Kerberize the Enterprise

FreeIPA makes Kerberos a lot less painful.

Here is a short list of future work that I feel would help the overall adoption of Kerberos, and, in doing so, make the Enterprise adoption of IPA a lot more worthwhile.

Make it easy to do Kerberos type stuff from the Browser.

Firefox supports Kerberos. But configuring it is a PITA, and it does not let you kinit directly. This is probably best dealt with in the short term using a plugin and/or extension, but eventually, the Browser has to support this even if the OS does not.  I’ve heard rumblings along these lines from the rumor mill.

Chrome does not support Kerberos.  It needs to.

Safari is in the sort-of camp. I’ve heard some people say they need to send a password with each request.

Microsoft Kerberos is…just different.  It will always be harder to catch up with what MS does in IE.  Others can tackle this.

Optimize Kerberos Authentication with a cookie Layer

If you use form based authentication, what happens is that the initial Auth is done as a standard form submit, and the application authenticates you.  The session identifier becomes a cookie (short lived, not sotred to the hard disk) that acts as an authentication token.  Kerberos could easily take this approach.  Then, Negotiate would only be done on the initial request, and all other requests until session time out would use session auth.  It will only work under SSL, but it is secure.

Tie in a SSO option Like OAuth and or OpenID

For those systems that are not using Kerberos, but that do have session based Auth, the FreeIPA system should provide a web-centric add on for Single Sign On…We’ve discussed both OAuth and OpenID.  Feedback here is Welcome.

Make it easier to have multiple Realms co-exist on a users system

Negotiate holds its cards close to its chest.  If a browser or some other network service gets a request for Kerberos negotiation, the client doesn’t know for certain which Kerberos Realm it is in.  We need a standard method of mapping Resource to Realm.  I need to talk to Red Hat services, I need to talk to Fedora Services, and I have a few other, non-work related things I do on line that should be Kerberized as well.  For example, this blog is hosted on Dreamhost, and Ideally they would use Kerberos for Auth.  It should be pretty easy to say, in certificate form,  dreamhost.com usese the CUSTOMERS.DREAMHOST.COM realm, fedorahosted.org, fedorapeople.org use FEDORAPROJECT.ORG realm, and anything that ends in readhat.com uses the Red Hat realm.

Make use of DNS delegation for virtual machines

VMs are the way of the future for much of the common use cases.  I need to be able to create, destroy, repurpose, and share virtual machines on a regular basis.  FreeIPA supports DNS, but in order to have a full solution, you need to tie in DNS, DHCP, and VM creation all together.  I’m a big fan of IPv6, and so I think this might be a great place to do a V6 only solution: Use IUPv6 as the primary network backbone for administration, and provide a dead simple mapping from libvirt virtual machine names to DNS AAAA records.

Each user gets a subdomain.  Lets say, for sake of argument, that it is username.cloud.fedoraproject.org.  If I create a new rawhide VM for testing ipa, I get an AAAA record rawhideipa.admiyo.fedoraproject.org that points to the IPv6 address generated from my MAC address.  DNS A records become an optional resource, available on request, as they need a routable IPv4 address, which VMs don’t get by default.

I realize that most of this work is outside the realm of FreeIPA, but would benefit from having FreeIPA available to make it work or make it easier to implement.

3 thoughts on “Kerberize the Enterprise

  1. >Optimize Kerberos Authentication with a cookie Layer
    You can always use Webauth (see [1]). Webauth can be configured so that the login page (see [2]) is displayed only if the browser did not send a kerberos token to the kerberos module for apache ([2]). The web application itself might need to be modified to accept REMOTE_USER.

    The configuration of firefox for kerberos is actually not that hard (at least on Ubuntu 10.04). It is just a couple of line in file in /etc/firefox. This is done once in the original image and then cloned to all machine. Windows is another business entirely.

    Installation of a private SSL certificate in a global manner so that it survives the user profile being deleted is more problematic.

    [1] http://webauth.stanford.edu/
    [2] http://webauth.stanford.edu/install-spnego.html
    [3] http://modauthkerb.sourceforge.net/

  2. Xaviour,

    I think you misunderstand the point of [2]. It isn’t to provide a login screen, but rather a performance optimization. The “Negotiate” means of web authentication means that there is at a minimum one extra network round trip per page accessed. (I say page access as opposed to request since HTTP keep-alives optimize multiple requests for, say all the images for a page, or all the Javascript files necessary to render the IPA Web UI.) Even if the client already has a ticket for the server, it has to send an unauthenticated request, gets back a response that indicates it needs to send the credentials, and then the ticket goes to the server. Because the challenge is generated on the server, there is no way the client can pre-calculate the response.

    What I am suggesting is that the challenge and response be done only when there is no active session. If there is, the session cookie acts as the auth token. This only works if sessions are short lived, and the tunnel which sends the token back and forth is encrypted. These two requirements are easily met, and so I feel this optimization should increase performance without compromising security.

    mod_krb5 already provides an option to configure fallback to basic auth if there are no valid Kerberos credentials. We’d like to avoid using that if possible, but I’ve found it useful for demo systems and so forth. If we are forced to do a login-page, we’ll have to do some sort of session based auth, and will probably add in mod_session for that.

    Webauth sounds more like it falls into the OAuth OpenID category. I’m willing to add it to the list of SSO options we consider.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.