[Freeipa-users] Understanding role of the certificate in client - server communication.

2014-03-18 Thread Genadi Postrilko
Hello all.
I'm trying to understand the use of certificates in the communication
between an IPA client and server.
The documentation describes the retrieval of the CA certificate during client
setup:
"Retrieve the CA certificate for the IdM CA"

And the retrieval of an SSL server certificate:
"Enable certmonger, retrieve an SSL server certificate, and install the
certificate in /etc/pki/nssdb"

https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/setting-up-clients.html#what-happens-clients

From my understanding, the authentication in an IPA environment is Kerberos
based, therefore the client and server share a "secret" that allows the
user to authenticate himself to the server and vice versa.
Where does the need for a certificate come from? Are some of the IPA server
services not kerberized?

Thanks in advance.
___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Re: [Freeipa-users] Understanding role of the certificate in client - server communication.

2014-03-18 Thread Rob Crittenden

Genadi Postrilko wrote:

> Hello all.
> I'm trying to understand the use of certificates in the
> communication between an IPA client and server.
> The documentation describes the retrieval of the CA certificate during client
> setup:
> "Retrieve the CA certificate for the IdM CA"
>
> And the retrieval of an SSL server certificate:
> "Enable certmonger, retrieve an SSL server certificate, and install the
> certificate in /etc/pki/nssdb"
>
> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/setting-up-clients.html#what-happens-clients
>
> From my understanding, the authentication in an IPA environment is Kerberos
> based, therefore the client and server share a "secret" that allows the
> user to authenticate himself to the server and vice versa.
> Where does the need for a certificate come from? Are some of the IPA server
> services not kerberized?


Kerberos over HTTP requires SSL, which is why the CA is retrieved and
installed.


We don't currently use the machine certificate. This was for 
future-proofing.


rob



Re: [Freeipa-users] Understanding role of the certificate in client - server communication.

2014-03-19 Thread Genadi Postrilko
Thank you for the answer.
Sorry if I lack the knowledge, but why is SSL needed when using Kerberos?
Kerberos is based on a trusted third party, so why is there a need for
public key encryption?
On Mar 19, 2014 12:24 AM, "Rob Crittenden"  wrote:

> Genadi Postrilko wrote:
>
>> Hello all.
>> I'm trying to understand the use of certificates in the
>> communication between an IPA client and server.
>> The documentation describes the retrieval of the CA certificate during client
>> setup:
>> "Retrieve the CA certificate for the IdM CA"
>>
>> And the retrieval of an SSL server certificate:
>> "Enable certmonger, retrieve an SSL server certificate, and install the
>> certificate in /etc/pki/nssdb"
>>
>> https://access.redhat.com/site/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/setting-up-clients.html#what-happens-clients
>>
>> From my understanding, the authentication in an IPA environment is Kerberos
>> based, therefore the client and server share a "secret" that allows the
>> user to authenticate himself to the server and vice versa.
>> Where does the need for a certificate come from? Are some of the IPA server
>> services not kerberized?
>>
>
> Kerberos over HTTP requires SSL, which is why the CA is retrieved and
> installed.
>
> We don't currently use the machine certificate. This was for
> future-proofing.
>
> rob
>

Re: [Freeipa-users] Understanding role of the certificate in client - server communication.

2014-03-19 Thread Alexander Bokovoy

On Wed, 19 Mar 2014, Genadi Postrilko wrote:

> Thank you for the answer.
> Sorry if I lack the knowledge, but why is SSL needed when using Kerberos?
> Kerberos is based on a trusted third party, so why is there a need for
> public key encryption?

Using Kerberos only, without asking for integrity and confidentiality
services, without channel bindings to the outer encryption, is prone to
MITM even with valid TLS channels.

Use of certificates allows performing mutual authentication at the SSL
level and later performing channel bindings of the tunnelled Kerberos
communication.

Note that Kerberos over HTTP is weak without transport level security.
HTTP authentication per se is independent of the transport.

For more details you can look at Joe Orton's talk at ApacheCon'2008:
http://www.apachecon.com/eu2008/program/materials/kerb-sso-http.pdf
--
/ Alexander Bokovoy
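The channel binding Alexander describes can be made concrete. The following is an added example, not code from this thread or from FreeIPA: it computes the RFC 5929 tls-server-end-point binding data (the literal "tls-server-end-point:" followed by a hash of the server certificate's DER encoding, the hash being chosen from the certificate's signature algorithm, with MD5 and SHA-1 replaced by SHA-256 as the RFC requires) and then compares the value a client derives from the certificate it actually saw with the value the server derives from its own certificate. When something in the path terminates TLS with a certificate of its own, even a validly signed one, the two values differ and a GSSAPI context that carries these bindings fails to establish. The certificate bytes below are a constructed stand-in that has a real Certificate's outer DER layout but is not a valid X.509 certificate, and all function names are mine. In a real client the DER would come from ssl.SSLSocket.getpeercert(binary_form=True).

```python
import hashlib
import hmac

# RFC 5929 section 4.1: hash the DER certificate with the hash function of
# its signature algorithm; MD5 and SHA-1 are replaced by SHA-256.
_HASH_FOR_SIGALG = {
    "1.2.840.113549.1.1.4": "sha256",   # md5WithRSAEncryption  -> SHA-256
    "1.2.840.113549.1.1.5": "sha256",   # sha1WithRSAEncryption -> SHA-256
    "1.2.840.113549.1.1.11": "sha256",  # sha256WithRSAEncryption
    "1.2.840.113549.1.1.12": "sha384",  # sha384WithRSAEncryption
    "1.2.840.113549.1.1.13": "sha512",  # sha512WithRSAEncryption
    "1.2.840.10045.4.1": "sha256",      # ecdsa-with-SHA1       -> SHA-256
    "1.2.840.10045.4.3.2": "sha256",    # ecdsa-with-SHA256
    "1.2.840.10045.4.3.3": "sha384",    # ecdsa-with-SHA384
    "1.2.840.10045.4.3.4": "sha512",    # ecdsa-with-SHA512
}

def _read_tlv(buf, pos):
    """Minimal DER walker: (tag, value_start, value_end) of the element at pos."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                      # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(body):
    """Decode OID contents to dotted form (first byte packs the first two arcs)."""
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm_oid(cert_der):
    """Dotted OID of Certificate.signatureAlgorithm (2nd element of the outer SEQUENCE)."""
    tag, start, _ = _read_tlv(cert_der, 0)             # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    tag, _, tbs_end = _read_tlv(cert_der, start)       # tbsCertificate, skipped whole
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, alg_start, _ = _read_tlv(cert_der, tbs_end)   # AlgorithmIdentifier
    if tag != 0x30:
        raise ValueError("signatureAlgorithm is not a SEQUENCE")
    tag, oid_start, oid_end = _read_tlv(cert_der, alg_start)
    if tag != 0x06:
        raise ValueError("AlgorithmIdentifier does not start with an OID")
    return _decode_oid(cert_der[oid_start:oid_end])

def tls_server_end_point(cert_der):
    """RFC 5929 channel-binding application data for a server certificate (DER)."""
    oid = signature_algorithm_oid(cert_der)
    algo = _HASH_FOR_SIGALG.get(oid)
    if algo is None:
        raise ValueError(f"no RFC 5929 hash mapping for signature algorithm {oid}")
    return b"tls-server-end-point:" + hashlib.new(algo, cert_der).digest()

def bindings_match(cert_seen_by_client, cert_held_by_server):
    """What the GSSAPI layer enforces: both ends must derive the same binding."""
    return hmac.compare_digest(tls_server_end_point(cert_seen_by_client),
                               tls_server_end_point(cert_held_by_server))

# --- constructed test data: NOT a real certificate ----------------------------

def _der(tag, body):
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        nb = (n.bit_length() + 7) // 8
        length = bytes([0x80 | nb]) + n.to_bytes(nb, "big")
    return bytes([tag]) + length + body

def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _der(0x06, bytes(body))

def fake_certificate(sigalg_oid, serial):
    """Stand-in with a Certificate's outer DER shape; the TBS body is a placeholder."""
    tbs = _der(0x30, _der(0x02, bytes([serial])) + _der(0x0C, b"constructed tbs placeholder"))
    alg = _der(0x30, _encode_oid(sigalg_oid) + _der(0x05, b""))
    sig = _der(0x03, b"\x00" * 33)                 # BIT STRING, 0 unused bits, dummy signature
    return _der(0x30, tbs + alg + sig)

if __name__ == "__main__":
    ipa_server = fake_certificate("1.2.840.113549.1.1.11", 1)   # the real server's cert
    interposer = fake_certificate("1.2.840.113549.1.1.11", 2)   # a TLS-terminating middlebox's cert
    print("direct connection, bindings agree:", bindings_match(ipa_server, ipa_server))
    print("TLS terminated in the middle, bindings agree:", bindings_match(interposer, ipa_server))
```

This is also what Simo's remark turns on: the binding data only protects anything if the Negotiate implementation on both sides actually passes it into the GSSAPI context (the GSS channel-bindings structure, in python-gssapi exposed as gssapi.raw.ChannelBindings with an application_data field), and a server that ignores the client's bindings accepts the context whether or not they agree.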



Re: [Freeipa-users] Understanding role of the certificate in client - server communication.

2014-03-19 Thread Simo Sorce
On Wed, 2014-03-19 at 10:56 +0200, Alexander Bokovoy wrote:
> On Wed, 19 Mar 2014, Genadi Postrilko wrote:
> >Thank you for the answer.
> >Sorry if I lack the knowledge, but why is SSL needed when using Kerberos?
> >Kerberos is based on a trusted third party, so why is there a need for
> >public key encryption?
> Using Kerberos only, without asking for integrity and confidentiality
> services, without channel bindings to the outer encryption, is prone to
> MITM even with valid TLS channels.
> 
> Use of certificates allows to perform mutual authentication at the SSL
> level and later perform channel bindings of the tunnelled Kerberos
> communication.
> 
> Note that Kerberos over HTTP is weak without transport level security.
> HTTP authentication per se is independent of the transport.
> 
> For more details you can look at Joe Orton's talk at ApacheCon'2008:
> http://www.apachecon.com/eu2008/program/materials/kerb-sso-http.pdf

Note also that Negotiate does not actually use channel binding to the
outer TLS channel in any implementation I know of :/

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Understanding role of the certificate in client - server communication.

2014-03-28 Thread Genadi Postrilko
Thank you for the answer.
Is the communication between IPA client and server HTTPS based, not just
SSL over TCP?
And what about Kerberos? Does it have to be over HTTP, or is it purely over TCP/UDP?


2014-03-19 10:56 GMT+02:00 Alexander Bokovoy :

> On Wed, 19 Mar 2014, Genadi Postrilko wrote:
>
>> Thank you for the answer.
>> Sorry if I lack the knowledge, but why is SSL needed when using Kerberos?
>> Kerberos is based on a trusted third party, so why is there a need for
>> public key encryption?
>>
> Using Kerberos only, without asking for integrity and confidentiality
> services, without channel bindings to the outer encryption, is prone to
> MITM even with valid TLS channels.
>
> Use of certificates allows to perform mutual authentication at the SSL
> level and later perform channel bindings of the tunnelled Kerberos
> communication.
>
> Note that Kerberos over HTTP is weak without transport level security.
> HTTP authentication per se is independent of the transport.
>
> For more details you can look at Joe Orton's talk at ApacheCon'2008:
> http://www.apachecon.com/eu2008/program/materials/kerb-sso-http.pdf
> --
> / Alexander Bokovoy
>

Re: [Freeipa-users] Understanding role of the certificate in client - server communication.

2014-03-28 Thread Alexander Bokovoy

On Fri, 28 Mar 2014, Genadi Postrilko wrote:

> Thank you for the answer.
> Is the communication between IPA client and server HTTPS based, not just
> SSL over TCP?

Depends on the protocol being used.

You really need to go and look per protocol.

For example:

HTTPS is used only when you are using IPA's Web UI or when IPA command
line utilities ('ipa ...') are in use. Day-to-day work on IPA clients is
usually handled by SSSD.

SSSD processes talk Kerberos and LDAP to the IPA server.

Kerberos uses its own protocol over TCP and/or UDP. Note that
Kerberos communications differ depending on the mode of operation and in
most cases include both integrity and confidentiality services where
needed.

LDAP is done with Kerberos authentication and TLS used within the LDAP
protocol over TCP.


> And what about Kerberos? Does it have to be over HTTP, or is it purely over TCP/UDP?

Kerberos does not go over HTTP. You can use Kerberos to negotiate over HTTPS,
but this is only for specific cases when someone is talking to
a kerberized web service, like IPA's Web UI or its XML-RPC endpoint.


We didn't redefine any of the existing protocols for that. There are
already tools and means to achieve secure communication channels and we
are (carefully) using them for the greater good.


> 2014-03-19 10:56 GMT+02:00 Alexander Bokovoy :
>
>> On Wed, 19 Mar 2014, Genadi Postrilko wrote:
>>
>>> Thank you for the answer.
>>> Sorry if I lack the knowledge, but why is SSL needed when using Kerberos?
>>> Kerberos is based on a trusted third party, so why is there a need for
>>> public key encryption?
>>>
>> Using Kerberos only, without asking for integrity and confidentiality
>> services, without channel bindings to the outer encryption, is prone to
>> MITM even with valid TLS channels.
>>
>> Use of certificates allows performing mutual authentication at the SSL
>> level and later performing channel bindings of the tunnelled Kerberos
>> communication.
>>
>> Note that Kerberos over HTTP is weak without transport level security.
>> HTTP authentication per se is independent of the transport.
>>
>> For more details you can look at Joe Orton's talk at ApacheCon'2008:
>> http://www.apachecon.com/eu2008/program/materials/kerb-sso-http.pdf
>> --
>> / Alexander Bokovoy
>>

--
/ Alexander Bokovoy
