... Or, How to Keep the Bad Guys from Acting on Your Behalf ...

Kerberos and Authentication at Kempt.net

In order to use the services provided by the Kempt.net network, you will need to use a secure form of authentication. This page will help you do that.

What is Authentication?

Authentication is very important for network services. In order to make sure that only you are allowed to modify your own web pages, or that only you are allowed to read your mail, the server providing those services must be able to determine whether you are really you. The process of proving your identity is called authentication.

There are many forms of authentication. Presenting a picture ID when writing someone a check and typing your PIN into an ATM are both forms of authentication. The most common form of authentication on the Internet is sending a password in clear text across the network to the server. But this method has serious problems.

A clear-text password may work the first time, but after that, anyone else in the world who may have seen the password as it travelled through the network can successfully authenticate themselves as you. Not only is this possible, but it happens frequently. I have witnessed first-hand the effects of several different attacks which successfully compromised passwords that were transmitted in clear text—including my own. As a result, plain text passwords (and plaintext equivalents) are not used for authentication at Kempt.net.

A clear-text password may work the first time, but after that...

Alternatives include challenge-response systems (APOP, used for email access at Kempt.net, is an example) and one-time password systems (such as S/Key, now known as OTP). In challenge-response systems, the party wishing to verify your identity gives you a challenge, and you give a response that proves your knowledge of some shared secret—without revealing that secret to any observers. One-time password systems use a different password each time authentication is performed, so that it is not possible for an observer to determine what the next password will be.

Both of those systems are in use at Kempt.net. However, for most uses, you will want to use Kerberos. Kerberos is a more complex network authentication infrastructure that makes use of a number of cryptographic techniques to provide secure authentication. The basic unit of authentication is called a ticket. You obtain a ticket by proving your identity to a trusted third party, the Kerberos server. Software on your computer stores this ticket for you, and you can then use the ticket to authenticate to various services on the network.

The rest of this document will help get you started using Kerberos with the Kempt.net network.

There is a related concept called authorization. Once you have authenticated, there is still the question of what you are allowed to do. For instance, now that I know you are you, should I let you read Bob's email? Systems like OTP and Kerberos are authentication systems, and are not involved in authorization decisions. For the purposes of this document, we will assume that the authorization settings in place on the Kempt.net network are appropriate. In many cases, you can change the authorization decisions relating to your files by using the Unix permissions system.

What Software do I Need?

First, you will need a copy of the Kerberos V5 client software. I use the MIT implementation, available from the MIT Kerberos page. To download the software, follow the Getting Kerberos link. You will need to assure MIT that you can legally download the software, because Kerberos uses strong cryptography.

Users of Mac OS X 10.2 or later will need to install only the Mac OS X Kerberos Extras; the basic Kerberos software is included in the OS. For older Macintosh operating systems, you will need MIT Kerberos for Macintosh 4.0 or later. For Unix, I recommend downloading and compiling the Kerberos V5 1.2.5 source distribution, although there may be a binary package for your operating system. For Windows, get the appropriate package. Windows XP users may not need to do anything; I understand that Kerberos V5 support is included, but I don't know if it's useful.

Next, you will need to install some client software applications that have Kerberos V5 support.

Macintosh users will want to use Fetch 4.0 or later for file transfer via FTP and BetterTelnet along with the Kerberos V5 Telnet Plugin (1) for remote shell login via telnet. (2) Users using Mac OS X 10.2 and later may just want to use the built-in 'telnet' command in the Terminal application for shell access; it supports Kerberos "out of the box."

(Note to Fetch users under Mac OS X 10.2: If Fetch fails to launch, and a dialog box saying "The application Fetch" could not be launched because of a shared library error," then you need to install the Mac OS X 10.2 Kerberos Extras. See above.)

Unix users will find that the MIT Kerberos distribution includes telnet (2) and ftp clients with Kerberos support. Users of other operating systems are on their own. Fortunately, as with every protocol in use at Kempt.net, Kerberos V5 is a standard, so you should be able to find something suitable.

"For your convenience, we check all bags leaving the store."

How do I Configure the Software?

First, you will need to provide the Kerberos client software on your computer with a Kerberos configuration file. Mac OS X users should download the standard Kempt.net/Avernus edu.mit.Kerberos file, and install it in the directory /Library/Preferences. (There are many ways to do this; you could use the "Save As..." command in your web browser, or you could copy the text from your browser window and paste it into your favorite text editor and "Save As..." from there.) Mac OS 8 or 9 users of should download the standard Kempt.net/Avernus Kerberos Preferences file and drag it into your Preferences folder. Unix users should download the standard Kempt.net/Avernus krb5.conf file and copy it to your /etc directory. The contents of these files are identical; merely the name is different. Users of other operating systems are on their own. I suggest downloading the krb5.conf file, above, and starting from there.

