[Spread-users] Kerberos and spread...

[Sean Chittenden]

> > Howdy 'all.  Quick question to see if anyone's heard of any work being
> > done with kerberos and spread.
> > 
> > 1)  Kerberos authenticated/encrypted data would be pretty slick, IMHO 
> > and I wonder if anyone's ever looked at this possibility.
> 
> I only know about Kerberos at a high level, so please inform me if what I
> say doesn't make sense.

You definitely understand the highlights!

> If I get your point, the above is the idea of using Kerberos to
> authenticate users of Spread and encrypt data sent over Spread? And your
> point 2 below is about using Spread to replicate data between Kerberos
> servers?

Kerberos data between two KDCs, yes.

> So if I understood, then we have been working on a general approach to
> point 1 (not with kerberos particularly, but a general framework for any
> authentication and access control system). Take a look at the recent
> published paper and tech report at:
> 
> http://www.cnds.jhu.edu/publications/index.html#access_control

MMmm.... yum, good stuff.  I'll have to grok this with some food in my
stomach ::grumble grumble::

> The Tech report has more information and longer code examples. We didn't
> mention Kerberos as a case study, but we did several other known protocols
> (like PAM and SecureID).

Unless I'm mistaken, neither PAM or SecurID are network authentication
protocols or provide any degree of encryption...

> We have an ongoing research project on building secure group
> communications. The Secure Spread page has some more info.
> 
> http://www.cnds.jhu.edu/research/group/secure_spread/

I've heard this project mentioned a few times and have been meaning to
check it out for quite some time.  Encrypting data increases the size of
small messages by typically quite a bit.  What encryption algo's are you
using, or have some folks at CNDS found a way around this?

For what it's worth, for kerberos to work, you'd have to distribute the
a keytab to every member of the communication group, then have the
spread daemon decrypt/authenticate each message against the keytab.  
Other than that, I don't know that you'd have to do much, which could be
a nice and easy way of getting both encryption and authentication
working with some very industry standard software (Active Directory from
Microsoft is glorif^H^H^H^H^H^HMicrosoft-ified kerberos).

> > 2)  Why use kprop and kpropd when you could have an event driven update
> > mechanism based on spread.  Adding the hooks to kadmind to update and
> > replicate small bits of data to various hosts seems pretty reasonable,
> > esp if #1 is an accomplished task.  Updating keytabs, for instance, would
> > be invaluable in supplanting many of the arguments for Active Directory.
> 
> This we havn't talked about at all, it sounds like it very well might be
> quite interesting.

This is more along the lines of the actual kerberos end of things, but
when kadmind (daemon that receives password/principal change requests)  
gets an update, having a hook that sends out a kerberized message to all
of the other KDCs wouldn't be too bad (typically less than 1K per change
in text form).

This would reduce the replication time of kerberos data to KDCs from a
regular interval (cron entry) to within seconds and would be a big win
for the enterprise/university folks.  Personal dislike/trust of cron is
the root of this though: there's no reason to not have these changes
propagated in a small amount of time if the means (spread) is available.

> > Anyway, I was wondering if anyone, esp on the research end of spread, 
> > has heard of such activities or know of any initiatives along those 
> > lines.  Thanks.  -sc
> 
> We are definitely interested in these issues of security and distributed
> systems. I'll ask and see if anyone else knows more about Kerberos
> projects.

http://web.mit.edu/kerberos/www - Documentation for 1.2.2

It's pretty easy to follow once you get over the terminology hump.  Is
there more information available regarding secure spread? -sc

-- 
Sean Chittenden