- Configuring the KDC Using Kerberos Commands
- Configuring the Router to Use the Kerberos Protocol
- Defining a Kerberos Realm
- Copying SRVTAB Files
- Specifying Kerberos Authentication
- Enabling Credentials Forwarding
- Opening a Telnet Session to the Router
- Establishing an Encrypted Kerberized Telnet Session
- Enabling Mandatory Kerberos Authentication
- Enabling Kerberos Instance Mapping
- Monitoring and Maintaining Kerberos
Configuring Kerberos
This chapter describes the Kerberos security system.
Finding Feature Information
For the latest feature information and caveats, see the release notes for your platform and software release. To find information about the features documented in this module, and to see a list of the releases in which each feature is supported, see the "Feature Information for Configuring Kerberos" section.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS XE software image support. To access Cisco Feature Navigator, go to http://tools.cisco.com/ITDIT/CFN/jsp/index.jsp. An account on Cisco.com is not required.
Contents
This chapter includes the following topics and tasks:
•
Kerberos Configuration Examples
•Feature Information for Configuring Kerberos
Information About Kerberos
Kerberos is a secret-key network authentication protocol, developed at the Massachusetts Institute of Technology (MIT), that uses the Data Encryption Standard (DES) cryptographic algorithm for encryption and authentication. Kerberos was designed to authenticate requests for network resources. Kerberos, like other secret-key systems, is based on the concept of a trusted third party that performs secure verification of users and services. In the Kerberos protocol, this trusted third party is called the key distribution center (KDC).
The primary use of Kerberos is to verify that users and the network services they use are really who and what they claim to be. To accomplish this, a trusted Kerberos server issues tickets to users. These tickets, which have a limited lifespan, are stored in a user's credential cache and can be used in place of the standard username-and-password authentication mechanism.
The Kerberos credential scheme embodies a concept called "single logon." This process requires authenticating a user once, and then allows secure authentication (without encrypting another password) wherever that user's credential is accepted.
Cisco IOS XE software includes Kerberos 5 support, which allows organizations already deploying Kerberos 5 to use the same Kerberos authentication database on their routers that they are already using on their other network hosts (such as UNIX servers and PCs).
The following network services are supported by the Kerberos authentication capabilities in Cisco IOS XE software:
•Telnet
•rlogin
•rsh
•rcp
Note Cisco Systems' implementation of Kerberos client support is based on code developed by CyberSafe, which was derived from the MIT code. As a result, the Cisco Kerberos implementation has successfully undergone full compatibility testing with the CyberSafe Challenger commercial Kerberos server and MIT's server code, which is freely distributed.
Table 1 lists common Kerberos-related terms and their definitions.
Kerberos Client Support Operation
This section describes how the Kerberos security system works with a Cisco router functioning as the security server. Although (for convenience or technical reasons) you can customize Kerberos in a number of ways, remote users attempting to access network services must pass through three layers of security before they can access network services.
This section includes the following sections:
•Authenticating to the Boundary Router
•Authenticating to Network Services
Authenticating to the Boundary Router
This section describes the first layer of security that remote users must pass through when they attempt to access a network. The first step in the Kerberos authentication process is for users to authenticate themselves to the boundary router. The following process describes how users authenticate to a boundary router:
1. The remote user opens a PPP connection to the corporate site router.
2. The router prompts the user for a username and password.
3. The router requests a TGT from the KDC for this particular user.
4. The KDC sends an encrypted TGT to the router that includes (among other things) the user's identity.
5. The router attempts to decrypt the TGT using the password the user entered. If the decryption is successful, the remote user is authenticated to the router.
A remote user who successfully initiates a PPP session and authenticates to the boundary router is inside the firewall but still must authenticate to the KDC directly before being allowed to access network services. This is because the TGT issued by the KDC is stored on the router and is not useful for additional authentication unless the user physically logs on to the router.
Obtaining a TGT from a KDC
This section describes how remote users who are authenticated to the boundary router authenticate themselves to a KDC.
