diff options
| author | Russ Allbery <rra@stanford.edu> | 2007-07-19 00:04:26 +0000 |
|---|---|---|
| committer | Russ Allbery <rra@stanford.edu> | 2007-07-19 00:04:26 +0000 |
| commit | a7fc07727aeb437ddbe53c33c2dabde0a17db126 (patch) | |
| tree | 0d43cfcfeada4c00e34fe0dd15c8f3c42d2c217f /docs | |
| parent | 81ba1afddb1f008c28fad84aa4f3b80ef2de247c (diff) | |
Initial general design document.
Diffstat (limited to 'docs')
| -rw-r--r-- | docs/design | 365 |
1 files changed, 365 insertions, 0 deletions
diff --git a/docs/design b/docs/design new file mode 100644 index 0000000..dc4d05c --- /dev/null +++ b/docs/design @@ -0,0 +1,365 @@ + Wallet System Design + +Introduction + + The wallet system provides a mechanism for storing and retrieving + security-sensitive data such as system credentials and private keys + from a secure host, applying ACLs to that data, and supporting + automatic creation of certain types of security data on demand (such + as Kerberos keytabs). + + The initial implementation of the wallet is targetted at Kerberos + keytab distribution and the replacement of Stanford University's + legacy Kerberos-v4-based sysctl system for distributing srvtabs and + keytabs. After that initial implementation, additional data types + will be added. SSL certificates, ssh private keys, and database + passwords are likely early candidates. The implementation of keytabs + is described in detail below, and similar detailed designs for other + data types will be added as part of the later phases of the design. + + This design document is not entirely complete in the area of exact + protocol commands, supported arguments, and the details of the ACL + manipulation protocol. These areas of the design are still being + developed. + +Assumptions + + For the rest of this document, the term "object" will be used for a + piece of security-sensitive data stored in the wallet. The object + "metadata" is the authorization and history information around that + object. Be aware that an object "stored" in the wallet may not be + physically present on the wallet server; instead, the object may be a + type of object that can be dynamically generated on demand by the + wallet server or retrieved from elsewhere. For example, most Kerberos + keytabs stored in the wallet will exist in the wallet only in the form + of metadata and will be generated dynamically on demand when + requested. + + Wallet uses remctl for its network protocol, which provides Kerberos + v5 GSS-API authentication and encryption of all data. The rest of + this design document will assume the connection from a wallet client + to the wallet server is handled via the remctl protocol, that the + wallet server therefore knows the authenticated Kerberos principal of + the client, and that data passed between the server and the client is + encrypted. For more information about the remctl protocol, see: + + <http://www.eyrie.org/~eagle/software/remctl/protocol.html> + + remctl requires Kerberos v5 authentication, and therefore all clients + using the wallet to retrieve data will use Kerberos v5 authentication. + + We assume the wallet server is itself a secure host. Compromise of + this host will compromise all stored data it has and will allow an + attacker to perform any operation possible via the wallet. In order + to limit the effectiveness of such an attack, certain keys may be + excluded from the wallet's management purview (via kadm5.acl rules on + the KDCs, for example) and require management by Kerberos + administrators with kadmin. However, compromise of the wallet system + would have a significant security impact and the system should be + managed with the sort of security precautions as one would apply to a + Kerberos KDC. + +Server Design + + Protocol Operations + + The wallet server supports the following protocol operations on an + object: + + create Create a new wallet entry for an object + delete Delete the wallet entry for a given object + owner Set the owner of an object + acl Set the ACL on an object + flag Set or clear flags on an object + show Show the metainformation about the object + + get Retrieve the named object from the wallet + store Store the named object in the wallet + + group-add Add a principal to an ACL group + group-remove Remove a principal from an ACL group + group-list List the members of an ACL group + + The first six operations manipulate or display the metadata of the + object. The next two operations store or retrieve the object itself. + The last three operations allow manipulation of krb5-group ACLs (see + below). + + The owner and acl operations are only available to wallet + administrators. Even if one is the listed owner of an object, one may + not change the owner or ACL on that object. (This may be reconsidered + later to permit the owner to set the ACLs on an object. This design + mirrors the existing Stanford University srvtab distribution system + and is maximally conservative.) + + Objects are created with a store command, a get command on a object + type that supports data generation, or a create command (which creates + the metadata without storing any data). New objects will be created + owned by the user running get, store, or create, no special ACLs, and + no flags. Each backend can decide at its discretion whether a user + can get, store, or create an object that doesn't already exist. The + default behavior in the absence of backend-specific configuration is + to only allow wallet administrators to do so. + + ACLs + + Each ACL consists of zero or more lines, each of which has a scheme + and an identifier. Initially, three schemes will be supported: krb5, + krb5-group, and netdb. + + An ACL line of scheme krb5 will have a single fully-qualified + principal name as an identifier; only that principal will be + authorized by that ACL line. + + An ACL line of scheme krb5-group will have a group name as an + identifier. That group will have an owner and a list of Kerberos + principals. Any Kerberos principals on the list (not including the + separate owner) will be authorized by that ACL line. The owner is + itself a reference to another ACL, which may include the group for a + self-owning ACL. Anyone on the ACL referenced by the owner attribute + may list the principals in that group and add or remove a principal + from that group. + + An ACL line of scheme netdb will have an identifier naming a specific + machine. The user will be authorized if that user has a role of + "admin" or "team" for that machine. See netdb-role-api for the + specific remctl API for performing that query. + + For all ACLs, each ACL line is tried against the user principal. If + any ACL line authorizes the user, that user is authorized. If no ACL + line authorizes the user, permission to perform the operation is + refused. + + For more details and other ACL types that will be supported in the + future, see design-acl. + + There will be one general system ACL that identifies wallet + administrators, who are permitted to perform any operation. + + Metadata + + Each object stored in the wallet has the following metadata associated + with it (with examples for a keytab for + host/windlord.stanford.edu@stanford.edu that should be retrievable by + the Kerberos principal rra/root@stanford.edu): + + * The type and name of the object. The name must be unique within + that type. For example, the type would be "keytab" and the name + would be "host/windlord.stanford.edu@stanford.edu". + + * The owner of the object. The owner by default has get, store, and + show permissions on the object in the lack of more specific ACLs. + An owner is a reference to an ACL. In this case, this would be a + reference to an ACL of one line, that line having scheme "krb5" and + identifier "rra/root@stanford.edu". + + * Optional ACLs for get, store, show, delete, and flag operations. + If there is an ACL for get, store, or show, that overrides the + normal permissions of the owner. In the absence of an ACL for + delete or flag, only wallet administrators can delete an object or + set flags on that object. This entry would need no special ACLs. + + * Trace fields storing the user, remote host, and timestamp for when + this object was last created, stored, and downloaded. + + Keytab-Specific Metadata + + Objects of type keytab have one additional piece of metadata: an + optional list of enctypes for which keys should be generated for that + principal. This list can be used to restrict the Kerberos enctypes + for a particular keytab to only those supported by that application. + In the absence of a list associated with a keytab, the default enctype + list in the KDC will be used. + + Flags + + Each object can have flags set on it. Currently, the only defined + flags are: + + locked Nothing permitted regardless of ACL except show + unchanging Use existing data, don't regenerate + + The unchanging flag will only have meaning for those types where the + backend can support either generating new data or using the existing + stored data. + + History + + The wallet server will keep a history log of every operation performed + against an object, keyed by object type and name (for object changes). + A remctl interface will be provided so that wallet administrators can + query this log and see the history of a given object. + + In addition, the wallet server will log to syslog every operation + performed, not only on objects but on ACLs, Kerberos principal groups, + keytab enctype metadata, and so forth. + +Keytab Server Backend + + Basic Operation + + The keytab backend will not support the store operation, only the get + operation. Normally, a get will result in the generation of a new + keytab (possibly constrained by the list of enctypes for that keytab) + and hence the invalidation of any existing keytabs for that principal. + + The wallet server will only have kadmin ACLs to manage a specific set + of principals to prevent the wallet from being used to change core + Kerberos keys or to change user accounts. + + NetDB Default ACLs + + If a user attempts to get a keytab for which no entry had previously + been created with create and that keytab is one of a specific set of + host-bound principals as configured by the local wallet server + deployment (generally things like host/*), we will check the principal + against an ACL of scheme netdb and identifier equal to the host name + for the principal (after chasing CNAMEs). If that ACL authorizes the + user, we will automatically create a wallet entry for this host, owned + by an ACL of scheme netdb and identifier equal to the fully qualified + name of the system. This will allow anyone with NetDB ownership of + the system to manage the keytabs. + + Note that this does leave the system open to a potential attack via + DNS by spoofing a CNAME return and hence fooling the wallet into + thinking that a particular host is an alias for a host that the user + has NetDB roles to manage when it actually isn't. This attack can + only allow the user to create a keytab that doesn't already exist, + however, so the impact seems slight given the difficulty of the + attack. + + Retrieving Existing Keytabs + + The flag unchanging can be set on keytabs to indicate that, rather + than generating a new key on a get operation on that keytab object, + the existing key should be extracted from the KDC and returned. This + removes some protection around abuse of the wallet system since it + allows one to get access to an existing key without invalidating the + system key and then forge authentication to that service. + Accordingly, this flag may only be set by wallet administrators unless + a flag ACL is created on that object, and as a matter of policy it + should only be granted when there's a compelling reason for it. + + When a keytab with the unchanging flag set is retrieved with get, + rather than generating a new keytab, the wallet server requests the + current keys in keytab