Introduction

This document describes an open source Distributed Authentication System (DAS) built with readily available programs, packages, and tools. Although many organizations strive for centralized authentication systems, they frequently turn to proprietary solutions (and the accompanying vendor lock-in), or they seek to emulate old Microsoft Windows authentication schemes. Many times the goal is integration or interoperability between Microsoft clients and GNU/Linux servers, or between a mixture of Linux and Microsoft clients and a mixture of Unix/Linux/*BSD and Microsoft servers. My goal is different. I want to have a network authentication system for Unix/Linux clients using GNU/Linux authentication servers. I do not seek to emulate, copy, or interoperate with Microsoft or Novell to achieve this. There are already enough issues with unifying user information and authentication amongst a variety of Free/Open Source (FOSS) operating systems. The DAS is for FOSS hosts, running on FOSS servers.

The project started innocently enough: the lab director wanted to have the same username and password on every Linux or Unix shared resource in the lab. The system also needed to be secure. Initially, I believed that it would be a simple matter to unify logins for our Unix and Linux hosts. After all, the FOSS community is made up of network-centric standardization gurus. Surely there was a standard, secure way to solve this problem? Then began many weeks of research and testing, during which I discovered that this was NOT a clear-cut project, and there were no easy answers. I will state here that the lack of a standardized, widely accepted distributed authentication scheme for Linux is a very real stumbling block to adoption in the enterprise. Unix user, group, and password management has historically been done with text files on each host, and that is still the case today. Sun's NIS and NIS+ are notable exceptions, but NIS has negligible security, and NIS+ is not widely supported outside of Solaris and is, in fact, being dropped by Sun. So what options are left?

Well, first of all, there are actually two problems to solve in a network-based authentication system for Unix and Linux users:

A related issue is that accounts usually have expiration dates, and passwords should also have expiration dates and other restrictions. A user should be able to change his or her own password. The solution needs to use standard, well-tested components, and not be built from scratch. It should be relatively easy to add a DAS user or DAS client to the system.

Possible Authentication schemes:

Password File Replication - Although password file replication can be used, it assumes that you trust the root user on all of your hosts, because every host holds a copy of every user's password hash. In our environment, I cannot trust the root user on every system. It would scale well enough in our environment, but would not scale very well in an environment consisting of hundreds or thousands of DAS clients. This scheme was rejected.

NIS - This is a well-understood, mature protocol. NIS takes care of both user info and authentication. However, it has some well-known security vulnerabilities.

NIS+ - This was rejected because the DAS servers were going to run on Linux, not Solaris. Linux support for NIS+ is not complete on the server side, and Sun appears to be abandoning NIS+ in favor of LDAP + Kerberos 5. Also, NIS+ has a bad reputation for manageability.

RADIUS - This is primarily used to control subscriber access to ISPs. Although there are PAM modules for Linux and *BSD that allow RADIUS authentication, RADIUS does nothing to supply required user and group information on the host. The encryption scheme is also not particularly strong, and there is a shared secret between clients and server. This scheme was rejected.

TACACS+ - Proprietary extension to TACACS used primarily for controlling access to Cisco network hardware. It also provides no user information, and it is proprietary. Rejected.

Samba/SMB - Although there are PAM modules for authenticating to a Windows server or a Samba server, this does not handle user information, either. Also, the password security is not particularly strong. I rejected this method because it is not centered on Unix/Linux; Samba authentication is geared towards supporting Microsoft Windows authentication.

Kerberos - Kerberos 5 is known for its security. In certain applications, Kerberos will also support Single Sign On (SSO). It is mature, scalable, and secure. Best of all, it comes from a Unix heritage and is still being actively improved. Sun and Microsoft have both used Kerberos as the foundation of their next-generation authentication systems. Even Apple's latest workstations and servers use Kerberos and LDAP for authentication and SSO. Kerberos is supported by a number of services and devices, including the Apache web server and Cisco routers. There are also modules available for Perl. Unfortunately, Kerberos does NOT contain any of the user or group information that Unix/Linux hosts need in order to operate. Therefore, if Kerberos is used, you must manually add user and group information to each host, or use some type of network information/directory service in conjunction with it. For example, you could use LDAP, NIS, files, or NIS+.

LDAP - Lightweight Directory Access Protocol was designed to hold directory information about people and other objects, and be accessed by clients over a network. It has also been extended to allow authentication and encryption. Some organizations are using LDAP for all user information, including group membership and authentication data. It is possible to build a complete network authentication and information system from LDAP. OpenLDAP is the standard open source LDAP server, and commercial products such as iPlanet (now SunOne), NDS, and Active Directory all utilize LDAP.

Testing and Evaluation

I narrowed down my options to LDAP only, LDAP with Kerberos, and NIS with Kerberos. It appeared that these three schemes might yield a suitable solution. Before getting too involved, though, we should define the goals and functions of the Distributed Authentication System (DAS).