Web Auth

Status
This document is a proposal.

Content

Motivation

AcIS now supports several "abstracted" methods of proxy authentication. Offering so many methods adds complexity and makes maintenance difficult. Simplifying the set of methods offered will make these systems easier to maintain securely.

Methods

  • KDC/LDAP Binding: Clients may bind directly to the Kerberos server to authenticate a principal. The ticket obtained may then be used to bind to the LDAP server to gain information about that principal.

    Recommendation: Since Kerberos and LDAP are key pieces of infrastructure, they will not be disabled. However, the binding of third-party clients directly to these services is discouraged.

  • Pluggable Authentication Modules (PAMs): PAMs are used by operating systems such as Solaris, Linux, and MacOS X (v10.2 and later) to authenticate users. In addition, services that run on top of the operating system, such as IMAP and SSH, can use the PAM infrastructure to perform their own authentication.

    Recommendation: PAMs are the recommended way for Unix based services to access authentication (and to a lesser extent, authorization) information. However, web based services that run on top of Unix servers (such as CourseWorks) should not use PAMs directly, but instead should use WIND (see below) in order to provide a "common look and feel" to all web based login mechanisms.

  • WIND: WIND allows web based applications to use a central proxy authentication server to handle authentication and to obtain authorization information. This central location provides a consistent "look and feel" to all web based applications and allows for centralized control over authentication and authorization.

    Recommendation: WIND is the recommended method for performing web based logins.

  • mod_wind: Based on Yale's mod_cas, and currently under development, this would be an Apache module that uses WIND to restrict access via a .htaccess file. This module should be implementable for both Apache 1 and Apache 2.

    Recommendation: Upon completion, mod_wind will become the recommended method for implementing .htaccess authorization.

  • wdamb: Proxy authentication server. Uses private certificates to communicate with wdamb clients. The only known clients are the AcIS Apache modules (see below). wdamb incorrectly truncates passwords at 8 characters, preventing the support of long passwords.

    Recommendation: The private certificates are not standard CA issue, and require extra maintenance. The current certificate expires 25 April 2003. Additionally, this service runs on a Sparc 20 running Solaris 2.5, neither of which will be actively supported by the systems group or Sun for much longer. This service should be discontinued by the time the current certificate expires.

  • mod_auth_wd: .htaccess and CGI auth using the wdamb server. Provides CGI scripts with environmental variables to access user authentication and authorization information. This module uses the wdamb server for auth. It is tied to Apache 1.x.

    Recommendation: The required functionality in this module should be added to mod_wind and use of this module should be discontinued.

  • mod_krb: Older version of mod_auth_wd that provides the same or similar service without using wdamb. It is tied to Apache 1.x. This module incorrectly truncates passwords at 8 characters, preventing the support of long passwords. This module is also dependent on the deprecated /usr/minilocal/etc/aname* files.

    Recommendation: The required functionality in this module should be added to mod_wind and use of this module should be discontinued.
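The wdamb and mod_krb entries above both report the same defect: passwords are truncated at 8 characters before they are checked, so any password that shares its first 8 characters with the real one is accepted and "long passwords" add no security. The following is an added example, not code from wdamb, mod_krb or any other AcIS component. It models a password verifier with and without that truncation (the salted PBKDF2 storage format and the `PasswordStore`, `truncating_store`, `full_length_store` and `truncates_passwords` names are assumptions of this example) and includes an audit probe that detects the truncation from the outside using nothing but ordinary login attempts on a dedicated probe account, which is the check an operator would run against a service before declaring that long passwords are enabled.

```python
import hashlib
import hmac
import os

# Added example, not wdamb or mod_krb code. It models the defect the page
# describes (only the first 8 characters of a password reach the check),
# next to a corrected verifier, plus an audit probe that detects truncation.

TRUNCATE_AT = 8          # the limit the page reports for wdamb and mod_krb
PBKDF2_ROUNDS = 50_000   # assumption: this demo's own storage format


def _derive(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2; the real services' storage format is not on the page.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordStore:
    """Holds (salt, hash) per user and verifies login attempts."""

    def __init__(self, max_len=None):
        # max_len=8 reproduces the truncation defect; None keeps the full password.
        self._max_len = max_len
        self._users = {}

    def _canonical(self, password: str) -> str:
        # The vulnerable path: everything past max_len is silently discarded.
        return password if self._max_len is None else password[: self._max_len]

    def set_password(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user] = (salt, _derive(self._canonical(password), salt))

    def verify(self, user: str, password: str) -> bool:
        record = self._users.get(user)
        if record is None:
            return False
        salt, stored = record
        candidate = _derive(self._canonical(password), salt)
        return hmac.compare_digest(stored, candidate)


def truncating_store() -> PasswordStore:
    """Verifier with the 8-character truncation defect."""
    return PasswordStore(max_len=TRUNCATE_AT)


def full_length_store() -> PasswordStore:
    """Corrected verifier: the whole password participates in the hash."""
    return PasswordStore()


def truncates_passwords(store: PasswordStore, probe_user: str = "probe-user") -> bool:
    """Audit check: does the verifier ignore characters beyond position 8?

    Sets a long password on a dedicated probe account, then attempts a login
    with the same first 8 characters but a different tail. A correct verifier
    rejects the altered password; a truncating one accepts it.
    """
    real = "correct-horse-battery-staple"          # constructed, 28 characters
    tail_changed = real[:TRUNCATE_AT] + "X" * (len(real) - TRUNCATE_AT)
    store.set_password(probe_user, real)
    if not store.verify(probe_user, real):
        raise RuntimeError("probe account does not accept its own password")
    return store.verify(probe_user, tail_changed)


if __name__ == "__main__":
    for name, store in (("truncating", truncating_store()),
                        ("full-length", full_length_store())):
        print(f"{name:12s} verifier truncates passwords: {truncates_passwords(store)}")
```

The probe only ever needs a login endpoint and an account the auditor controls, so it can be run against a deployed service without any knowledge of how it stores credentials; a `True` result means the "Enable long passwords" milestone in the roadmap has not actually been reached for that service.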

  • c2c: A certificate based wrapper to mod_auth_wd.

    Recommendation: This service is currently being phased out.

  • Cheese: Original cookie based authentication wrapper.

    Recommendation: This service has been discontinued.

Roadmap

Target Date        Milestone
25 September 2002  Identify remaining c2c users, if any.
                   Done. OCS will move off c2c by the end of October.
2 October 2002     Make WINDv2 (CAS compatibility and new server name) available.
23 October 2002    Identify mod_krb and mod_auth_wd users and usages.
31 October 2002    Turn off c2c service.
                   Retire hobo.
30 October 2002    Turn off WINDv1 functionality.
6 November 2002    Define mod_wind and WIND requirements to replace mod_krb/mod_auth_wd.
                   Include any sample code repositories and documentation.
8 January 2003     Deploy mod_wind and begin transition.
3 March 2003       Turn off wdamb service.
                   Retire yo.
                   Enable long passwords.