Best practice for authenticating DMZ against AD in LAN


If you're using PAM for your authentication stack, you can use pam_krb5 to provide kerberos authentication for your services. Kerberos was designed out-of-the-box to deal with hostile environments, handles authentication-by-proxy, and is already a part of the AD spec. Why struggle with LDAP when you can get Kerberos to do the heavy lifting for you, and get on with life? Yeah, you'll have to do some reading, and yeah, it'll take a bit of time, but I've used Kerb-to-AD authentication for years and have found it to be the easiest, quickest way to get SSO working out of the box when you have Active Directory as the authentication backend.

The main thing you'll run into is that Microsoft decided to be very specific about the default encryption types (they basically made their own), so you'll need to set up your Kerberos clients to have the correct matching encryption types, or the AD servers will continue to reject it. This is thankfully an easy procedure and shouldn't require more than a few edits to krb5.conf.

And now, some links for you to consider...

Microsoft's View of Kerberos

Meshing Kerberos and Active Directory

ssh and Kerberos authentication via PAM

Apache and Kerberos

ProFTP and Kerberos

RFCs of Microsoft's Activities with Kerberos (which you really don't want to read about):
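As an added illustration of the krb5.conf edits the answer refers to (this is not part of the answer, and EXAMPLE.COM, dc1/dc2 and the hostnames are placeholders): a minimal configuration for a Linux host in the DMZ that authenticates users against an AD realm, with the encryption types pinned so the domain controllers accept the requests.

```ini
# /etc/krb5.conf for a Linux DMZ host authenticating against an AD realm.
# Added example: EXAMPLE.COM and the dc1/dc2 hostnames are placeholders.
[libdefaults]
    default_realm = EXAMPLE.COM
    # Do not depend on DNS SRV lookups from the DMZ; name the DCs explicitly
    # so the firewall rule set toward the LAN stays small and predictable.
    dns_lookup_kdc = false
    dns_lookup_realm = false
    # AD issues tickets in its own preferred types. Domain controllers from
    # Windows Server 2008 on speak AES; arcfour-hmac-md5 (RC4) is the legacy
    # AD type and should only be kept while an old DC still requires it.
    # The single-DES types are deliberately absent.
    default_tkt_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
    default_tgs_enctypes = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
    permitted_enctypes   = aes256-cts-hmac-sha1-96 aes128-cts-hmac-sha1-96 arcfour-hmac-md5
    # AD's default ticket lifetime is 10 hours; match it so renewals line up.
    ticket_lifetime = 10h
    forwardable = true

[realms]
    EXAMPLE.COM = {
        # The AD controllers are the KDCs. Only these hosts need to be
        # reachable from the DMZ: TCP/UDP 88 (authentication) and
        # TCP/UDP 464 (password changes).
        kdc = dc1.example.com
        kdc = dc2.example.com
        admin_server = dc1.example.com
    }

[domain_realm]
    .example.com = EXAMPLE.COM
    example.com = EXAMPLE.COM
```

With this in place, a line such as `auth sufficient pam_krb5.so` in the PAM stack for sshd or proftpd lets AD users authenticate against the DCs directly from the DMZ host. To confirm the pinned types actually match what the DCs hand out, run `kinit user@EXAMPLE.COM` on the host and then `klist -e`, which prints the encryption type of the ticket the DC issued; a mismatch shows up there as a KDC error long before any service is involved.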

Author: Sergei

Updated on September 17, 2022

Comments

  • Sergei
    Sergei almost 2 years

    We have a few customer-facing servers in the DMZ that also have user accounts; all accounts are in the shadow password file. I am trying to consolidate user logons and am thinking about letting LAN users authenticate against Active Directory. The services needing authentication are Apache, Proftpd and ssh. After consulting the security team I have set up an authentication DMZ that has an LDAPS proxy, which in turn contacts another LDAPS proxy (proxy2) in the LAN, and this one passes authentication info via LDAP (as an LDAP bind) to the AD controller. The second LDAP proxy is only needed because the AD server refuses to speak TLS with our secure LDAP implementation. This works for Apache using the appropriate module. At a later stage I may try to move customer accounts from the servers to the LDAP proxy so they are not scattered around the servers.

    For SSH I joined proxy2 to the Windows domain so users can log on using their Windows credentials. Then I created ssh keys and copied them to the DMZ servers using ssh-copy, to enable passwordless logon once users are authenticated.

    Is this a good way to implement this kind of SSO? Did I miss any security issues here, or maybe there is a better way of achieving my goal?

  • Govindarajulu
    Govindarajulu almost 15 years
    +1 Kerberos is the way to go.
  • Sergei
    Sergei almost 15 years
    Thank you Avery, I did look at Kerberos, and it is sort of implemented in the setup. Proxy2 is a Linux box joined to the Windows Kerberos realm, so AD users can authenticate to proxy2 by logging on via ssh, which uses pam winbind, and then log on to the DMZ servers using public keys created by me. This of course requires local users on the DMZ servers to be pre-created. The reason for not joining the DMZ servers to the Windows realm is that the security team said I must have an intermediate DMZ with a server that proxies auth requests. I could not find ways to proxy Kerberos requests, so LDAPS it is...
  • Sergei
    Sergei almost 15 years
    Maybe the security team is too paranoid and it is common practice to have DMZ authentication use AD without this intermediate DMZ - this is what I am trying to find out...
  • Avery Payne
    Avery Payne almost 15 years
    If you can control traffic to your DMZ, then you can control traffic /flows/ inside of it. This is how I handle exposed DMZ services - traffic originating from the outside is heavily filtered and only has access to specific ports, traffic within the DMZ sees everything inside the DMZ (but not everything internally), and traffic internally can see both the outside and the DMZ. Attackers on the outside can't get to internal services and can only see the ports of specific services hosted inside the DMZ. But DMZ computers can clearly see each other - including any proxy services.
  • Sergei
    Sergei almost 15 years
    So when you say "including proxy services" do you mean a proxy server that can pass over Kerberos requests too? I am just trying to please our security team. Their policy is that we must have an intermediate DMZ that contains an authentication proxy in order to pass authentication traffic from the DMZ to the LAN.
  • Avery Payne
    Avery Payne almost 15 years
    With the right setup, Kerberos authentication will "proxy" itself, i.e. the server facing the DMZ can be made to contact the (interior) KDC that holds the "keys to the kingdom". This requires a bit of setup but it can be done.
  • Sergei
    Sergei almost 15 years
    So this setup is possible: [LAN - AD controller ( kerberos server)] <-> [secure DMZ - other kerberos server in same realm ] <-> [real DMZ - ssh krb]
  • Sergei
    Sergei almost 15 years
    I must say I don't have control over the AD DCs and cannot even request to have anything done on those servers, so my options can be very limited here. I suspect my Kerberos server would have to be trusted by the DCs.
  • Avery Payne
    Avery Payne almost 15 years
    2nd answer prior to this one, yes, that is the goal. The DMZ server would point to the AD controller(s) as KDCs, that much I know.
  • Avery Payne
    Avery Payne almost 15 years
    Re: DCs trusting your Krb5 server, I know that you can get just basic authentication yes/no responses provided that the users are passing sufficient information. If you attempt anything beyond this, then it will probably want a domain membership for that machine. The reason I know this is that I've set up machines for SSO only that do not have winbind running, nor do they have domain memberships.
  • Sergei
    Sergei almost 15 years
    Thank you Avery. I am still searching for more or less solid documentation on how to implement a Kerberos proxy.