debian.org with a subject of unsubscribe. Trouble? Contact listmas...@lists.debian.org
Archive: http://lists.debian.org/20100428135122.ga11...@flashgordon
Re: Kerberos for Debian Edu/Squeeze?
[Petter Reinholdtsen]
> Posted here with his approval. Anyone with opinions on which Kerberos implementation we should use?

I just committed debian-edu-config/share/debian-edu-config/tools/kerberos-kdc-init, which is a draft script to set up a Kerberos server. It is not yet non-interactive, and it does not set up LDAP as its database for principals.

Not sure which Kerberos implementation we should use. Reading URL: http://grep.be/blog/en/lazyweb/re_kerberos_ldap makes me suspect Heimdal Kerberos might be a better choice than MIT Kerberos, as it has had support for storing principals in LDAP for a long time. There is also Shishi, which I know very little about.

Anyone got time and interest in fixing this for Squeeze? I doubt I will find enough time to do it on my own.

Happy hacking,
--
Petter Reinholdtsen

Archive: http://lists.debian.org/20100424195249.gr10...@login2.uio.no
Re: Kerberos for Debian Edu/Squeeze?
I continue to get feedback from my kerberos blog post. I got this one mentioning interesting alternatives:

> Greetings from Ecuador.
>
> I've read your post on Kerberos and LDAP. I've set up several interoperability schemes with Kerberos and LDAP in the past. You can actually build a single sign-on domain controller for a mixed Linux/Windows environment using Heimdal and OpenLDAP.
>
> You need to store your principals in LDAP. This is easy, and Heimdal as well as MIT (though I've only done that with Heimdal) allow you to do so. You can use both OpenLDAP and 389 Directory Server (formerly Fedora DS), which runs in Debian nicely. 389 might as well give you a break with the password policies, overlays for syncing Samba-POSIX-Kerberos passwords and all the other uncomfortable stuff of Kerberos + LDAP.
>
> pam-ccreds has proven a little bit like nscd: seems good on paper, but you start to feel the heat when you bring it to practice. While I've made it work in the past, it brings newer security problems. I recall in 2007 I deployed a Debian-based distribution on over 6K workstations for Venezuela's main power utility, and ccreds worked nicely. If you unplugged the network cable while xscreensaver was on, you could log in just by pressing Enter. And, believe me, any combination of the PAM parameters made pam-ccreds unusable. So, try to use another PAM module for non-delayed non-networked authentication for roaming.
>
> I'd be glad to share any other experience with you and the people over at Skolelinux. Just let me know, and have a nice day.
>
> --
> José Miguel Parrella Romero (bureado.com.ve)
> PGP: 0x88D4B7DF
> Debian Developer
> Caracas, VE/Quito, EC

Posted here with his approval. Anyone with opinions on which Kerberos implementation we should use?

Happy hacking,
--
Petter Reinholdtsen

Archive: http://lists.debian.org/20100420050124.gd28...@login1.uio.no
Re: Web SSO using Kerberos (was: Kerberos for Debian Edu/Squeeze?)
On Wed, Apr 14, 2010 at 08:21:37PM +0200, Jonas Smedegaard wrote:

> On Wed, Apr 14, 2010 at 05:22:56PM +0200, Petter Reinholdtsen wrote:
>
> > Next step will be to use Kerberos for access control in Lwat and Nagios. I have no idea how much work that will be to implement.
>
> I believe the proper approach for Kerberizing web applications is to use either CAS or Shibboleth.

[details snipped]

> It seems to me that the highly popular SSO technology OpenID is too simple for use as web-enabling of Kerberos. Even if coupled with OAuth, I seem to understand from various critics that it is too poorly designed for enterprise security.
>
> Not stating this to start a fight (I do not know enough for more in-depth arguments than these vague accusations), just to help avoid wasting time on (popular but) weaker designs if the interest is proper strong web-enabled security designs.

After reading up on it a bit, I feel the need to correct myself: OAuth is not a weaker design, but has a different (main) purpose:

CAS and Shibboleth provide central, federated authentication for applications. Authorization - i.e., access control decisions on which user data to exchange - is optional and (yet) uncommon.

OAuth provides user authorization of user data access for application consumers. This implies authentication that can be central or decentral, but not (yet) federated.

In other words: both approaches can securely do web Single Sign-On (SSO), and both should support Kerberos as authentication backend. The difference is in what they can do _beyond_ that:

With CAS and Shibboleth we can offer external applications (like web shops wanting to provide discounts to students) a joint authentication service for all Norwegian schools or even all Skolelinux account holders in the world.

With OAuth we can offer the users to approve or deny, for each such web shop, whether it is allowed to pull (and keep up-to-date) the postal address from the school database.

So in a way Shibboleth and CAS serve extended *enterprise* needs, whereas OAuth serves extended *user* needs. Or more harshly: Shibboleth and CAS are about enforcing governing control, whereas OAuth is about passing control to the users.

Here's a post on the topic, making a comparison to how G7 countries govern the global economy: http://lists.foaf-project.org/pipermail/foaf-protocols/2010-January/001437.html

- Jonas

--
* Jonas Smedegaard - idealist Internet-arkitekt *
Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private
Re: Kerberos for Debian Edu/Squeeze?
After my blog post, I got a tip from Nils-Anders Nøttseter about LDAP integration for Kerberos to avoid having two user databases, one in LDAP and one in Kerberos. He told me it is possible to avoid this by installing the krb5-kdc-ldap package. A recipe on how to set it up is available from URL: https://help.ubuntu.com/9.10/serverguide/C/kerberos-ldap.html . I look forward to testing it.

He also mentioned that pam-ccreds and Kerberos should work just fine, with instructions on URL: https://wiki.ubuntu.com/NetworkAuthentication/Client .

I've added the Kerberos packages as suggests to the main-server and networked tasks. I picked the MIT Kerberos packages (and not the Heimdal ones), because those were the packages mentioned in the Kerberos talk I attended on Tuesday. The video and slides from that talk are now available from URL: http://www.nuug.no/aktiviteter/20100413-kerberos/ .

Happy hacking,
--
Petter Reinholdtsen

Archive: http://lists.debian.org/20100415092523.gf20...@login1.uio.no
Kerberos for Debian Edu/Squeeze?
Yesterday's NUUG presentation[1] about Kerberos was inspiring, and reminded me about the need to start using Kerberos in Skolelinux. Setting up a Kerberos server seems to be straightforward, and if we get this in place a long time before the Squeeze version of Debian freezes, we have a chance to migrate Skolelinux away from NFSv3 for the home directories, and over to an architecture where the infrastructure does not have to trust IP addresses and machines, and instead can trust users and cryptographic keys.

1 http://www.nuug.no/aktiviteter/20100413-kerberos/

A challenge will be integration and administration. Is there a Kerberos implementation for Debian where one can control the administration access in Kerberos using LDAP groups? With it, the school administration will have to maintain access control using flat files on the main server, which gives a huge potential for errors.

A related question I would like to know is how well Kerberos and pam-ccreds (offline password check) work together. Anyone know?

Next step will be to use Kerberos for access control in Lwat and Nagios. I have no idea how much work that will be to implement.

We would also need to document how to integrate with Windows AD, as such a shared network will require two Kerberos realms that need to cooperate to work properly.

I believe a good start would be to start using Kerberos on the skolelinux.no machines, and this way get ourselves experience with configuration and integration. A natural starting point would be setting up ldap.skolelinux.no as the Kerberos server, and migrating the rest of the machines from PAM via LDAP to PAM via Kerberos one at a time.

If you would like to contribute to getting this working in Skolelinux, I recommend you to see the video recording from yesterday's NUUG presentation, and start using Kerberos at home. The video should show up in a few days.

Happy hacking,
--
Petter Reinholdtsen

Archive: http://lists.debian.org/20100414152256.ga10...@login2.uio.no
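As an added illustration of the trust shift described in the message above (this is not part of the thread or of debian-edu-config), the two ways of exporting the home directories: the form that trusts the client's source address and its claimed UIDs, beside the Kerberos-backed form where each user is identified by their own ticket. The subnet, realm, host name and paths are assumed placeholders.

```text
# /etc/exports, address-trusting form: any host that can present a source
# address in the subnet may mount, and the server accepts whatever UID the
# client reports for a user (AUTH_SYS). Anyone who controls a machine in
# that range, or can spoof an address, controls every home directory.
/home  10.0.2.0/24(rw,sec=sys,no_subtree_check)

# /etc/exports, Kerberos form: mounting requires a nfs/<client host> key in
# the realm (assumed EXAMPLE.ORG), and every file operation is tied to the
# user's own ticket rather than to a UID the client asserts.
#   sec=krb5   authenticates only
#   sec=krb5i  authenticates and integrity-protects the traffic
#   sec=krb5p  authenticates and encrypts the traffic
/home  *(rw,sec=krb5p,no_subtree_check)

# client /etc/fstab entry for the Kerberos form (NFSv4 only)
nfs.example.org:/home  /home  nfs4  sec=krb5p  0  0
```

Both sides need an nfs/<hostname> principal in their keytab and the RPC GSS daemons running (rpc.svcgssd on the server, rpc.gssd on the client); a user without a valid ticket gets "permission denied" on the mount rather than an unauthenticated view of another user's files.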
Re: Kerberos for Debian Edu/Squeeze?
On Wed, 14-04-2010 at 17:22 +0200, Petter Reinholdtsen wrote:

> Yesterday's NUUG presentation[1] about Kerberos was inspiring, and reminded me about the need to start using Kerberos in Skolelinux. Setting up a Kerberos server seems to be straightforward, and if we get this in place a long time before the Squeeze version of Debian freezes, we have a chance to migrate Skolelinux away from NFSv3 for the home directories, and over to an architecture where the infrastructure does not have to trust IP addresses and machines, and instead can trust users and cryptographic keys.
>
> 1 http://www.nuug.no/aktiviteter/20100413-kerberos/
>
> A challenge will be integration and administration. Is there a Kerberos implementation for Debian where one can control the administration access in Kerberos using LDAP groups? With it, the school administration will have to maintain access control using flat files on the main server, which gives a huge potential for errors.
>
> A related question I would like to know is how well Kerberos and pam-ccreds (offline password check) work together. Anyone know?
>
> Next step will be to use Kerberos for access control in Lwat and Nagios. I have no idea how much work that will be to implement.
>
> We would also need to document how to integrate with Windows AD, as such a shared network will require two Kerberos realms that need to cooperate to work properly.
>
> I believe a good start would be to start using Kerberos on the skolelinux.no machines, and this way get ourselves experience with configuration and integration. A natural starting point would be setting up ldap.skolelinux.no as the Kerberos server, and migrating the rest of the machines from PAM via LDAP to PAM via Kerberos one at a time.
>
> If you would like to contribute to getting this working in Skolelinux, I recommend you to see the video recording from yesterday's NUUG presentation, and start using Kerberos at home. The video should show up in a few days.

Another step I'd like to add is having freeradius support in this implementation. Laptops are arriving (usually as netbooks) at the schools, and freeradius seems to be the safest way to add them to the school network via wireless. There are freeradius-krb5 and freeradius-ldap packages in Debian, so it should be an accessible step.

José L.
Re: Kerberos for Debian Edu/Squeeze?
On Wed, Apr 14, 2010 at 05:22:56PM +0200, Petter Reinholdtsen wrote:

> Next step will be to use Kerberos for access control in Lwat and Nagios. I have no idea how much work that will be to implement.

I believe the proper approach for Kerberizing web applications is to use either CAS or Shibboleth.

Regarding CAS, here is (I suspect - haven't read it myself) a good starting point (make sure JavaScript is enabled, and see each of the Children pages): http://www.ja-sig.org/wiki/display/CASC/CASifying+Applications

Shibboleth is (as I understand it) developed as part of internet2.org - an effort to generalize computer systems in higher education in the US. So even if CAS might be more widespread in commercial parts of the ICT world, it might make sense for Skolelinux to bet on Shibboleth due to its roots in an educational mindset.

More info on Shibboleth here: http://shibboleth.internet2.edu/ - try looking at the "Shibboleth in Action!" Quicktime movies at the right side.

...or if unable to watch them through the browser, here are their raw URLs for download:
http://shibboleth.internet2.edu/demo/shib_demo_media/shib_demo.mov
http://middleware.internet2.edu/co/tour/comanage-demo.mov

Both Shibboleth and CAS are partly packaged for Debian. I believe the server parts are not packaged (if I recall correctly they are both implemented as Java servlets), but the bridge parts that talk with the web apps are packaged as libapache2-mod-auth-cas and libapache2-mod-shib2.

It seems to me that the highly popular SSO technology OpenID is too simple for use as web-enabling of Kerberos. Even if coupled with OAuth, I seem to understand from various critics that it is too poorly designed for enterprise security.

Not stating this to start a fight (I do not know enough for more in-depth arguments than these vague accusations), just to help avoid wasting time on (popular but) weaker designs if the interest is proper strong web-enabled security designs.

Kind regards,

- Jonas

--
* Jonas Smedegaard - idealist Internet-arkitekt *
Tlf.: +45 40843136 Website: http://dr.jones.dk/
[x] quote me freely [ ] ask before reusing [ ] keep private