Securing mail access with Kerberos and SSL


Presentation Transcript


  1. Securing mail access with Kerberos and SSL
     Wolfgang Friebel, DESY
     HEPNT/HEPiX meeting Oct 6, 1999

  2. Motivation
     • User authentication at our site is based on Kerberos
     • Nearly all services made Kerberos aware (xdm, ftp, ...)
     • IMAP4 with the UW imapd was not kerberized
     • Clear text passwords were sent for imapd auth
     • Had to maintain UNIX passwords because of imapd

  3. Goals
     • Stay with the present imapd server (UW)
     • Get rid of clear text passwords by using imapd with SSL:
       • encrypting the communication
     • Get rid of UNIX passwords by using imapd with Kerberos:
       • check password against Kerberos, or
       • sending encrypted data to authenticate

  4. Solution 1: Authentication with Kerberos
     Make use of the PAM support on several platforms
       • link imapd including the pam library
     Advantages:
       • no source code modification required
       • encrypted UNIX password no longer needed
     Disadvantage:
       • Passwords go in clear over the line

  5. Solution 2: Making imapd Kerberos aware
     • imapd / pine comes with client side Kerberos support
     • server side support added by Michael Matz
     • compiled pine and imapd with Kerberos authenticator
     Advantage:
       • no password required with valid token
     Disadvantages:
       • Clear password transmission without valid token
       • no other Kerberos aware clients except pine

  6. Solution 3: Accepting SSL connections
     • Made imapd SSL aware by replacing the socket read and write calls (recipe by Andy Polyakov, appro@fy.chalmers.se)
     • Separate server listening on port 993
     • Is known to work at least on Solaris
     • Requires a certificate authority
     Advantages:
       • works with Netscape, Internet Explorer
       • no longer any clear text passwords
     Disadvantages:
       • lacking SSL support in pine, wrapper required
       • speed, whole session gets encrypted

  7. Alternate solutions for SSL support
     • Use unmodified imapd and unmodified clients with available wrappers, e.g.:
       • stunnel
       • bjorb
       • wrapssl
     Advantage:
       • ease of installation
     Disadvantage:
       • Wrappers (daemons) required on each host

  8. Our final solution: Kerberos and SSL
     • Two running servers:
       • kerberized imapd on port 143
       • SSL aware kerberized imapd on port 993
     • Kerberos aware client: pine
     • SSL aware clients: Netscape and Internet Explorer
     • pine made SSL aware by Michael Matz (9/99)
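The client-side rule that the final two-server setup implies (Kerberos on 143 when a ticket is at hand, plain LOGIN only inside the SSL session on 993, nothing else), together with a check for the risk slide 2 describes (a LOGIN with a clear-text password on the unencrypted port), as an added example that is not part of the presentation or of the UW imapd/pine patches it mentions. The host name, the CAPABILITY strings and the session lines are constructed, and choose_auth and find_cleartext_logins are hypothetical helper names:

```python
"""
Added example (not from the slides): a client-side authentication policy
mirroring the deck's final setup, two imapd servers, one on port 143 that
accepts Kerberos and one on port 993 that speaks SSL, plus a scanner over
recorded IMAP session lines that flags clear-text LOGIN on the plain port.
Host name, capability strings and session lines are constructed.
"""
import re

IMAP_PLAIN_PORT = 143
IMAP_SSL_PORT = 993

# Constructed CAPABILITY strings; AUTH=KERBEROS_V4 marks the kerberized
# build (the mechanism name is assumed, not taken from the slides).
CAPS_KERBERIZED = "IMAP4rev1 AUTH=KERBEROS_V4"
CAPS_PLAIN = "IMAP4rev1"


def choose_auth(port, capabilities, have_ticket):
    """Return (mechanism, reason); mechanism is 'kerberos', 'login' or None.

    Kerberos wins whenever the server offers it and a ticket is available
    (no password crosses the wire at all).  Plain LOGIN is acceptable only
    inside the SSL session on 993.  Everything else is refused, which is
    the talk's 'no clear text passwords' goal expressed as a client rule;
    in particular it closes the 'clear password without valid token' hole
    slide 5 lists for the kerberized server on port 143.
    """
    caps = set(capabilities.upper().split())
    if "AUTH=KERBEROS_V4" in caps and have_ticket:
        return "kerberos", "Kerberos authenticator, no password sent"
    if port == IMAP_SSL_PORT:
        return "login", "password sent, but inside the SSL session"
    return None, "refusing: LOGIN on port %d would send a clear-text password" % port


# Constructed session traces in the shape a wrapper or sniffer might log:
# "<host>:<port> <C|S> <tag> <command> [arguments]"
SESSION_LOG = """\
imap.example.invalid:143 C a001 AUTHENTICATE KERBEROS_V4
imap.example.invalid:143 S a001 OK Authenticated
imap.example.invalid:143 C a002 LOGIN alice hunter2
imap.example.invalid:143 S a002 OK LOGIN completed
imap.example.invalid:993 C a003 LOGIN bob s3cret
imap.example.invalid:993 S a003 OK LOGIN completed
"""

LINE_RE = re.compile(
    r"^(?P<host>[^:\s]+):(?P<port>\d+)\s+(?P<dir>[CS])\s+"
    r"(?P<tag>\S+)\s+(?P<cmd>\S+)(?P<rest>.*)$"
)


def find_cleartext_logins(log_text):
    """Return (host, port, tag, user) for each client LOGIN issued on a port
    other than the SSL port, i.e. each password that crossed the wire in
    clear.  The password itself is deliberately not returned."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("dir") != "C" or m.group("cmd").upper() != "LOGIN":
            continue
        port = int(m.group("port"))
        if port == IMAP_SSL_PORT:
            continue
        args = m.group("rest").split()
        user = args[0] if args else ""
        hits.append((m.group("host"), port, m.group("tag"), user))
    return hits


if __name__ == "__main__":
    for port, caps, ticket in [(143, CAPS_KERBERIZED, True),
                               (143, CAPS_KERBERIZED, False),
                               (993, CAPS_PLAIN, False)]:
        print(port, choose_auth(port, caps, ticket))
    for hit in find_cleartext_logins(SESSION_LOG):
        print("clear-text LOGIN:", hit)
```

Running the block prints the chosen mechanism for the three server situations and flags the single session (tag a002) where a password went over port 143 in clear; the AUTHENTICATE exchange on 143 and the LOGIN on 993 are left alone.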

  9. Conclusions
     • Reached our goals
     • Kerberized imapd used at Zeuthen since 8/99
     • Hamburg will follow, if test phase successful
     • SSL aware pine (pinessl or spine) comes next
     • Patches available

  10. Resources
     • imapd with SSL: http://fy.chalmers.se/~appro/ssl_inetd.htm
     • pine with SSL: ftp://ftp.ifh.de/pub/unix/mail/pine4.10-ssl.diff.gz
     • kerberized imapd: ftp://ftp.ifh.de/pub/unix/mail/imap-4.6-kerberos.diff.tgz
     • stunnel: http://mike.daewoo.com.pl/computer/stunnel
     • bjorb: http://www.hitachi-ms.co.jp/bjorb/en/