When a remote user authenticates to a boundary router, that user technically becomes part of the network; that is, the network is extended to include the remote user and the user's machine or network. To gain access to network services, however, the remote user must obtain a TGT from the KDC. The following process describes how remote users authenticate to the KDC:
1. The remote user, at a workstation on a remote site, launches the KINIT program (part of the client software provided with the Kerberos protocol).
2. The KINIT program finds the user's identity and requests a TGT from the KDC.
3. The KDC creates a TGT, which contains the identity of the user, the identity of the KDC, and the expiration time of the TGT.
4. Using the user's password as a key, the KDC encrypts the TGT and sends the TGT to the workstation.
5. When the KINIT program receives the encrypted TGT, it prompts the user for a password (this is the password that is defined for the user in the KDC).
6. If the KINIT program can decrypt the TGT with the password the user enters, the user is authenticated to the KDC, and the KINIT program stores the TGT in the user's credential cache.
At this point, the user has a TGT and can communicate securely with the KDC. In turn, the TGT allows the user to authenticate to other network services.
Authenticating to Network Services
The following process describes how a remote user with a TGT authenticates to network services within a given Kerberos realm. Assume the user is on a remote workstation (Host A) and wants to log in to Host B.
1. The user on Host A initiates a Kerberized application (such as Telnet) to Host B.
2. The Kerberized application builds a service credential request and sends it to the KDC. The service credential request includes (among other things) the user's identity and the identity of the desired network service. The TGT is used to encrypt the service credential request.
3. The KDC tries to decrypt the service credential request with the TGT it issued to the user on Host A. If the KDC can decrypt the packet, it is assured that the authenticated user on Host A sent the request.
4. The KDC notes the network service identity in the service credential request.
5. The KDC builds a service credential for the appropriate network service on Host B on behalf of the user on Host A. The service credential contains the client's identity and the desired network service's identity.
6. The KDC then encrypts the service credential twice. It first encrypts the credential with the SRVTAB that it shares with the network service identified in the credential. It then encrypts the resulting packet with the TGT of the user (who, in this case, is on Host A).
7. The KDC sends the twice-encrypted credential to Host A.
8. Host A attempts to decrypt the service credential with the user's TGT. If Host A can decrypt the service credential, it is assured the credential came from the real KDC.
9. Host A sends the service credential to the desired network service. Note that the credential is still encrypted with the SRVTAB shared by the KDC and the network service.
10. The network service attempts to decrypt the service credential using its SRVTAB.
11. If the network service can decrypt the credential, it is assured the credential was in fact issued from the KDC. Note that the network service trusts anything it can decrypt from the KDC, even if it receives it indirectly from a user. This is because the user first authenticated with the KDC.
At this point, the user is authenticated to the network service on Host B. This process is repeated each time a user wants to access a network service in the Kerberos realm.
How to Configure Kerberos
For hosts and the KDC in your Kerberos realm to communicate and mutually authenticate, you must identify them to each other. To do this, you add entries for the hosts to the Kerberos database on the KDC and add SRVTAB files generated by the KDC to all hosts in the Kerberos realm. You also make entries for users in the KDC database.
This section describes how to set up a Kerberos-authenticated server-client system and contains the following topics:
•Configuring the KDC Using Kerberos Commands
•Configuring the Router to Use the Kerberos Protocol
This section assumes that you have installed the Kerberos administrative programs on a UNIX host, known as the KDC, initialized the database, and selected a Kerberos realm name and password. For instructions about completing these tasks, refer to documentation that came with your Kerberos software.
Note Write down the host name or IP address of the KDC, the port number you want the KDC to monitor for queries, and the name of the Kerberos realm it will serve. You need this information to configure the router.
Configuring the KDC Using Kerberos Commands
After you set up a host to function as the KDC in your Kerberos realm, you must make entries to the KDC database for all principals in the realm. Principals can be network services on Cisco routers and hosts or they can be users.
To use Kerberos commands to add services to the KDC database (and to modify existing database information), complete the tasks in the following sections:
•Adding Users to the KDC Database
Note All Kerberos command examples are based on Kerberos 5 Beta 5 of the original MIT implementation. Later versions use a slightly different interface.