A note for Mac OS 8 and 9 users: If the "Kerberos Preferences" file you download ends in ".bin", you will need to use Stuffit Expander to extract the Preferences file. Also, you will need to reboot after dragging this file into your Preferences folder. You can avoid the extra reboot by dragging this file into your Preferences folder before running the Kerberos installer.

Once the software is installed and configured, the next thing to do is change your Kerberos password. (You will have to arrange to set an initial password by talking with me directly. Perhaps I have already set an initial password for you; you should change it now.) To change your password, you must first get a Kerberos ticket. Macintosh users can do this by using the "Get Tickets" command in the Kerberos control panel. Unix users can use the kinit command. Once you have a ticket, you can change your password. Macintosh users can do this by using the "Change Password..." command in the Kerberos control panel. Unix users can do this using the passwd or kpasswd command.

For the convenience of Macintosh users, I have created a Fetch Shortcuts file that you can simply drop into your Preferences folder. (Again, if the file ends in ".bin", you will need to extract it.) This shortcuts file contains a shortcut called "Kempt.net Web Pages" that will take you to the right place to transfer files for your web pages. Before using, it, though, you will need to select that shortcut entry and use the "Edit Bookmark..." command in the "Customize" menu to change the "User ID" field to contain your actual Kempt.net user ID. I also recommend you use the "Preferences..." command in the "Customize" menu to set the "Kempt.net Web Pages" shortcut to be your "Default shortcut."

Similarly, I have created a BetterTelnet Prefs2 file that you can drop into your Preferences folder. (Again, you might need to extract this file.) This preferences file contains a "Favorites" entry that will open a Kerberos-encrypted telnet session on a Kempt.net Internet Access machine.

How do I Use the Software?

Now, all you need to do is start making connections! Macintosh users will notice that the first time you attempt to make a network connection, you will be presented a dialog in which you can type your Kerberos password. Unix users will need to use the kinit command to obtain tickets. Once you do that, your Kerberos ticket will be good for some time, generally 10 hours (although you can change the default ticket lifetime). Until your ticket expires, no additional authentication is needed in order to use Kempt.net network services. Once your ticket expires, you will simply need to authenticate again. A password dialog will automatically be displayed on Macintosh computers.

If you leave your computer, you should destroy your tickets, so that no one else can use them to authenticate as you. If you shut down your computer when you are not using it, this is not necessary. To destroy your tickets on a Macintosh, you can use the "Destroy Tickets" command in the Kerberos menu (the three-headed dog icon) near the right side of the menu bar. There is also a control in the Control Strip to allow you to get or destroy tickets. Or you can use the Kerberos Control Panel. Unix users should use the kdestroy command.

Why Is This All So Complicated?

It's complicated because secure authentication over an unsecure communication channel is a difficult problem, and because not enough people are aware of the need for secure authentication to make the software to enable it ubiquitous. This will get much better as time goes by.

The complicated part is only in getting set up. Once you have installed the software, I hope you will find that connecting securely is quite painless. In fact, I think you will find that it's actually even easier than using clear text passwords, since you only need to type your password into a friendly dialog box once during any given session.

Remember—this is done to protect you. Really. I don't mean that in the way that signs reading "For your convenience, we check all bags leaving the store" mean it. This really does protect you. For instance, you don't want just anyone reading your mail. You want some assurance that only you can download your mail from the mail server. (Now, the fact that anyone can read the messages as they pass in clear text across the internet on the way to your mailbox is a different problem.) Similarly, you don't want just anyone to be able to edit your web pages; they are part of your public identity, and unauthorized changes could be catastrophic.

At the same time, you want some assurance that the services that the Kempt.net network provides are going to be stable. It is important to you that none of the other users of the Kempt.net network are compromised and used as launching points for denial-of-service attacks. So it should be some comfort that other Kempt.net users are also using secure authentication mechanisms.

Hopefully, the substantial security gains are worth the inconvenience of setting up the secure software on your client machine. Otherwise, Kempt.net might not be the service provider for you! :)

Remember—this is done to protect you.


(1): If you already have BetterTelnet, you can simply download the Telnet Plugin. Once you have expanded the Telnet Plugin, just drop it into the same folder as the BetterTelnet application. Note, however, that the version of BetterTelnet I link to above contains a few tweaks specifically for Kerberos V5 support, and so it might work a little better. In particular, it allows ticket forwarding. If you don't know what that is, you don't care.

(2): Some people seem to believe that telnet is inherently an unsecure protocol. In fact, it is the use of clear-text passwords that is not secure. Using appropriate options, such as Kerberos authentication, telnet can be quite secure.