Adapting Kerberos for Use with the Globus Toolkit - PowerPoint PPT Presentation

1 / 24

About This Presentation

Title:

Adapting Kerberos for Use with the Globus Toolkit

Description:

... modifications Sandia made to their libraries, ERDC added the functionality to ... Kerberos GSS API and Kerberos libraries will be necessary to maintain ... – PowerPoint PPT presentation

Number of Views:44

Avg rating:3.0/5.0

Slides: 25

Provided by: chembi

Category:

more less

Transcript and Presenter's Notes

Title: Adapting Kerberos for Use with the Globus Toolkit

1
Adapting Kerberos for Use with the Globus Toolkit
Daniel Duffy, Jerry Morris, Timothy Dunaway ERDC
MSRC Wilbur Johnson, Patrick Moore Sandia
National Laboratories
2
Outline

Introduction to Grid Computing in the Department
of Defense
Kerberos and the HPCMP Security Environment
The Globus Toolkit
Globus Toolkit version 1.1.3
Sample Run Using Globus
Modifications to Kerberos
Delegate Credentials
Acquire an Initiator/Acceptor Credential
User-to-User Authentication
Future Modifications
Conclusions

3
The Vision of the DoD Grid
Compaq SC40/SC45
Origin 3800
Cray T3E
to every resource.
From any desktop
4
The Ultimate Goal DoD Grid
UsersDesktop
GSSAPI /Kerberos Secure gridconnections.
GSSAPI /Kerberos Secure gridconnections.
DoDResources
Local GridServer

Web-Based Monitoringresource, queue, and job
status

Workflow Manager
Globus MDS (LDAP)
Globus Toolkit Job submission

Resources run Globus ResourceAllocation Manager
(GRAM) clientson their respective front-end
machines.
The Globus Toolkit is provided byArgonne
National Laboratory andthe University of
California.

5
The Globus Toolkit

A software toolkit addressing key technical
problems
Offer a modular bag of technologies
Enable incremental development of grid-enabled
tools and applications
Define and standardize grid protocols and APIs
Focus is on inter-domain issues, not clustering
Supports collaborative resource use spanning
multiple organizations
Integrates cleanly with intra-domain services
Creates a collective service layer

6
Layered Architecture
7
DoD Security Infrastructure

Authentication is based on Kerberos V5
Mandated by the DoD HPCMP Office
Uses Public Source (i.e., MIT) KDCs
Cross-realm trust between sites
Cross-realm shared secret keys
Based on formal Inter-Site Security Assurance
Agreements.
Each site agrees to immediately inactivate
accounts of terminated or misbehaving users.
Remote Access
K5 authentication with SSH/SCP
Basic Authentication with SSL and K5 Passwords
K5 GSS-FTP

8
Kerberos versus Globus Security Interface (GSI)

Private Keys
Third party (Key Distribution Center) contact by
client is required, account revocations
automatically checked.
Mature IETF standard with stable respected public
source
Centralized Trust Management
Mandated and deployed by the DoD HPCMP.

Public Key Infrastructure
Third party (Certificate Revocation List) contact
by server and client only required if you need
assurance against revocation.
Based on mature IETF standard (SSL/TLS) with
stable respected public source.
Allows distributed trust management.
In use by many commercial and academic
institutions.
The probable security infrastructure for the
global grid.

9
Solution Globus Toolkit is based on GSS API

The Generic Security Services Application
Programming Interface (GSS API) is an IETF
standard generalization used by applications to
establish an authenticated and protected
communication between two parties.
Language neutral
Separate RFCs for language bindings (C, Java)
Protocol and mechanism neutral
Separate RFCs for specific implementations
(Kerberos V5)
Initiator and acceptor may be peers
Assumes that processes have secure access to a
credential
GSS API provides no interfaces for user sign-on
Some implementations support forwarding some sort
of delegated credential

10
Grid Infrastructure Layers
Secure Grid Applications
Key
Kerberos
Globus
Applications
KSSH
Kerberos 5 Libraries
11
globusrun
client
Grid Resource Machine
12
Modifying Kerberos
MIT 1.2

Significant Effort Three man months invested to
date!
Based on the modifications Sandia made to their
libraries, ERDC added the functionality to the
NRL version of Kerberos necessary to run Globus.

DOE 1.1.0
NRL 1.0.6
13
Terminology

Initiator
The process that begins the creation of a secure
context. In a typical globusrun, the jobmanager
is an initiator of a secure context, and yet, the
jobmanager is running on the remote host.
Acceptor
The process that receives and accepts the secure
context. The globusrun issued on a users desktop
will attempt to accept a secure context from the
jobmanager.

14
Exporting Delegate Credential

GSSAPI has no interface for exporting a
delegated credential
Gatekeeper gets a delegated credential
handle, and needs to fork a jobmanager that
can use it.
GSS API would say this is mechanism specific
functionality, and does not currently support it.
Doug Engert (Argonne National Laboratory) came up
with an interim solution for Globus that works
for both GSI and Kerberos.

