directory-commits mailing list archives

From build...@apache.org
Subject svn commit: r850171 - in /websites/staging/directory/trunk/content: ./ apacheds/kerberos-ug/ apacheds/kerberos-ug/images/
Date Mon, 11 Feb 2013 00:42:21 GMT
Author: buildbot
Date: Mon Feb 11 00:42:20 2013
New Revision: 850171

Log:
Staging update by buildbot for directory

Added:
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.6-as.html
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.7-tgs.html
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-no-padata.graphml
  (with props)
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-no-padata.png
  (with props)
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-padata.graphml
  (with props)
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-padata.png
  (with props)
Modified:
    websites/staging/directory/trunk/content/   (props changed)
    websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.5-database.html

Propchange: websites/staging/directory/trunk/content/
------------------------------------------------------------------------------
--- cms:source-revision (original)
+++ cms:source-revision Mon Feb 11 00:42:20 2013
@@ -1 +1 @@
-1444569
+1444642

Modified: websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.5-database.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.5-database.html (original)
+++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.5-database.html Mon
Feb 11 00:42:20 2013
@@ -145,6 +145,13 @@
 </em> The Kerberos protocol
 <em> The Authentication Server
 </em> The Ticket Granting Server</p>
+<p>We will focus on the database in this section.</p>
+<h2 id="storage">Storage</h2>
+<p>We store everthing related to users, hosts and services in the LDAP base, as entries.
In order to be able to retrieve them, we have to store them in a known place in the hierarchy.
This position is fknown by the kerberos server using the 
+<strong>Search Base DN</strong> parameter.</p>
+<p>Everytime the <strong>Kerberos</strong> server received a request for
a ticket from a principal, it will do a LDAP search starting from the <strong>Search
Base DN</strong>, looking for any entry matching the filter <em>'(krb5PrincipalName=<the
principal>)'</em>. This entry should contain the Kerberos keys that will be used
to generate the ticket.</p>
+<p>One more requirement : the key as a version which allows a user to keep going with
a previous key when he just changed its password (an operation that will change the Kerberos
keys). </p>
+<p>So for an LDAP entry to be seen as a valid Kerberos entry, it has to contain a <em>Krb5PrincipalName</em>,
a <em>Krb5Key</em> and one more attribute, the <em>Krb5KeyVersionNumber</em>.</p>
 <h2 id="structure">Structure</h2>
 <p>There is an existing <strong>LDAP</strong> schema to manage the keys
and other information, named <strong>krb5kdc</strong>. It contains 3 ObjectClasses
and 15 AttributeTypes.</p>
 <p>All the ObjectClasses are auxilliary.</p>
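Review bot: in the new "Storage" paragraph the filter `<em>'(krb5PrincipalName=<the principal>)'</em>` contains a raw `<the principal>`, which a browser parses as an unknown HTML tag, so the placeholder vanishes from the rendered page; escape it as `&lt;the principal&gt;` or use a neutral placeholder such as `{principal}`. The same paragraphs have typos to fix before publishing: "everthing", "fknown", "Everytime the Kerberos server received" (should read "Every time ... receives"), "a LDAP search" (should be "an LDAP search"), "the key as a version" (should be "has a version"), and "when he just changed its password". The last paragraph also writes the attribute names as "Krb5PrincipalName", "Krb5Key" and "Krb5KeyVersionNumber" while the filter a few lines above uses "krb5PrincipalName"; LDAP attribute names are case-insensitive, but the page should pick one spelling and use it consistently.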

Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.6-as.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.6-as.html (added)
+++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.6-as.html Mon Feb 11
00:42:20 2013
@@ -0,0 +1,192 @@
+<!DOCTYPE html>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<html>
+	<head>
+		<title>1.1.6 - AS (Authentication Server) &mdash; Apache Directory</title>
+		
+        <link href="./../../css/common.css" rel="stylesheet" type="text/css">
+    	<link href="./../../css/green.css" rel="stylesheet" type="text/css">
+    
+        
+        <link rel="shortcut icon" href="./../../images/server-icon_16x16.png">
+    
+        <!-- Google Analytics -->
+        <script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
+        <script type="text/javascript">
+            _uacct = "UA-1358462-1";
+            urchinTracker();
+        </script>
+	</head>
+	<body>
+	    <div id="container">
+            <div id="header">
+                <div id="subProjectsNavBar">
+                    <a href="./../../">
+                        
+                        Apache Directory Project
+                        
+                    </a>
+                    &nbsp;|&nbsp;
+                    <a href="./../../apacheds">
+                        
+                        <STRONG>ApacheDS</STRONG>
+                        
+                    </a>
+                    &nbsp;|&nbsp;
+                    <a href="./../../studio">
+                        
+                        Apache Directory Studio
+                        
+                    </a>
+                    &nbsp;|&nbsp;
+                    <a href="./../../api">
+                        
+                        Apache LDAP API
+                        
+                    </a>
+                </div><!-- subProjectsNavBar -->
+            </div><!-- header -->
+            <div id="content">
+                <div id="leftColumn">
+                    
+<div id="navigation">
+    
+    <h5>ApacheDS 2.0</h5>
+    <ul>
+        <li><a href="./../../apacheds/">Home</a></li>
+        <li><a href="./../../apacheds/features.html">Features</a></li>
+    </ul>
+    <h5>Downloads</h5>
+    <ul>
+        <li><a href="./../../apacheds/downloads.html">ApacheDS 2.0.0-M10</a>&nbsp;&nbsp;<img
src="./../../images/new_badge.gif" alt="" style="margin-bottom:-3px;" border="0"></li>
+        <li><a href="./../../apacheds/download-old-versions.html">Older versions</a></li>
+    </ul>
+    <h5>Documentation</h5>
+    <ul>
+        <li><a href="./../../apacheds/basic-user-guide.html">Basic User Guide
</a></li>
+        <li><a href="./../../apacheds/advanced-user-guide.html">Advanced User
Guide</a></li>
+        <li><a href="./../../apacheds/developer-guide.html">Developer Guide</a></li>
+        <li><a href="./../../apacheds/kerberos-user-guide.html">Kerberos User
Guide</a></li>
+        <li><a href="./../../apacheds/configuration/ads-2.0-configuration.html">Configuration</a></li>
+            <!--li><a href="./../../apacheds/gen-docs/latest">Generated Reports
(e.g. JavaDocs)</a></li-->
+    </ul>
+    
+    
+    <h5>Support</h5>
+    <ul>
+        <li><a href="./../../mailing-lists-and-irc.html">Mailing Lists &amp;
IRC</a></li>
+        <li><a href="./../../sources.html">Sources</a></li>
+        <li><a href="./../../issue-tracking.html">Issue Tracking</a></li>
+        <li><a href="./../../commercial-support.html">Commercial Support</a></li>
+    </ul>
+    <h5>Community</h5>
+    <ul>
+        <li><a href="./../../contribute.html">How to Contribute</a></li>
+        <li><a href="./../../team.html">Team</a></li>
+        <li><a href="./../../original-project-proposal.html">Original Project
Proposal</a></li>
+        <li><a href="./../../special-thanks.html" class="external-link" rel="nofollow">Special
Thanks</a></li>
+    </ul>
+    <h5>About Apache</h5>
+    <ul>
+        <li><a href="http://www.apache.org/">Apache</a></li>
+        <li><a href="http://www.apache.org/licenses/">License</a></li>
+        <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+        <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+        <li><a href="http://www.apache.org/security/">Security</a></li>
+    </ul>
+    <a href="http://acna13.eventbrite.com/?ref=ecount"><img src="http://holdenweb.com/static/images/BannerSquareSmall.png"
width="168" height="140"></a>
+    
+</div><!-- navigation -->
+
+                </div><!-- leftColumn -->
+                <div id="rightColumn">
+
+
+    <div class="nav">
+        <div class="nav_prev">
+        
+            <a href="1.1.5-database.html">1.1.5 - Database</a>
+		
+        </div>
+        <div class="nav_up">
+        
+            <a href="1.1-introduction.html">1.1 - Introduction</a>
+		
+        </div>
+        <div class="nav_next">
+        
+            <a href="1.1.7-tgs.html">1.1.7 - TGS (Ticket Granting Server)</a>
+		
+        </div>
+        <div class="clearfix"></div>
+    </div>
+
+
+<h1 id="116-as-authentication-server">1.1.6 - AS (Authentication Server)</h1>
+<p>One of the two services offered by a <strong>Kerberos</strong> server
is the Authentication Server, which is in charge to authenticate the clients, and issues a
ticket (<strong>TGT</strong>, or <em>Ticket Granting Ticket</em>)that
the user can send to the <strong>TGS</strong> to get back a service ticket.</p>
+<p><DIV class="info" markdown="1">
+The <strong>TGT</strong>, or <em>Ticket Granting Ticket</em>, is
a ticket that a client can use to get a service ticket. In fact, the <strong>AS</strong>
just consider the <strong>TGS</strong> as a standard service, and generates a
ticket for the user to access this service.
+</DIV></p>
+<p>The beauty of the <strong>AS</strong> is that it does not verify that
the client issuing a request is a valid client : it just return a tickat that an attacker
won't be able to process if it does not have the client's password.</p>
+<h2 id="exhanges-between-the-client-and-the-as">Exhanges between the client and the
AS</h2>
+<p>As we can see, for the client to get a <strong>TGT</strong>, it's just
a matter of sending a simple request, which is sent without any encryption whatsoever (some
might consider that a BER encoded message is already cryptic enough, though ;-).</p>
+<p>Here is the standard exchange :</p>
+<p><DIV align="center">
+<img alt="Kerberos Authentication with no pre-auth" src="images/kerberos-as-no-padata.png"
/>
+</DIV></p>
+<p>There is still a potential security breach in this scenario : as the server issues
a <strong>TGT</strong> to the client, containing the secret key built using the
user's password, it's potentially possible to decrypt the ticket using a brute force attack
(and this is more likely to happen as the passwords are generally weak...)</p>
+<p>Of course, as each ticket as a limited time to live, the ticket won't be valid when
the attaker will have successfully cracked the ticket, but that doesn't matter : the user's
password is now known, and a new ticket can be requested safely, giving access to the services.</p>
+<p><strong>Kerberos 5</strong> introduced a mechanism to somehow workaround
this issue : the user has to provide a proof that he is who he pretends to be. As we can see,
it defeats the premise we made : the <strong>Kerberos</strong> still want to check
the users...</p>
+<p>Note that it's an option, so if you trust your users' password strength, then you
don't need to send the server this proof.</p>
+<h3 id="pre-authentication">Pre-Authentication</h3>
+<p>Now, let's see how does a client 'proves' that he is who he pretends to be. The
protocol allows the server to ask for some proof, by the mean of asking the client to send
the server a timestamp encrypted with the user's secret key : if the server can decrypt the
timestamp using the client secret key, then that prove the client's identity, and the server
can now send the <strong>TGT</strong> This exchanged is called PreAuthentication.</p>
+<p>Here is the exchange, when  :</p>
+<p><DIV align="center">
+<img alt="Kerberos Authentication with pre-auth" src="images/kerberos-as-padata.png" />
+</DIV></p>
+
+
+    <div class="nav">
+        <div class="nav_prev">
+        
+            <a href="1.1.5-database.html">1.1.5 - Database</a>
+		
+        </div>
+        <div class="nav_up">
+        
+            <a href="1.1-introduction.html">1.1 - Introduction</a>
+		
+        </div>
+        <div class="nav_next">
+        
+            <a href="1.1.7-tgs.html">1.1.7 - TGS (Ticket Granting Server)</a>
+		
+        </div>
+        <div class="clearfix"></div>
+    </div>
+
+
+                </div><!-- rightColumn -->
+                <div id="endContent"></div>
+            </div><!-- content -->
+            <div id="footer">&copy; 2003-2012, <a href="http://www.apache.org">The
Apache Software Foundation</a> - <a href="./../../privacy-policy.html">Privacy
Policy</a><br />
+                Apache Directory, ApacheDS, Apache Directory Server, Apache Directory Studio,
Apache LDAP API, Apache Triplesec, Triplesec, Apache, the Apache feather logo, and the Apache
Directory project logos are trademarks of The Apache Software Foundation.
+            </div>
+        </div><!-- container -->
+    </body>
+</html>
\ No newline at end of file
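Review bot: the paragraph beginning "There is still a potential security breach" says the TGT contains "the secret key built using the user's password" and that an attacker may decrypt "the ticket" by brute force; in Kerberos 5 the TGT is encrypted under the TGS's key, and the part of the AS reply that can be brute-forced offline against a weak password is the reply's encrypted portion, which is protected with the key derived from the user's password. As written, the following sentence ("the ticket won't be valid when the attacker will have successfully cracked the ticket") reinforces the confusion. Suggest rewording to say that the AS reply, not the TGT, is encrypted with a password-derived key, which is why a weak password is exposed to offline guessing, and that pre-authentication mitigates this by requiring the client to prove knowledge of that key before the reply is issued. Two structural points: the `<p><DIV ...> ... </DIV></p>` constructs are invalid HTML (a block element inside `<p>`), which browsers repair by closing the paragraph early, so drop the surrounding `<p>`; and the Google Analytics script is loaded over plain `http://`, which becomes blocked mixed content if the site is ever served over https, so use an https URL. The paragraph "Here is the exchange, when  :" is cut off mid-sentence, and the following typos should be fixed: "Exhanges" in the heading (note this also changes the generated id `exhanges-between-the-client-and-the-as`), ")that" missing a space, "tickat", "attaker", "each ticket as a limited time" (should be "has"), "that prove the client's identity" (should be "proves"), and "This exchanged is called PreAuthentication" (should be "This exchange is called pre-authentication").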

Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.7-tgs.html
==============================================================================
--- websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.7-tgs.html (added)
+++ websites/staging/directory/trunk/content/apacheds/kerberos-ug/1.1.7-tgs.html Mon Feb 11
00:42:20 2013
@@ -0,0 +1,180 @@
+<!DOCTYPE html>
+<!--
+    Licensed to the Apache Software Foundation (ASF) under one or more
+    contributor license agreements.  See the NOTICE file distributed with
+    this work for additional information regarding copyright ownership.
+    The ASF licenses this file to You under the Apache License, Version 2.0
+    (the "License"); you may not use this file except in compliance with
+    the License.  You may obtain a copy of the License at
+
+       http://www.apache.org/licenses/LICENSE-2.0
+
+    Unless required by applicable law or agreed to in writing, software
+    distributed under the License is distributed on an "AS IS" BASIS,
+    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+    See the License for the specific language governing permissions and
+    limitations under the License.
+-->
+<html>
+	<head>
+		<title>1.1.7 - TGS (Ticket Granting Server) &mdash; Apache Directory</title>
+		
+        <link href="./../../css/common.css" rel="stylesheet" type="text/css">
+    	<link href="./../../css/green.css" rel="stylesheet" type="text/css">
+    
+        
+        <link rel="shortcut icon" href="./../../images/server-icon_16x16.png">
+    
+        <!-- Google Analytics -->
+        <script src="http://www.google-analytics.com/urchin.js" type="text/javascript"></script>
+        <script type="text/javascript">
+            _uacct = "UA-1358462-1";
+            urchinTracker();
+        </script>
+	</head>
+	<body>
+	    <div id="container">
+            <div id="header">
+                <div id="subProjectsNavBar">
+                    <a href="./../../">
+                        
+                        Apache Directory Project
+                        
+                    </a>
+                    &nbsp;|&nbsp;
+                    <a href="./../../apacheds">
+                        
+                        <STRONG>ApacheDS</STRONG>
+                        
+                    </a>
+                    &nbsp;|&nbsp;
+                    <a href="./../../studio">
+                        
+                        Apache Directory Studio
+                        
+                    </a>
+                    &nbsp;|&nbsp;
+                    <a href="./../../api">
+                        
+                        Apache LDAP API
+                        
+                    </a>
+                </div><!-- subProjectsNavBar -->
+            </div><!-- header -->
+            <div id="content">
+                <div id="leftColumn">
+                    
+<div id="navigation">
+    
+    <h5>ApacheDS 2.0</h5>
+    <ul>
+        <li><a href="./../../apacheds/">Home</a></li>
+        <li><a href="./../../apacheds/features.html">Features</a></li>
+    </ul>
+    <h5>Downloads</h5>
+    <ul>
+        <li><a href="./../../apacheds/downloads.html">ApacheDS 2.0.0-M10</a>&nbsp;&nbsp;<img
src="./../../images/new_badge.gif" alt="" style="margin-bottom:-3px;" border="0"></li>
+        <li><a href="./../../apacheds/download-old-versions.html">Older versions</a></li>
+    </ul>
+    <h5>Documentation</h5>
+    <ul>
+        <li><a href="./../../apacheds/basic-user-guide.html">Basic User Guide
</a></li>
+        <li><a href="./../../apacheds/advanced-user-guide.html">Advanced User
Guide</a></li>
+        <li><a href="./../../apacheds/developer-guide.html">Developer Guide</a></li>
+        <li><a href="./../../apacheds/kerberos-user-guide.html">Kerberos User
Guide</a></li>
+        <li><a href="./../../apacheds/configuration/ads-2.0-configuration.html">Configuration</a></li>
+            <!--li><a href="./../../apacheds/gen-docs/latest">Generated Reports
(e.g. JavaDocs)</a></li-->
+    </ul>
+    
+    
+    <h5>Support</h5>
+    <ul>
+        <li><a href="./../../mailing-lists-and-irc.html">Mailing Lists &amp;
IRC</a></li>
+        <li><a href="./../../sources.html">Sources</a></li>
+        <li><a href="./../../issue-tracking.html">Issue Tracking</a></li>
+        <li><a href="./../../commercial-support.html">Commercial Support</a></li>
+    </ul>
+    <h5>Community</h5>
+    <ul>
+        <li><a href="./../../contribute.html">How to Contribute</a></li>
+        <li><a href="./../../team.html">Team</a></li>
+        <li><a href="./../../original-project-proposal.html">Original Project
Proposal</a></li>
+        <li><a href="./../../special-thanks.html" class="external-link" rel="nofollow">Special
Thanks</a></li>
+    </ul>
+    <h5>About Apache</h5>
+    <ul>
+        <li><a href="http://www.apache.org/">Apache</a></li>
+        <li><a href="http://www.apache.org/licenses/">License</a></li>
+        <li><a href="http://www.apache.org/foundation/sponsorship.html">Sponsorship</a></li>
+        <li><a href="http://www.apache.org/foundation/thanks.html">Thanks</a></li>
+        <li><a href="http://www.apache.org/security/">Security</a></li>
+    </ul>
+    <a href="http://acna13.eventbrite.com/?ref=ecount"><img src="http://holdenweb.com/static/images/BannerSquareSmall.png"
width="168" height="140"></a>
+    
+</div><!-- navigation -->
+
+                </div><!-- leftColumn -->
+                <div id="rightColumn">
+
+
+    <div class="nav">
+        <div class="nav_prev">
+        
+            <a href="1.1.6-as.html">1.1.6 - As (Authentication Server)</a>
+		
+        </div>
+        <div class="nav_up">
+        
+            <a href="1.1-introduction.html">1.1 - Introduction</a>
+		
+        </div>
+        <div class="nav_next">
+        
+            <a href="1.1.8-tickets.html">1.1.8 - Tickets</a>
+		
+        </div>
+        <div class="clearfix"></div>
+    </div>
+
+
+<h1 id="117-tgs-ticket-granting-server">1.1.7 - TGS (Ticket Granting Server)</h1>
+<p>The second major service is the <strong>Ticket Granting Server</strong>,
which is the service that delivers tickets for all the managed services to the users.</p>
+<p>A client can access to this service fater having been authenticated - ie, after
having received a ticket allowing it to access the <strong>TGS</strong> from the
<strong>AS</strong> -.</p>
+<p>At this point, all the exchanges are encrypted using the user session key. </p>
+<p>Ther  is not too much to tell about this service, except that ach request sent by
the client contains the targeted service principal name, and the ticket issued by the <strong>AS</strong>.</p>
+<h2 id="how-it-works">How it works ?</h2>
+<p>When the <strong>TGS</strong> receives a request, it will read the ticket
contained in the request, and will validate it. If the ticket has been issued by the <strong>AS</strong>,
then the <strong>TGS</strong> has the <strong>AS</strong> secret key
and can decrypt the ticket, otherwise it's potentially a forged ticket, and it will be discarded.</p>
+<p>The <strong>TGS</strong> then generate a ticket for the targted service,
and enncryt it using the service's secret key, then encapsulate this encypted ticket into
a response which will be itself encrypted using the client's secret key.</p>
+<p>The client will receive this response, will decrypt it and extract the encypted
ticket, and will send this encrypted ticket to the targeted service, which will be able to
decrypt it and validate it.</p>
+<p>Of course, in the mean time, many checks will be done relative to the ticket validity,
so one can be assured that the service is only accessible by those with the credential to
do so.</p>
+
+
+    <div class="nav">
+        <div class="nav_prev">
+        
+            <a href="1.1.6-as.html">1.1.6 - As (Authentication Server)</a>
+		
+        </div>
+        <div class="nav_up">
+        
+            <a href="1.1-introduction.html">1.1 - Introduction</a>
+		
+        </div>
+        <div class="nav_next">
+        
+            <a href="1.1.8-tickets.html">1.1.8 - Tickets</a>
+		
+        </div>
+        <div class="clearfix"></div>
+    </div>
+
+
+                </div><!-- rightColumn -->
+                <div id="endContent"></div>
+            </div><!-- content -->
+            <div id="footer">&copy; 2003-2012, <a href="http://www.apache.org">The
Apache Software Foundation</a> - <a href="./../../privacy-policy.html">Privacy
Policy</a><br />
+                Apache Directory, ApacheDS, Apache Directory Server, Apache Directory Studio,
Apache LDAP API, Apache Triplesec, Triplesec, Apache, the Apache feather logo, and the Apache
Directory project logos are trademarks of The Apache Software Foundation.
+            </div>
+        </div><!-- container -->
+    </body>
+</html>
\ No newline at end of file
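Review bot: the paragraph "The TGS then generate a ticket..." ends with the response being "encrypted using the client's secret key", which contradicts the earlier statement in the same page that "At this point, all the exchanges are encrypted using the user session key"; the TGS reply is protected with the session key obtained from the AS exchange, so the later sentence should say "session key". In the same "How it works ?" section, "the TGS has the AS secret key and can decrypt the ticket" is misleading: the ticket the client presents was encrypted by the AS under the TGS's own secret key, and that is the key the TGS uses to decrypt and validate it; suggest "the ticket was encrypted by the AS with the TGS's secret key, so the TGS can decrypt it; if decryption or validation fails, the ticket is treated as forged and discarded". The two nav links read "1.1.6 - As (Authentication Server)" while the linked page's title and heading use "AS". Typos to fix: "fater", "Ther  is", "ach request", "targted", "enncryt", "encypted" (twice), "How it works ?" (no space before the question mark), and the dangling " -." after "from the AS".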

Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-no-padata.graphml
==============================================================================
Binary file - no diff available.

Propchange: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-no-padata.graphml
------------------------------------------------------------------------------
    svn:mime-type = application/xml

Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-no-padata.png
==============================================================================
Binary file - no diff available.

Propchange: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-no-padata.png
------------------------------------------------------------------------------
    svn:mime-type = image/png

Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-padata.graphml
==============================================================================
Binary file - no diff available.

Propchange: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-padata.graphml
------------------------------------------------------------------------------
    svn:mime-type = application/xml

Added: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-padata.png
==============================================================================
Binary file - no diff available.

Propchange: websites/staging/directory/trunk/content/apacheds/kerberos-ug/images/kerberos-as-padata.png
------------------------------------------------------------------------------
    svn:mime-type = image/png


