Creating Unix keytabs from a Windows domain controller


Chapter 9. Case Study

In the previous eight chapters, we examined the technical details behind the Kerberos system and how to implement Kerberos in your network. In this chapter, we take a step back and examine a hypothetical organization that wants to implement a network-wide single-sign-on solution and has chosen Kerberos to provide it. We walk through the decision process as the necessary Kerberos realms are designed and implemented. The example covers many of the decisions that organizations face when implementing Kerberos in their own networks.

9.1 The Organization

The fictitious organization that we'll use for our example is the Sample Internet Service Provider, a prominent provider of local dial-up, T1, and DSL service in the Anytown area. The Sample ISP has an internal network with two major divisions in its IT organization. One division provides end-user support and services for the Windows desktops and servers. This department administers the company email server, which runs Microsoft Exchange, and already has a Windows 2000 Active Directory domain in place to handle user logins on the Windows network. The second department administers the backend Unix systems, most notably a large bank of web-hosting machines running Linux and Apache. In addition, the Sample ISP has a small testing and staging laboratory where new software is tested before deployment.

The Unix systems currently have no centralized authentication system; a mishmash of /etc/passwd files, htpasswd files, and password hashes stored in a MySQL database handles the current authentication needs. This setup has serious manageability problems. Adding or removing a user on the Unix machines is a tedious process that involves logging into each machine separately and adding or removing an entry from that machine's local /etc/passwd file. Because nothing keeps the Unix machines synchronized, users also end up with a separate password on each machine they have access to. As a result, the Sample ISP has many stale passwd files on its machines, some of which still contain entries for users who should no longer have access. To solve these problems, an infrastructure should be established that centralizes the administration of user authentication information.
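Before migrating, the Unix group would want to know exactly how bad the stale-account problem is. The following script is an added example (it is not from the book) of the kind of audit that surfaces the two problems just described: accounts that survive on individual hosts after a user should have lost access, and the same username carrying different UIDs on different machines. The three /etc/passwd files and the AUTHORIZED staff list are constructed sample data; in practice each file would be collected from the real hosts (for example, over ssh) and the authorized list would come from HR or the Windows directory.

```python
"""Audit per-host /etc/passwd files for stale and inconsistent accounts.

Added example, not code from the book. The passwd contents below are
constructed sample data standing in for files collected from real hosts.
"""

# Constructed sample data: three hosts, each with its own /etc/passwd.
PASSWD_BY_HOST = {
    "web01": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "alice:x:1001:1001:Alice:/home/alice:/bin/bash\n"
        "bob:x:1002:1002:Bob:/home/bob:/bin/bash\n"
        "carol:x:1003:1003:Carol (left the company):/home/carol:/bin/bash\n"
    ),
    "web02": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "alice:x:1001:1001:Alice:/home/alice:/bin/bash\n"
        "bob:x:1005:1005:Bob:/home/bob:/bin/bash\n"   # same user, different UID
    ),
    "lab01": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "alice:x:1001:1001:Alice:/home/alice:/bin/bash\n"
        "dave:x:1004:1004:Dave:/home/dave:/bin/bash\n"
    ),
}

# Assumed authoritative list of staff who should still have Unix access.
AUTHORIZED = {"alice", "bob"}

# UIDs at or below this value are treated as system accounts and ignored.
SYSTEM_UID_MAX = 999


def parse_passwd(text):
    """Return {username: uid} for the non-system accounts in passwd-format text."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _password, uid, *_rest = fields
        uid = int(uid)
        if uid > SYSTEM_UID_MAX:
            users[name] = uid
    return users


def audit(passwd_by_host, authorized):
    """Find stale accounts and users whose UID differs between hosts.

    Returns (stale, uid_conflicts): stale maps host -> sorted usernames that
    are not in `authorized`; uid_conflicts maps username -> {host: uid} for
    users present on more than one host with differing UIDs.
    """
    stale = {}
    uids_by_user = {}
    for host, text in passwd_by_host.items():
        users = parse_passwd(text)
        extra = sorted(set(users) - authorized)
        if extra:
            stale[host] = extra
        for name, uid in users.items():
            uids_by_user.setdefault(name, {})[host] = uid
    uid_conflicts = {
        name: hosts
        for name, hosts in uids_by_user.items()
        if len(set(hosts.values())) > 1
    }
    return stale, uid_conflicts


if __name__ == "__main__":
    stale, conflicts = audit(PASSWD_BY_HOST, AUTHORIZED)
    for host, names in sorted(stale.items()):
        print(f"{host}: stale accounts: {', '.join(names)}")
    for name, hosts in sorted(conflicts.items()):
        print(f"{name}: UID differs across hosts: {hosts}")
```

On the sample data the audit reports carol on web01 and dave on lab01 as stale, and flags bob because web01 and web02 disagree about his UID. The UID check matters for the migration: once authentication is centralized, a user still needs one consistent UID everywhere, or files on shared storage will end up owned by the wrong person.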
In addition to centralizing the authentication information for the Unix systems, management has decided to establish a cross-platform single-sign-on system, so that staff can log in once on their Windows desktops and then transparently authenticate to any other system, whether Windows- or Unix-based. Of course, Kerberos is chosen to provide this capability; more specifically, Kerberos v5, as it is the latest revision of the Kerberos protocol and is the version the existing Windows 2000 Active Directory setup already speaks. For now, the only applications that the Sample ISP plans to kerberize are remote login to the Unix machines and some X Window System applications that the support and network operations staff run on a regular basis.