15
Interim Solution

Modify the gss_export_context routine to copy the
cache to /tmp on the remote machine.
This is triggered by the minor_status (normally
just an output parameter) being set on input to
0xDEE0.
Upon success, minor_status is set to 0xDEE1.
This interim solution was added to the DoD
Kerberos.
The Global Grid Forum (www.gridforum.org)
Security WG is designing a more permanent GSS API
extension.

16
Acquire an Initiator/Acceptor Credential

Currently, the MIT version of
Kerberos does not support this
and assumes only the following
The initiators of a context are always user
processes
with a credential cache obtained from a recent
kinit.
Acceptors of a context are services that have
access
to a machines keytab file.
Hence, there is no need in the current version of
Kerberos to allow a spawned process to acquire
the newly created cache file.

17
Solution

Modified the gss_acquire_cred routine to
recognize that when a secure connection is to be
established, this routine will do one of the
following
Always retrieve a keytab credential if one is
available (this allows for a longer lived key),
or
Retrieve a cached credential that has been
delegated to a file.
Make sure that the keytab files permissions are
set correctly, otherwise the jobmanager running
as the user will try to use it.

18
Motivation for User-to-User Authentication

Distributed Grid Services are based on job
processes that run with forwarded delegated GSS
API credentials.
Processes running with user credentials open
secure sessions with other processes that also
run with user credentials.
Globus (www.globus.org) is such a service, and is
built upon a GSS API authentication layer.

19
User-to-User Authentication

Globus requires that user credentials
be used by a GSS API Acceptor.
Kerberos GSS API assumes that acceptors are
always services, with access to service
principals key.
Both the jobmanager running on the remote machine
and the globusrun executed on the users desktop
run as user and must establish a secure Kerberos
context.

20
User-to-User Authentication

Mechanisms for Kerberos user-to-user existed, but
no GSS API protocol.
Michael Swift at Microsoft had an IETF draft
describing a GSS API-like user-to-user handshake
in Win2K.
Swift, M., Brezak, J., Moore, P., User to User
Kerberos Authentication using GSS-API (March
2001)
http//www.ietf.org/internet-drafts/draft-swift-wi
n2k-krb-user2user-02.txt
This method of the User-to-User handshake was
implemented in the DoD Kerberos.

21
Status of all the Kerberos Modifications

It Works!
Tested the Modified Code
gss-client/gss-server
Most other clients and servers
AIX, IRIX, Solaris, Linux
Globusrun and other Globus Toolkit Utilities
Diffs with respect to the NRL base line have been
sent back to Ken Hornstein.
No clearly defined method of certifying and
implementing these changes into future NRL
distributions of Kerberos!

22
Conclusions

Kerberos can be used in a secure grid computing
environment!
GSI may not be an option at some sites.
It certainly was not for the creation of a
prototype in the DoD.
GSSAPI is not plug-and-play, but did make it
possible to use the Globus Toolkit.
Future modifications of the Kerberos GSS API and
Kerberos libraries will be necessary to maintain
compatibility with the Globus Toolkit.
Who will do these modifications?
The Globus and GSI developers should be
acknowledged for a well designed, portable
security layer
Doug Engert, Steve Tuecke, Von Welsh (Argonne
National Laboratories)
The Sandia National Laboratories Grid Services
Group were the first to both implement the
necessary changes to the Kerberos libraries and
to modify the Globus Toolkit to work with
Kerberos.
Wilbur Johnson, Patrick Moore, and others.

23
Acknowledgements

The Globus and GSI developers should be
acknowledged for a well designed, portable
security layer
Doug Engert, Steve Tuecke, Von Welsh (Argonne
National Laboratories)
The Sandia National Laboratories Grid Services
Group was the first to both implement the
necessary changes to the Kerberos libraries and
to modify the Globus Toolkit to work with
Kerberos.
Wilbur Johnson, Patrick Moore, and others.
ERDC MSRC
Tim Dunaway, Jeff Hensley, Greg Rottman, Jerry
Morris, and Steve Turnbull
ASC MSRC
Tony DelSorbo, Bill Zilliox, John Sprinkle
Aram Kevorkian, Chair of the MCWG

24
References
rfc1510 J. Kohl, J., C. Neuman, C., The
Kerberos Network Authentication Service(V5),
IETF RFC 1510. 1993. http//www.ietf.org/rfc/rfc15
10 rfc2743 Linn, J. Generic Security Service
Application Program Interface Version 2, Update
1, IETF, RFC 2743, 2000. http//www.ietf.org/rfc/r
fc2743. rfc2744 Wray, J.,. Generic Security
Service API Version 2, C-Bindings. IETF, RFC
2744, 2000. http//www.ietf.org/rfc/rfc2744. Swi
01 Swift, M., Brezak, J., Moore, P., User to
User Kerberos Authentication using GSS-API. (work
in progress, March 2001) http//www.ietf.org/inter
net-drafts/draft-swift-win2k-krb-user2user-02.txt

25
The Current DoD Grid Group