[OpenAFS] Re: authenticating using AD servers hidden behind firewall

Douglas E. Engert deengert@anl.gov
Fri, 08 Jun 2012 13:32:22 -0500


On 6/7/2012 8:28 PM, Jeffrey Altman wrote:
> On 6/7/2012 9:09 PM, John Tang Boyland wrote:
>> Our institution uses "Shibboleth" for off campus authentication,
>> since it keeps the AD (and thus kerberos) servers hidden behind
>> a firewall.  Does anyone know how to have OpenAFS use Shibboleth
>> for authentication?
>> John
>

We too are part of InCommon running a Shibboleth IDP, but our
AD KDCs are not accessible from offsite (and neither is AFS)
except via VPN.

There are some security questions to be asked, before one would
want to use Shibboleth to authenticate to AFS.

Your security people must have some policy in place to require the
KDC to be behind a firewall, as the tickets can be used for
login, access to shared data in the Domain, or AFS cell. Having
this low level access from off site may present a security risk they
are not willing to take.

They may be willing to allow users from off site to authenticate via
Shibboleth since it is designed to be for access to services, where
the user does not require a Unix, Kerberos, AD or local account,
and access is to a limited amount of data controlled by the web server.

Allowing Shibboleth to hand out Kerberos tickets or tokens might
give too easy access to too much inside data.

(And I assume that in your environment, you would only allow AFS access
to users authenticating using your umw IDP. Shibboleth used in a
Federation would allow users from other federation members to
their own IDP.)

> John:
>
> What you need is an implementation of GSS IAKERB
>
>    https://tools.ietf.org/html/draft-ietf-krb-wg-iakerb-02
>
> as part of Doug Engert's gssklogd.  I don't believe there is an open
> source implementation of it yet.

That could work, if there was an implementation.

>
> Jeffrey Altman
>

-- 

  Douglas E. Engert  <DEEngert@anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444