form from the KDC via a separate interface. + The KDC will return only keys for principals matching a set + specifically configured on the KDC. All strongly privileged keytabs + should be excluded from this (and ideally, only those keytabs known to + require caching should be listed here). The keys will be extracted + from the KDC using kadmin.local with the -norandkey option, added with + a Stanford-local patch (but expected to be in MIT Kerberos 1.7). + +Client Design + + Basic Operation + + The client will use the remctl libraries for all communication with + the wallet server. The wallet server name will be determined by a + compile-time default, overridden by configuration in krb5.conf or by a + command-line option. It should support the get, store, and show + operations (although we will skip store for the initial implementation + since it's not required for keytabs). Other wallet protocol + operations can be done via direct remctl calls or through later + additions to the client. + + When retrieving a keytab, the client should support either creating a + new keytab file or adding the keys from the downloaded keytab to an + existing keytab so that multiple keys can be merged into the same + keytab. This is useful for services that expect all their keys to be + in krb5.keytab, or for adding keys for all a host's aliases to its + krb5.keytab. + + Srvtab Generation + + For backward compatibility with a Kerberos v4 realm, the wallet + client, when downloading a keytab, should also be able to optionally + create a srvtab with the DES key extracted from that keytab (if any). + In order to get the Kerberos v4 kvno for the key (which may differ + from the Kerberos v5 kvno), it will obtain a Kerberos v4 service + ticket for that principal and extract the kvno from that service + ticket. + +Security Considerations + + System Compromise + + By its nature, the wallet is an obvious attack target target. It has + access to generate arbitrary keytabs for many different service + principals, it will eventually store a variety of high-value + privileged data, and it has to be accessible over the wallet protocol + to clients. + + This risk can be reduced by running minimal accessible services on + this system, co-located this service only with other high-security + applications if anything, and closely monitored for security issues. + In addition, the wallet should only have access on the KDC to those + principal classes that are managed by the wallet, specifically not + including any core Kerberos administrative principals, any user + accounts, and any administrator accounts. + + The system should use iptables and similar firewall mechanisms to + limit all access only to those ports providing known public services, + and there to as few IP addresses as possible. + + The wallet database should be stored locally on the system running the + wallet server and not be accessible from any other system. + + Administration of the wallet should be done over protocol. Logging on + to the wallet system should be done only in the case of emergency, + upgrade, or system maintenance and should not be done for any routine + task. + + Protocol Compromise + + The security of the wallet is dependent on the security of the + underlying remctl protocol. The remctl code has been carefully + audited for security issues and is already in widespread use and + should be treated as a core security component. + + Most communications between the wallet and the KDC are done over the + kadmin protocol, which is Kerberos-authenticated and encrypts the + network communications. The other communication with the KDC is done + via remctl. Extracting existing keys from the KDC can only be done on + the KDC using kadmin.local and access can therefore be tightly + controlled by the KDC remctl interface. + + Retrieving Existing Keytabs + + One key security concern is the wallet's ability to retrieve existing + keytabs. The normal Kerberos key management system has some built-in + defense against an attacker obtaining a keytab for a service + principal: since that invalidates the existing keytab, the attacker + will still not be able to authenticate to a service that uses that + service principal, and any authentication done by the service + principal will start failing. Compromise attacks are therefore often + converted to denial of service attacks, and it's very difficult to + launch a silent attack. + + This changes when access is granted to existing keys. An attacker who + obtains the existing keys can silently forge authentication to a + service protected by that service principal, or can silently + impersonate that service principal to other services without + interfering with normal operations. + + The unchanging flag should therefore only be set when there is a clear + need, and the backend on the KDC that allows the wallet system to + retrieve existing keys should be as restrictive as possible about + which keys can be retrieved. Using this system is, however, better + from a security standpoint than saving a copy of a keytab and + installing it as part of a build process or copying it between + multiple systems since the wallet at least maintains an audit trail of + downloads and doesn't keep a local copy of the keytab, only the means + for retrieving it. So, for example, a compromise that makes available + only the backup image of the wallet server and not its credentials + cannot obtain existing keytabs since they're not stored on its disk. + + Auditing + + The wallet server audits operations in three ways. First, an + authenticated principal, hostname, and timestamp is kept up to date + for each object for the last creation, modification, and retrieval + date for that object. Second, an audit trail is kept for all + operations on an object to allow retrieval of the complete history of + an object. Third, all wallet operations are logged to syslog and + therefore suitable for archiving, analysis, and forensics. |