Adding Users to the KDC Database
To add users to the KDC and create privileged instances of those users, use the su command to become root on the host running the KDC and use the kdb5_edit program to use the following commands in privileged EXEC mode:
For example, to add user loki of Kerberos realm CISCO.COM, enter the following Kerberos command:
ank loki@CISCO.COM
Note The Kerberos realm name must be in uppercase characters.
You might want to create privileged instances to allow network administrators to connect to the router at the enable level, for example, so that they need not enter a clear text password (and compromise security) to enter enable mode.
To add an instance of loki with additional privileges (in this case, enable, although it could be anything) enter the following Kerberos command:
ank loki/enable@CISCO.COM
In each of these examples, you are prompted to enter a password, which you must give to user loki to use at login.
The "Enabling Kerberos Instance Mapping" section describes how to map Kerberos instances to various Cisco IOS XE privilege levels.
Creating SRVTABs on the KDC
All routers that you want to authenticate to use the Kerberos protocol must have an SRVTAB. This section and the "Extracting SRVTABs" section describe how to create and extract SRVTABs for a router called router1. The "Copying SRVTAB Files" section describes how to copy SRVTAB files to the router.
To make SRVTAB entries on the KDC, use the following command in privileged EXEC mode:
|
|
|
|---|---|
Router# ark SERVICE/HOSTNAME@REALM |
Use the ark (add random key) command to add a network service supported by a host or router to the KDC. |
For example, to add a Kerberized authentication service for a Cisco router called router1 to the Kerberos realm CISCO.COM, enter the following Kerberos command:
ark host/router1.cisco.com@CISCO.COM
Make entries for all network services on all Kerberized hosts that use this KDC for authentication.
Extracting SRVTABs
SRVTABs contain (among other things) the passwords or randomly generated keys for the service principals you entered into the KDC database. Service principal keys must be shared with the host running that service. To do this, you must save the SRVTAB entries to a file, then copy the file to the router and all hosts in the Kerberos realm. Saving SRVTAB entries to a file is called extracting SRVTABs. To extract SRVTABs, use the following command in privileged EXEC mode:
|
|
|
|---|---|
Router# xst router-name host |
Use the kdb5_edit command xst to write an SRVTAB entry to a file. |
For example, to write the host/router1.cisco.com@CISCO.COM SRVTAB to a file, enter the following Kerberos command:
xst router1.cisco.com@CISCO.COM host
Use the quit command to exit the kdb5_edit program.
Configuring the Router to Use the Kerberos Protocol
To configure a Cisco router to function as a network security server and authenticate users using the Kerberos protocol, complete the tasks in the following sections:
•Specifying Kerberos Authentication
•Enabling Credentials Forwarding
•Opening a Telnet Session to the Router
•Establishing an Encrypted Kerberized Telnet Session
•Enabling Mandatory Kerberos Authentication
•Enabling Kerberos Instance Mapping
•Monitoring and Maintaining Kerberos
Defining a Kerberos Realm
For a router to authenticate a user defined in the Kerberos database, it must know the host name or IP address of the host running the KDC, the name of the Kerberos realm and, optionally, be able to map the host name or Domain Name System (DNS) domain to the Kerberos realm.
To configure the router to authenticate to a specified KDC in a specified Kerberos realm, use the following commands in global configuration mode. Note that DNS domain names must begin with a leading dot (.):
Note Because the machine running the KDC and all Kerberized hosts must interact within a 5-minute window or authentication fails, all Kerberized machines, and especially the KDC, should be running the Network Time Protocol (NTP).
The kerberos local-realm, kerberos realm, and kerberos server commands are equivalent to the UNIX krb.conf file. Table 2 identifies mappings from the Cisco IOS XE configuration commands to a Kerberos 5 configuration file (krb5.conf).
For an example of defining a Kerberos realm, see the "Defining a Kerberos Realm" section.
Copying SRVTAB Files
To make it possible for remote users to authenticate to the router using Kerberos credentials, the router must share a secret key with the KDC. To do this, you must give the router a copy of the SRVTAB you extracted on the KDC.
