Re: Kerberos and DIGEST-MD5

[Jose Gonzalez Gomez <jgonzalez@opentechnet.com>]

Howard Chu wrote:

> Jose Gonzalez Gomez wrote:
>
> >    Hi there,
> >
> >    I've been searching the web and the mailing list for a solution to 
> > this but haven't been able to find an answer. Sorry if this has been 
> > answered before...
> >
> >    I have managed to install an authentication server using mit-krb5 
> > 1.3.3, cyrus-sasl 2.1.18 and openldap 2.1.26. Right now I'm able to 
> > authenticate any user on my network using pam/nss accessing Kerberos 
> > and OpenLDAP, so in order for an user to login she must have a 
> > corresponding Kerberos principal and a LDAP entry with 
> > objectClass=posixAccount (among others). I'm also able to 
> > authenticate to LDAP using GSSAPI/Kerberos, and simple BIND using 
> > {SASL}user@REALM in the userPassword attribute (as it seems that the 
> > {KERBEROS} way is deprecated) checking the password against 
> > saslauthd/Kerberos database.
> >
> >    So what's the problem? It seems that to build a LDAPv3 compliant 
> > server I must provide DIGEST-MD5 authentication to the LDAP server, 
> > and this is what I don't know how to achieve in a clean manner. In 
> > order to have DIGEST-MD5 working I must have a clear text password 
> > stored somewhere (correct me if I'm wrong), but it seems that 
> > Kerberos doesn't have it, or I don't know how to use it in the 
> > DIGEST-MD5 authentication process. It seems that Cyrus SASL *does 
> > need* this password stored in its sasldb2 database to be able to 
> > successfully offer DIGEST-MD5, but this would mean that I'd have 
> > duplicated information and I'd have to sync both databases (Kerberos 
> > and SASL) whenever a password change occurs. So, am I missing 
> > anything here? Is there any clean solution for this?
>
>
> I believe you already received an answer to this question on the 
> cyrus-sasl mailing list.

   Sorry for any inconvenience... after posting here I thought that 
maybe this could be off topic, so I wrote the same question on the 
cyrus-sasl list, that seemed more appropiate. Anyway, the answers I'm 
receiving here are more helpful until the moment.

> The cleanest way to make this work is to use Heimdal Kerberos and set 
> its KDC to store the Kerberos authentication data in LDAP. Then use 
> the smbk5pwd module in OpenLDAP's CVS to keep the userPassword and 
> krb5Key in sync. Synchronization is one-way - when you change 
> passwords using LDAP then both LDAP and Kerberos will be updated at 
> once, but if you change passwords using Kerberos only Kerberos will 
> change. Note that this approach only works with OpenLDAP 2.2 and 
> Heimdal Kerberos. Also there is no need to use saslauthd when using 
> this method; the LDAP userPassword simply holds the user's cleartext 
> password. Obviously there are other security considerations from 
> storing a cleartext password in LDAP.

   So you gain the ability to offer DIGEST-MD5 authentication without 
having duplicated password information, but then you lose the 
possibility of letting users change their passwords using the standard 
unix/linux/kerberos tools. The first obvious implication of this 
approach is that you will have a hard time trying to enforce any 
password policy in your network, as this usually involves an expired 
password that must be changed at logon time using pam, and enforcing the 
quality of the password using kerberos policies... am I missing anything 
here? Should I use a combination of cracklib/ldap modules for password 
and kerberos modules for auth/account/session in pam? Would such a setup 
work?

   Regarding the smbk5pwd... will this be included in a future release 
of OpenLDAP? And a final question regarding Kerberos... until now I've 
been using mit-krb5, do you recommend heimdal over mit for any reason?

   Thanks a lot, best regards
   Jose