[Freeipa-users] Understanding role of the certificate in client - server communication.
Alexander Bokovoy
abokovoy at redhat.com
Fri Mar 28 15:07:54 UTC 2014
On Fri, 28 Mar 2014, Genadi Postrilko wrote:
>Thank you for the answer.
>Is the communication between IPA Client and Server HTTPS based? not just
>SSL over TCP?
Depends on the protocol being used.
You really need to go and look per protocol.
For example:
HTTPS is used only when you are using IPA's Web UI or when IPA command
line utilities ('ipa ...') are in use. Day to day work on IPA clients is
usually handled by SSSD.
SSSD processes talk Kerberos and LDAP to IPA server.
Kerberos is using own protocol (Kerberos) over TCP and/or UDP. Note that
Kerberos communications differ depending on the mode of operation and in
most cases include both integrity and confidentiality services where
needed.
LDAP is done with Kerberos authentication and TLS use within LDAP
protocol over TCP.
>So is Kerberos? Does it have to be over HTTP? or its purely over TCP/UDP?
Kerberos does not go over HTTP. You can use Kerberos to negotiate over HTTPS
but this is only for specific cases when someone is talking to
a kerberized web-service, like IPA's Web UI or its XML-RPC end point.
We didn't redefine any of the existing protocols for that. There are
already tools and means to achieve secure communication channels and we
are (carefully) using them for greater good.
>2014-03-19 10:56 GMT+02:00 Alexander Bokovoy <abokovoy at redhat.com>:
>
>> On Wed, 19 Mar 2014, Genadi Postrilko wrote:
>>
>>> Thank you for the answer.
>>> Sory if i lack the knowledge, but why SSL is needed when using kerberos?
>>> Kerberos is based on 3th party that is trusted, why there is a need for
>>> public key encryption?
>>>
>> Using Kerberos only, without asking for integrity and confidentiality
>> services, without channel bindings to the outer encryption, is prone to
>> MITM even with valid TLS channels.
>>
>> Use of certificates allows to perform mutual authentication at the SSL
>> level and later perform channel bindings of the tunnelled Kerberos
>> communication.
>>
>> Note that Kerberos over HTTP is weak without transport level security.
>> HTTP authentication per se is independent of the transport.
>>
>> For more details you can look at Joe Orton's talk at ApacheCon'2008:
>> http://www.apachecon.com/eu2008/program/materials/kerb-sso-http.pdf
>> --
>> / Alexander Bokovoy
>>
--
/ Alexander Bokovoy
More information about the Freeipa-users
mailing list