Being a user on a network that uses single sign-on (SSO) is very convenient. Another benefit, the "other thing" that users don't generally concern themselves with, is increased security: your password is typed into, sent to and stored by far fewer programs. The Kerberos Network Authentication Protocol, developed at MIT in the 1980s, is the open standard that has been adopted widely.
On your network, the more services that use SSO authentication, the greater the benefit of SSO. This is commonly called the "Fax Effect" (the more people that own fax machines, the greater the benefit to each fax machine owner). Today many services are able to use Kerberos authentication either directly, or indirectly through GSSAPI or SASL+GSSAPI.
Some of these services include:
* SQL Servers (PostgreSQL, Oracle)
* SMTP (Postfix, Sendmail)
* IMAP (Cyrus-imapd, Dovecot)
* Email clients (Evolution, Thunderbird, Kmail)
* SSH (OpenSSH)
* telnet/ftp/rlogin/rsh
* rsync (via ssh)
* Web Applications (Apache +mod_auth_kerb or IIS plus Mozilla/Firefox/Konqueror/IE)
* File Servers (NFSv3/v4 with "sec=krb5" on Linux, or Samba)
* Print Servers (LPRng or later this year, CUPS)
* Network equipment (Cisco IOS and others)
Here at Guru Labs, we have been on a multi-year mission to get every service on our network using Kerberos authentication. Not just with Kerberos, but across the board we try to develop best practices, "dog food" them and then write about them in our Linux courseware and training.
One service we recently Kerberized was our Jabber instant messaging server. Getting Jabber Kerberized is very nice, particularly when using Gaim. If you configure Gaim to store your passwords (not the default, but very conveniently tempting), it stores them in plaintext in your ~/.gaim/accounts.xml file. With GSSAPI authentication the client proves who you are with your Kerberos ticket, so there is no password for Gaim to remember, and nothing to leak if that file is read or backed up.
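A check to run before (and after) switching Jabber accounts over to GSSAPI: find the accounts that still have a password written into accounts.xml, and whether that file is readable by anyone but the owner. This is an added example, not code from the original post or from Gaim; the layout it parses (a root `<account>` element holding one `<account>` child per IM account, each with `<protocol>`, `<name>` and an optional `<password>`) is assumed from Gaim 1.5-era files, and the sample file embedded below is constructed, not a real user's.

```python
"""Audit a Gaim 1.x accounts.xml for IM passwords stored on disk.

Added example, not part of the original post or of Gaim itself. The file
layout assumed here (root <account> with one <account> child per IM account,
each carrying <protocol>, <name> and optionally <password>) matches Gaim
1.5-era files; verify it against your own ~/.gaim/accounts.xml.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample, not a real user's file: two Jabber accounts (one with a
# saved password) and one AIM/ICQ account with a saved password.
SAMPLE_ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@example.com/Gaim</name>
    <password>hunter2</password>
  </account>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>bob@example.com/Gaim</name>
  </account>
  <account>
    <protocol>prpl-oscar</protocol>
    <name>carol123</name>
    <password>swordfish</password>
  </account>
</account>
"""


def stored_passwords(xml_text):
    """Return [(protocol, name)] for every account with a saved password.

    The password value itself is deliberately not returned: the job is to
    report the exposure, not to copy the secret somewhere else.
    """
    if isinstance(xml_text, str):
        xml_text = xml_text.encode("utf-8")
    root = ET.fromstring(xml_text)
    found = []
    for acct in root.findall("account"):  # direct <account> children only
        if acct.findtext("password"):  # present and non-empty
            found.append((acct.findtext("protocol", ""), acct.findtext("name", "")))
    return found


def jabber_accounts_with_passwords(xml_text):
    """The subset of stored_passwords() that can drop <password> entirely once
    client and server both speak SASL GSSAPI (i.e. the Jabber accounts)."""
    return [(p, n) for p, n in stored_passwords(xml_text) if p == "prpl-jabber"]


def readable_by_others(path):
    """True if the file mode grants a read bit to group or world."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def audit(path):
    """Audit one accounts.xml on disk and return a summary dict."""
    with open(path, "rb") as f:
        data = f.read()
    return {
        "stored": stored_passwords(data),
        "jabber_candidates": jabber_accounts_with_passwords(data),
        "readable_by_others": readable_by_others(path),
    }


def audit_sample(mode=0o600):
    """Write the constructed sample to a temp file with the given mode,
    audit it, and clean up. Lets the permission check be exercised too."""
    fd, path = tempfile.mkstemp(suffix="accounts.xml")
    try:
        with os.fdopen(fd, "wb") as f:
            f.write(SAMPLE_ACCOUNTS_XML.encode("utf-8"))
        os.chmod(path, mode)
        return audit(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.gaim/accounts.xml")
    report = audit(target) if os.path.exists(target) else audit_sample()
    for proto, name in report["stored"]:
        print(f"password stored on disk: {name} ({proto})")
    for proto, name in report["jabber_candidates"]:
        print(f"could use GSSAPI instead of a stored password: {name}")
    if report["readable_by_others"]:
        print("accounts.xml is readable by group or world; chmod 600 it")
```

Run it with no arguments to audit your own ~/.gaim/accounts.xml (falling back to the constructed sample if that file does not exist), or pass a path. Accounts it lists under "could use GSSAPI" are the ones to migrate first; once the server accepts GSSAPI, delete their `<password>` elements and let the Kerberos ticket do the work.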
As of April, 2006 the GSSAPI+Kerberos Jabber landscape is as follows:
There are two open source Jabber server implementations that support GSSAPI+Kerberos authentication.
* Jabberd v2.0 with Simon Wilkinson's Kerberos/GSSAPI/SASL patch. This is a mature well tested solution. This is what we are using at Guru Labs. The patch has been accepted into the CVS tree and will be in the future v2.1 release.
* The highly regarded and actively developed Java based Wildfire Server is just barely (days ago) starting to work with GSSAPI. Once the rough edges are polished off and a stable release is made with GSSAPI support we are going to strongly consider moving to this server.
On the client front there are patches for Psi and Coccinella and Gaim. I haven't used Psi or Coccinella so I don't know if the patches are current or have been accepted into the official trees.
For gaim v1.5.x there are two patches. Simon Wilkinson developed a SASL-GSSAPI patch that was later modified by Greg Hudson of MIT to support graceful fallback by prompting for a password if a Kerberos ticket is not obtainable. This is something I wish more client software would do.
The soon to be released gaim v2.0 has Simon's patch integrated, so it will support GSSAPI/Kerberos authentication out-of-the-box. There are plans to add graceful fallback and other features.
Our experiences getting Jabber Kerberized will be rolled into our GL550 "Enterprise Linux Security Administration" training course. The course includes extensive Kerberos coverage both of MIT's implementation and KTH's Heimdal implementation (used on SUSE Linux Enterprise Server 9) as well as best practices for Kerberizing common services (see the list above). It is the only Kerberos training class that I'm aware of.