The most secure method to copy SRVTAB files to the hosts in your Kerberos realm is to copy them onto physical media and go to each host in turn and manually copy the files onto the system. To copy SRVTAB files to the router, which does not have a physical media drive, you must transfer them via the network using TFTP.
To remotely copy SRVTAB files to the router from the KDC, use the following command in global configuration mode:
|
|
|
|---|---|
Router(config)# kerberos srvtab remote {hostname | ip-address} {filename} |
Retrieves an SRVTAB file from the KDC. |
When you copy the SRVTAB file from the router to the KDC, the kerberos srvtab remote command parses the information in this file and stores it in the router's running configuration in the kerberos srvtab entry format. To ensure that the SRVTAB is available (does not need to be acquired from the KDC) when you reboot the router, use the write memory configuration command to write your running configuration (which contains the parsed SRVTAB file) to NVRAM.
For an example of copying SRVTAB files, see the "SRVTAB File Copying Example" section.
Specifying Kerberos Authentication
You have now configured Kerberos on your router. This makes it possible for the router to authenticate using Kerberos. The next step is to tell it to do so. Because Kerberos authentication is facilitated through AAA, you need to enter the aaa authentication command, specifying Kerberos as the authentication method. For more information, refer to the chapter "Configuring Authentication".
Enabling Credentials Forwarding
With Kerberos configured thus far, a user authenticated to a Kerberized router has a TGT and can use it to authenticate to a host on the network. However, if the user tries to list credentials after authenticating to a host, the output will show no Kerberos credentials present.
You can optionally configure the router to forward users' TGTs with them as they authenticate from the router to Kerberized remote hosts on the network when using Kerberized Telnet, rcp, rsh, and rlogin (with the appropriate flags).
To force all clients to forward users' credentials as they connect to other hosts in the Kerberos realm, use the following command in global configuration mode:
|
|
|
|---|---|
Router(config)# kerberos credentials forward |
Forces all clients to forward user credentials upon successful Kerberos authentication. |
With credentials forwarding enabled, users' TGTs are automatically forwarded to the next host they authenticate to. In this way, users can connect to multiple hosts in the Kerberos realm without running the KINIT program each time to get a new TGT.
Opening a Telnet Session to the Router
To use Kerberos to authenticate users opening a Telnet session to the router from within the network, use the following command in global configuration mode:
Although Telnet sessions to the router are authenticated, users must still enter a clear text password if they want to enter enable mode. The kerberos instance map command, discussed in a later section, allows them to authenticate to the router at a predefined privilege level.
Establishing an Encrypted Kerberized Telnet Session
Another way for users to open a secure Telnet session is to use Encrypted Kerberized Telnet. With Encrypted Kerberized Telnet, users are authenticated by their Kerberos credentials before a Telnet session is established. The Telnet session is encrypted using 56-bit Data Encryption Standard (DES) encryption with 64-bit Cipher Feedback (CFB). Because data sent or received is encrypted, not clear text, the integrity of the dialed router or access server can be more easily controlled.
Note This feature is available only if you have the 56-bit encryption image. 56-bit DES encryption is subject to U.S. Government export control regulations.
To establish an encrypted Kerberized Telnet session from a router to a remote host, use either of the following commands in EXEC command mode:
|
|
|
|---|---|
Router(config)# connect host [port] /encrypt kerberos or Router(config)# telnet host [port] /encrypt kerberos |
Establishes an encrypted Telnet session. |
When a user opens a Telnet session from a Cisco router to a remote host, the router and remote host negotiate to authenticate the user using Kerberos credentials. If this authentication is successful, the router and remote host then negotiate whether or not to use encryption. If this negotiation is successful, both inbound and outbound traffic is encrypted using 56-bit DES encryption with 64-bit CFB.
When a user dials in from a remote host to a Cisco router configured for Kerberos authentication, the host and router will attempt to negotiate whether or not to use encryption for the Telnet session. If this negotiation is successful, the router will encrypt all outbound data during the Telnet session.
If encryption is not successfully negotiated, the session will be terminated and the user will receive a message stating that the encrypted Telnet session was not successfully established.
