Date: Wed, 2 Apr 1997 00:28:27 -0500
[Lots snipped]
The bottom line here is "authentication".
Let's suppose you are on a 3000 (nothing else for now). You may have:
* a user.account,group password (up to 3, 4 if using sessnames with a
third party package).
* IMAGE database passwords
* Allbase (Image/SQL) passwords (may be different from above)
* OpenDesk ID and password
* Samba ID/password
* Web server id/password
* file lockwords
That is a *lot* of redundancy/replication, and it isn't an inclusive
list by any means. And these are *ALL* on *ONE* system, let alone being
an enterprise solution.
DCE promises some distributed authentication (with programmatic access
by applications) but hasn't exactly taken off like a rocket.
We need a "common" authentication scheme, with duplicative mappings to
a single userid or "sessname,user.acct" but a common password(s) as a
first step. Typical /etc/passwd schemes such as Lars suggested are a
start, but prone to crack attacks if someone gets your /etc/passwd
file. Shadow passwords then come into play as well. Some scheme might
work internally to the 3000, but can it be exported?
Please be careful about any shortcuts you take here to simplify things.
I don't know of any current plaintext solutions (other than smart cards)
to gain complete security, but let's not compromise yet another scheme
of authentication. This is an increasingly important issue, given web
authentication and Samba authentication, among other applications.
Jeff Kell