Here is the original proposal made to the lab supervisor:

Distributed Authentication System (DAS) for the Lab

Goal:

Centralize user account and password data in the lab. This should make access to computing resources simpler and more secure compared to the current system of local authentication files, multiple usernames, and multiple passwords.


Requirements:


Additional Features (not required, but desirable):


Centralized Authentication Protocols and their Feasibility in a Heterogeneous, Open Source Environment

NIS          Well supported, but no encryption. Not acceptable.
NIS+         Servers only run on Solaris. Sun is moving to LDAP as preferred DAS.
Novell NDS   Good system, but proprietary and costs money for server and client software.
SAMBA        Sends password hashes in the clear. Not suitable.
LDAP         Can be configured to use SSL/TLS. Can hold user data as well as password information. Well supported.
Kerberos 5   Strong crypto, good support, standardized. However, it does not contain any account information.
RADIUS       Optimized for ISP NAS applications. Weak crypto, but well supported.
TACACS+      Similar to RADIUS, but more flexible. However, it is proprietary and costs money.


Opinion:

LDAP seems to be the strongest candidate. It can store all sorts of information, including password hashes. It can be queried by numerous applications. LDAP connections from DAS clients can be encrypted with SSL/TLS. It works with web applications. Current GNU/Linux distributions already include LDAP support.

Kerberos also seems very strong, but it lacks account information and directory functions. It is usually used in conjunction with user info systems like LDAP or Hesiod. It requires that the Kerb5 client system has access to account information for the user, either by a local account or another service like LDAP. Although it is more mature as a pure authentication system than LDAP, it has limited functionality by itself. Also, many of the traditional Unix networking applications (rlogin, rsh, etc.) that are replaced by "Kerberized" versions in a Kerberos system have now been superseded by SSH2.

I was able to set up basic authentication systems with both protocols. In order to keep things simple, I would recommend trying to roll out a Distributed Authentication System using LDAP only. If there are security/management issues with the LDAP-only approach, then a hybrid LDAP-Kerberos system may be pursued.


Proposal:

After investigating user requirements from Lab personnel, I would like to build a complete, fully functional DAS for use in the Lab. Key features would include:

Once it becomes a production system, I would be more than happy to give a presentation on it.


Political Elements:

One of the critical shortcomings of open source operating systems in the Enterprise today is the lack of a solid, easy to administer centralized authentication system. Novell and MS Windows administrators do not have this problem. I would like to put together a completely open source Distributed Authentication System, and document it so that it will be easy for other organizations to implement. This may then be of interest to our Open Source Software group.


Hardware Requirements:

Initially, I only need two x86 machines to set up the redundant LDAP server. They need not be new or identical. I should be able to meet this requirement with what is already in the lab. At the time when the DAS becomes operational, it may be better to obtain two small, relatively inexpensive, rack-mount (1U) units so that they do not take up much space, generate much heat, or generate much noise.
Van Emery - August 6th, 2003