For information about enabling bidirectional encryption from a remote host, refer to the documentation specific to the remote host device.
For an example of using encrypted Kerberized Telnet to open a secure Telnet session, see the Encrypted Telnet Session Example.
Enabling Mandatory Kerberos Authentication
As an added layer of security, you can optionally configure the router so that, after remote users authenticate to it, these users can authenticate to other services on the network only with Kerberized Telnet, rlogin, rsh, and rcp. If you do not make Kerberos authentication mandatory and Kerberos authentication fails, the application attempts to authenticate users using the default method of authentication for that network service; for example, Telnet and rlogin prompt for a password, and rsh attempts to authenticate using the local rhost file.
To make Kerberos authentication mandatory, use the following command in global configuration mode:
|
|
|
|---|---|
Router(config)# kerberos clients mandatory |
Sets Telnet, rlogin, rsh, and rcp to fail if they cannot negotiate the Kerberos protocol with the remote server. |
Enabling Kerberos Instance Mapping
As mentioned in the "Creating SRVTABs on the KDC" section, you can create administrative instances of users in the KDC database. The kerberos instance map command allows you to map those instances to Cisco IOS XE privilege levels so that users can open secure Telnet sessions to the router at a predefined privilege level, obviating the need to enter a clear text password to enter enable mode.
To map a Kerberos instance to a Cisco IOS XE privilege level, use the following command in global configuration mode:
|
|
|
|---|---|
Router(config)# kerberos instance map instance privilege-level |
Maps a Kerberos instance to a Cisco IOS XE privilege level. |
If there is a Kerberos instance for user loki in the KDC database (for example, loki/admin), user loki can now open a Telnet session to the router as loki/admin and authenticate automatically at privilege level 15, assuming instance "admin" is mapped to privilege level 15. (See the "Opening a Telnet Session to the Router" section.)
Cisco IOS XE commands can be set to various privilege levels using the privilege level command.
After you map a Kerberos instance to a Cisco IOS XE privilege level, you must configure the router to check for Kerberos instances each time a user logs in. To run authorization to determine if a user is allowed to run an EXEC shell based on a mapped Kerberos instance, use the aaa authorization command with the krb5-instance keyword. For more information, refer to the chapter "Configuring Authorization."
Monitoring and Maintaining Kerberos
To display or remove a current user's credentials, use the following commands in EXEC mode:
Kerberos Configuration Examples
The following sections provide Kerberos configuration examples:
•Kerberos Realm Definition Examples
•Encrypted Telnet Session Example
Kerberos Realm Definition Examples
To define CISCO.COM as the default Kerberos realm, use the following command:
kerberos local-realm CISCO.COM
To tell the router that the CISCO.COM KDC is running on host 10.2.3.4 at port number 170, use the following Kerberos command:
kerberos server CISCO.COM 10.2.3.4 170
To map the DNS domain cisco.com to the Kerberos realm CISCO.COM, use the following command:
kerberos realm.cisco.com CISCO.COM
SRVTAB File Copying Example
To copy over the SRVTAB file on a host named host123.cisco.com for a router named router1.cisco.com, the command would look like this:
kerberos srvtab remote host123.cisco.com router1.cisco.com-new-srvtab
Valid Starting Expires Service Principal
13-May-1996 14:59:44 13-May-1996 23:00:45 krbtgt/CISCO.COM@CISCO.COM
chet-2500# show privilege
Current privilege level is 15
chet-2500# q
Connection closed by foreign host.
chet-ss20% telnet chet-2500
Trying 172.16.0.0 ...
Connected to chet-2500.cisco.com.
Escape character is '^]'.
User Access Verification
Username: chet/restricted
Password:
chet-2500# show kerberos creds
Default Principal: chet/restricted@CISCO.COM
Valid Starting Expires Service Principal
13-May-1996 15:00:32 13-May-1996 23:01:33 krbtgt/CISCO.COM@CISCO.COM
chet-2500# show privilege
Current privilege level is 3
chet-2500# q
Connection closed by foreign host.
chet-ss20%
Encrypted Telnet Session Example
The following example shows how to establish an encrypted Telnet session from a router to a remote host named "host1":
Router> telnet host1 /encrypt kerberos
Additional References
The following sections provide references related to the Configuring Kerberos feature.
