Back to My Mac: Peer to Peer Kerberos

There’s a new feature in Mac OS X 10.5 called Back to my Mac. It allows you to connect from one Mac to another for screen sharing, shared folders or other features. The authentication behind this new feature is Peer to Peer Kerberos. Each Mac runs a local KDC. Each user on the Mac has a Kerberos principal. The Mac generates a realm name starting with LKDC: that contains the hash of a public key created for the machine. A KDC location plugin allows the Mac to find out how to contact the appropriate KDC for one of these peer-to-peer realms. Then, normal Kerberos authentication can take place. The MIT Kerberos team worked with Apple to design this feature. It provided several UI and security challenges and was an interesting partnership.

This mechanism effectively allows the benefits of Kerberos, such as caching of tickets, to be used by everyone, not just those in an enterprise. Like any other Kerberos authentication, the mechanism can be expanded to support other authentication schemes such as smart cards or authentication tokens in addition to passwords. It makes it easier for programmers because the same security mechanisms can be used both for enterprise security and for peer-to-peer security.

In terms of Kerberos deployment, this is a huge step forward. Apple joins the set of companies that are using strong security in consumer-facing products.

The most interesting thing to take away from this is that infrastructure security systems like Kerberos can be easy to use. Users don’t know that they have set up a Kerberos realm or even that they are using Kerberos. I think this will be a good response to claims that good security is too hard to use or deploy. Instead we should focus on writing the necessary user interface to make the security easy to use so that it doesn’t get in the way.

I’ve glossed over an important technical issue. It turns out knowing what realm you need to use in order to contact a particular machine in a secure manner is hard. There are several solutions with different tradeoffs. I don’t know which one Apple ultimately ended up picking. If it is interesting to people I can discuss the design of systems like this and the tradeoffs. Right now, though, I’m focused on the security usability implications of the high level experience. I’d like to thank Alexandra Ellwood for research that helped form a basis for this article.

6 Responses to “Back to My Mac: Peer to Peer Kerberos”

  1. Hamish Allan Says:

    Do you know if there is a detailed description of the technology behind Back to my Mac available anywhere? Most blogs that talk about it just say “it uses IPSec, wide-area Bonjour and NAT-PMP”, but don’t go any further.

  2. hartmans Says:

    I don’t know of any such description. I asked someone on my team to get me packet traces
    to confirm that things hadn’t changed since our previous discussions with Apple.

  3. Andre LaBranche Says:

    It appears as though multicast dns is used as the realm discovery method. e.g.

    dns-sd -Q "_kerberos..local" txt

    (replace with the bonjour name of a machine on the local net)

    The result is some hex. Drop it into xxd -r -c 256 to get the LKDC realm name.

    The ability to discover the LKDC realm name of another machine is presumably *not* part of any standard libraries, but rather implemented somewhere in the service clients for vnc, cifs, afpserver (the only services kerberized within an LKDC as of 10.5).

    Regarding wide-area bonjour, it appears that access to a user’s dotmac dns name space is authorized with a certificate. e.g. I can query for _kerberos…members.mac.com on my machine that is ‘bound’ to back to my mac, but others are not able to perform the same lookup. This is possibly related to the Kerberosv5Cert portion of the AuthenticationAuthority attribute of my (local) user record.

    This is all pretty interesting stuff, and I’m trying to compile as much data as I can about how this is all implemented. If anybody knows of any good resources or discussions, please email them to me at echo “qer@znp.pbz” | tr N-ZA-Mn-za-m A-Za-z

    Cheers!
    -Andre

  4. dre Says:

    Woops. I used angle brackets in my previous comment. The dns-sd line should read:

    dns-sd -Q "_kerberos.name.local" txt

    (replace ‘name’ with the bonjour name of a machine on the local net)

  5. hartmans Says:

    I’m not surprised. That was the discovery mechanism Apple and MIT were discussing when we went through a design review. I’m surprised if your claim that a certificate authorization is involved in wide-area Bonjour; I don’t know how to do that with the DNS protocols.
    The Kerberosv5 part of our local authentication authority identifies a .mac certificate that is used for pkinit (RFC 4556); the local KDC accepts that certificate instead of a password.

  6. MacTroll Says:

    PKI isn’t used for the private wide area DNS registration. Instead there’s a shared secret stashed away in the System Keychain. This is used for both the DNS registration (and DNS reading, BTW) and for the IPSec shared secret.
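
Added example (not part of the original post or comments, and not Apple's or MIT's code): the post says the LKDC realm name contains the hash of the machine's public key, and comment 3 describes reading that realm from a multicast DNS TXT record, which is an unauthenticated answer. The code below decodes such a record and accepts the realm only if it matches a key the client already holds. The `LKDC:SHA1.` plus hex layout, the bytes that are hashed, the hex input format and all function names are assumptions, and the sample values are constructed.

```python
import hashlib
import hmac

LKDC_PREFIX = "LKDC:"

def txt_rdata_to_strings(hex_dump):
    """Decode hex TXT RDATA: RFC 1035 length-prefixed character-strings."""
    data = bytes.fromhex("".join(hex_dump.split()))
    strings, i = [], 0
    while i < len(data):
        n = data[i]
        chunk = data[i + 1:i + 1 + n]
        if len(chunk) != n:
            raise ValueError("truncated TXT character-string")
        strings.append(chunk.decode("ascii"))
        i += 1 + n
    return strings

def expected_realm(public_key):
    # ASSUMPTION: realm = "LKDC:SHA1." + uppercase hex SHA-1 of the key bytes.
    return LKDC_PREFIX + "SHA1." + hashlib.sha1(public_key).hexdigest().upper()

def check_discovered_realm(hex_dump, pinned_key):
    """Return the realm only if it is the LKDC realm of the pinned key."""
    strings = txt_rdata_to_strings(hex_dump)
    if len(strings) != 1 or not strings[0].startswith(LKDC_PREFIX):
        raise ValueError("expected exactly one LKDC realm name")
    realm = strings[0]
    if not hmac.compare_digest(realm.encode(), expected_realm(pinned_key).encode()):
        raise ValueError("realm is not bound to the pinned machine key")
    return realm

def as_txt_hex(text):
    """Build constructed sample input: one length-prefixed string, as hex."""
    raw = text.encode("ascii")
    return (bytes([len(raw)]) + raw).hex(" ")

# Constructed sample data, not captured from a real machine.
SAMPLE_KEY = b"constructed-demo-public-key"
GOOD_TXT = as_txt_hex(expected_realm(SAMPLE_KEY))
SPOOFED_TXT = as_txt_hex(expected_realm(b"key-of-a-different-responder"))

if __name__ == "__main__":
    print(check_discovered_realm(GOOD_TXT, SAMPLE_KEY))
    try:
        check_discovered_realm(SPOOFED_TXT, SAMPLE_KEY)
    except ValueError as err:
        print("rejected:", err)
```
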
