Kerberos authentication and laptops.

Daniel Pittman daniel at rimspace.net
Thu Dec 27 08:27:01 EST 2007 

G'day.

I am looking into secure network authentication techniques, of which
Kerberos is a fine example -- and a pleasantly well documented.

There are two areas that I have been unable to find much information on,
and which I would like to have some pointers toward the "best current
practice" if possible, please.


The first is integrating laptops into a Kerberos environment.

As far as I can tell from my reading and experimental setups there are
three ways that I can integrate a laptop, while still allowing offline
access to files, accounts, etc, for the user:

1. Local authentication only, manual Kerberos login

The laptop can have local accounts, and then have the user manually
kinit(1) their tickets when they are networked and able to see the KDC.

This means the users can access Kerberos protected resources, but that 
I have to maintain the account database on the laptop somehow.[1]


2. Kerberos authentication only, local "credentials cache"

The laptop could use Kerberos authentication, coupled with (an extremely
recent version of) the PAM 'ccache' module.  

This gives Windows-alike behaviour: once you have authenticated via
Kerberos on the laptop you can authenticate again with the same username
and password, much like Windows/AD authentication.

It isn't clear just how this will integrate with laptops that are
suspended, brought onto a network that can see the KDC, then brought up
again; I suspect that a manual kinit(1) in required to gain a ticket.


3. Make the laptop a slave KDC, use Kerberos authentication against
   localhost

The laptop could be made a slave KDC, and then authenticate against
itself.  (I think.)  That gives a valid Kerberos ticket no matter where
the user is, and regardless of their connection to the KDC network or
not.

The biggest drawback is that this puts a lot of faith in the laptop
user, since root access to a slave KDC is fairly easily abused I
suspect.



The second issue is Kerberos over the Internet; is it considered
reasonable or safe to expose the KDC over the Internet so that, for
example, the laptop could gain a ticket when connected via a random
wireless Internet hotspot?


I appreciate your guidance, and your time.

Regards,
        Daniel

Footnotes: 
[1]  LDAP probably makes this /less/ of a pain to deal with than it
     might otherwise be, since I can use replication to keep a local
     database up to date, but still...

-- 
Daniel Pittman <daniel at cybersource.com.au>           Phone: 03 9428 6922
1/130-132 Stawell St, Richmond              Web: http://www.cyber.com.au
Cybersource: Australia's Leading Linux and Open Source Solutions Company

More information about the Kerberos mailing list