Related Documents
|
|
|
|---|---|
Security commands |
Standards
|
|
|
|---|---|
Encryption |
Data Encryption Standard (DES) |
MIBs
RFCs
|
|
|
|---|---|
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. |
— |
Technical Assistance
Feature Information for Configuring Kerberos
Table 3 lists the features in this module and provides links to specific configuration information
Use Cisco Feature Navigator to find information about platform support and software image support. Cisco Feature Navigator enables you to determine which Cisco IOS XE software images support a specific software release, feature set, or platform. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An account on Cisco.com is not required.
Note Table 3 lists only the Cisco IOS XE software release that introduced support for a given feature in a given Cisco IOS XE software release train. Unless noted otherwise, subsequent releases of that Cisco IOS XE software release train also support that feature.
|
|
|
|
|---|---|---|
Encrypted Kerberized Telnet |
Cisco IOS XE Release 2.1 |
With Encrypted Kerberized Telnet, users are authenticated by their Kerberos credentials before a Telnet session is established. The Telnet session is encrypted using 56-bit Data Encryption Standard (DES) encryption with 64-bit Cipher Feedback (CFB). Because data sent or received is encrypted, not clear text, the integrity of the dialed router or access server can be more easily controlled. In Cisco IOS XE Release 2.1, this feature was introduced on the Cisco ASR 1000 Series Aggregation Services Routers. The following sections provide information about this feature: • • The following commands were introduced or modified: connect, and telnet. |
Kerberos V Client Support |
Cisco IOS XE Release 2.1 |
Kerberos 5 support allows organizations already deploying Kerberos 5 to use the same Kerberos authentication database on their routers that they are already using on their other network hosts (such as UNIX servers and PCs). In Cisco IOS XE Release 2.1, this feature was introduced on the Cisco ASR 1000 Series Aggregation Services Routers. The following sections provide information about this feature: • • |
CCDE, CCENT, CCSI, Cisco Eos, Cisco HealthPresence, Cisco Ironport, the Cisco logo, Cisco Lumin, Cisco Nexus, Cisco Nurse Connect, Cisco Stackpower, Cisco StadiumVision, Cisco TelePresence, Cisco Unified Computing System, Cisco WebEx, DCE, Flip Channels, Flip for Good, Flip Mino, Flip Video, Flip Video (Design), Flipshare (Design), Flip Ultra, and Welcome to the Human Network are trademarks; Changing the Way We Work, Live, Play, and Learn, Cisco Store, and Flip Gift Card are service marks; and Access Registrar, Aironet, AsyncOS, Bringing the Meeting To You, Catalyst, CCDA, CCDP, CCIE, CCIP, CCNA, CCNP, CCSP, CCVP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems logo, Cisco Unity, Collaboration Without Limitation, EtherFast, EtherSwitch, Event Center, Fast Step, Follow Me Browsing, FormShare, GigaDrive, HomeLink, Internet Quotient, IOS, iPhone, iQuick Study, IronPort, the IronPort logo, LightStream, Linksys, MediaTone, MeetingPlace, MeetingPlace Chime Sound, MGX, Networkers, Networking Academy, Network Registrar, PCNow, PIX, PowerPanels, ProConnect, ScriptShare, SenderBase, SMARTnet, Spectrum Expert, StackWise, The Fastest Way to Increase Your Internet Quotient, TransPath, WebEx, and the WebEx logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the United States and certain other countries.
All other trademarks mentioned in this document or website are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company. (0907R)
Any Internet Protocol (IP) addresses and phone numbers used in this document are not intended to be actual addresses and phone numbers. Any examples, command display output, network topology diagrams, and other figures included in the document are shown for illustrative purposes only. Any use of actual IP addresses or phone numbers in illustrative content is unintentional and coincidental.
© 2006-2009 Cisco Systems, Inc. All rights reserved.
Feedback