Steve Lammert wrote:
> 
> I've been away from AFS admin issues for several years, and wonder if
> there has been any recent work on public-key interchange and AFS
> authentication.
> 

Yes, based on using Kerberos 5 and GSSAPI in the middle. 

> Our situation:  we use SSH to replace the normal telnet/ftp/rcp/rsh
> operations between our sites.  SSH can do normal password
> authentication, but it can also authenticate via PKI, which is
> particularly useful for a variety of reasons (e.g. batch or cron jobs).
>

We also have a GSSAPI which uses SSL and X509 certificates and a
companion program sslk5 which is similar to PK_INIT. SSLK5 can issue
a Kerberos V5 ticket based on SSL authentication. The K5 ticket can
then be turned into an AFS token using ak5log and krb524d. 

We also have mods to ssh-1.2.27 which use GSSAPI as an authentication
method. 

So I can start from a Smartcard with my X509 certificate and key, 
delegate to my PC, use SecureCRT (ssh client for Win32 from VanDyke) which
has the GSSAPI, to contact the sshd running on Unix, which uses sslk5 and ak5log
to get an AFS token. (DCE context too!) 


Things to look at:

  http://www.globus.org/security for the GSI (GSSAPI over SSL) and the 
  ssh-1.2.27 mods. 

  ftp://achilles.ctd.anl.gov/pub/kerberos.v5 for the SSLK5, mods to K5
  and ak5log. 

> I think that some versions of sshd have a PAM hook, so I can see how to
> make it work for password-based authentication if we have the AFS PAM
> installed...
> 
> ... but has anyone done any work with AFS and/or Kerberos and/or SSH to
> make it use keys for authentication?  I.e. store one's public key in the
> Kerberos database instead of an encrypted password, and authenticate by
> sending a string encrypted with the private key stored on one's local
> disk?  Or alternatively, has anyone modified SSH to use a local Kerberos
> token to authenticate at the remote machine, as for authenticating
> rsh/rcp?

I would say yes, but using certificate chains and SSL, which provide better key
management, is more mainstream than the public key in ssh. 

There is also the PK_INIT for Kerberos v5, but this is not widely implemented
yet. The SSLK5 above is functionally equivalent. 

> 
> Am I making sense?
> 
> Thanks,
> S
> 
> --
> steve lammert         unix administrator   voice: +1-412-471-7500 x4712
> [EMAIL PROTECTED]   Be Free, Inc.          fax: +1-412-471-9840

-- 

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439 
 (630) 252-5444