Password? CLASP Phase 2: Revised Proposal C5 Meeting, 16 February 2001 Denise Heagerty, IT/IS.


1 Password? CLASP Phase 2: Revised Proposal C5 Meeting, 16 February 2001 Denise Heagerty, IT/IS

2 Outline
- Reminder of CLASP Project Goal
- Recent progress relevant to CLASP project
- Phase 2 Milestones (defined in Oct 2000)
- Authentication Test Results
- Implementation Issues
- Recommendations based on test results and implementation issues
- Revised CLASP Phase 2 Proposal Deliverables and Milestones

3 CLASP Project Goal
- Propose a detailed plan to reduce the number of login/passwords entered by users to access services they are authorised to use
- “Single Sign On” + Access Control

4 Recent progress relevant to the CLASP project
- Common authentication for mail services
  - tested for roaming SMTP, web mail, listbox lists and listbox archives - based on LDAP
- CA implemented at CERN for Grid testbed
  - will issue certificates for CERN Grid testbed users
- One Time Password authentication card tests
  - tests starting in CS Group of VPN (Virtual Private Network) access with Cryptocard and RSA support
- Loginid harmonisation continues
  - AIS modified to accommodate loginid changes
  - conflicting AIS loginids resolution resumed
  - web form will be written to harmonise remaining loginids
  - mechanism will be added to delete unused accounts

5 Phase 2 Milestones (Oct 2000)
Oct 2000:
- Test authentication environment available
  - serving Kerberos v5, AFS, and Grid certificates
  - in collaboration with the Grid testbed
  - available to services preparing implementation plans
Feb 2001:
- Implementation plans available for a production authentication service
  - most IT and AS services
May 2001:
- Final proposal available
  - security review, off-site access, access control added
  - presentations to C5, FOCUS and Desktop Forum

6 Authentication Test Results
- Kerberos v5 authentication server running successfully
  - converts between Grid certificates, Kerberos v5 tickets and AFS tokens
  - base software from FNAL (MIT+fixes+AFS) linked with Globus certificate extensions
- Successful AFS tests
  - a Grid user authenticated with a certificate successfully accessed an AFS test cell at CERN
- W2000 client successfully authenticated
  - login authentication succeeded for standalone client
  - concerns about functionality
- Kerberised IMAP mail server compiled
  - Kerberos client support in Pine and Outlook 10?

7 Implementation Issues
- Commercial support is not available
  - common authentication supporting Kerberos v5, Grid Certificates & AFS will require local expertise
- Replacing AFS authentication by Kerberos v5 invalidates the AFS support contract
  - preference not to change until AFS future decided
- Use by W2000 needs significant testing
  - will current and future applications continue to work?
Conclusion:
- concerns about support and functionality of tested common authentication solution

8 Recommendations
- Keep existing authentication services
  - not a good time for changes to Windows 2000 nor AFS
- Continue to track authentication technology
  - Kerberos, Certificates, smart cards,...
- Revisit options when AFS future is clarified
  - Windows 2000 can provide Linux authentication
- Provide an alternative way to achieve CLASP project goal in the short term
  - password synchronisation is a step in the right direction

9 Revised CLASP Phase 2 Proposal
- Design and pilot a password synchronisation tool
  - includes at least Windows, AFS, Mail, AIS passwords
  - synchronisation will be optional - not forced
  - security review and password check & change policy
  - use experience at CERN (NICE) and within HEPiX (JLAB)
- Recommend off-site access mechanisms
  - including CERN and non-CERN portables
- Design and pilot a tool for common access control of web pages and files (“e-groups”)
  - based on CERN databases & existing listbox mechanism
  - needs to map people to accounts

10 Revised CLASP Phase 2 Milestones & Deliverables
Milestones:
- Mar 2001: Design teams formed and met
- Apr 2001: Design plans available
- May 2001: Prototypes available
- Jun 2001: pilot evaluation starts
- Sep 2001: CLASP project final review (after-C5)
Deliverables:
- password synchronisation tool
- off-site access and security recommendations
- automatically generated access groups available for web page and file protection (NICE and AFS)
- proposed follow on actions after project closure

11 Password?
http://cern.ch/proj-clasp
CLASP studies have been made in collaboration with many colleagues both inside and outside IT Division - Thanks!

