User Authentication Modules
Leland Wallace, Sr. Engineer, AppleShare

Introduction

Overview
What UAMs Do
UAM Packaging
How it Works
Client API
Server API
Example NIS UAM
Developer Opportunities

Overview

The AppleShare Client has supported User Authentication Module plug-ins (UAMs) since System 7.
The client UAM API has been updated and made transport independent.
AppleShare IP (ASIP) 6.0 adds a plug-in UAM API to the server.

What UAMs Do

Allow ASIP to fit into an existing authentication infrastructure
–Kerberos, NIS (yellow pages), Windows NT Domains, NDS
Permit the client to connect to different AFP servers using each server's native authentication

UAM Packaging

Server UAM
–CFM library
–Loaded by the ASIP Registry at startup
–Called at deferred task time
Client UAM
–Code resource
–Loaded on demand
–Called at main event time

How it Works

Example: AFP login. The diagram repeated on these slides shows the participants: the AppleShare Client with its Client UAM, the AppleShare Server with the ASIP Registry and Server UAM, and an External Auth server.

1. The client gets the list of supported UAMs from the server. The user chooses from the list of supported UAMs.
2. The client loads the selected UAM and calls UAMOpen().
3. The client calls UAMLogin(); the UAM opens the session with the OpenSession() callback.
4. The server passes the UAM request to the Registry.
5. The Registry calls the Server UAM with the message from the client.
6. The Server UAM contacts the external authentication server.
7. Replies from the Server UAM are sent back to the client along the reverse path. The Client UAM can send other messages via the SendMessage callback.
8. The Client UAM returns from the UAMLogin() call.
9. The client calls UAMClose() and unloads the UAM.

Client UAM API

Single entry point
Three required commands:
–UAMOpen, UAMLogin, UAMClose
Optional commands:
–UAMPWDlog, UAMVSDlog, UAMChgPassDlg,
–UAMChgPass, UAMGetInfoSize, UAMGetInfo
Callback functions:
–GetClientInfo, OpenSession, SendMessage,
–CloseSession, SetMIC

Server UAM API

Single entry point
One required command:
–UAMAuthLogin
Optional commands:
–UAMAuthLoginContinue, UAMAuthChangeKey,
–UAMAuthChangeKeyContinue, UAMGetMICKey
Server UAM API functionality
–Get & set user attributes
–Change User ID
–Create a new user
–Put the UAM thread to sleep
–Wake up the UAM thread

NIS (Yellow Pages) Example

Authenticates a user with an NIS server.
If the user is not in the server's Registry, the UAM will create the user and assign them the proper group memberships.
Requires that the server admin set up a proxy user for the UAM and set up groups.

NIS UAM: Server UAM and Client UAM pseudocode

Server UAM (loaded at startup):

  INIT() {
      Get the NIS domain name from the prefs
      Call yp_bind
      Initialize prng
  }

Client UAM:

  UAMOpen(UAMArgs* nArgs) {
      Initialize prng
      Figure out the AFP version using the ClientInfo callback
      Return the config flags that specify the default UI
  }

  UAMLogin(UAMArgs* nArgs) {
      Generate first message in DH exchange (Ma)
      Using the user name passed in, build the AFP command
      Use the OpenSession callback to connect to the server

  Client UAM -> Server UAM:  Login, AFPVers, NISProxy, NISUser, UserName, Ma

Server UAM:

  OAMAuthenticate() {    // state = kLoginState
      Get the user name from the AuthInfo buffer
      Get Ma from the buffer
      Generate (Mb), the second message in the DH exchange, from Rb
      Create the key from Ma and Rb
      Save the username & the key in AuthStateOut
      Put Mb into the reply buffer
      Return kAuthContinue;
  }

  Server UAM -> Client UAM:  AuthContinue, Mb

Client UAM (continuing in UAMLogin):

      Get Mb out of the reply buffer
      Create the key from Mb and Ra
      Take the password and encrypt it with the key
      Use the SendMessage callback to send the encrypted password to the server

  Client UAM -> Server UAM:  LoginContinue, (Password)K

Server UAM:

  OAMAuthenticate() {    // state = kLoginContinueState
      Get the encrypted password from the AuthDataIn buffer
      Get the key from the authState
      Decrypt the encrypted password with the key
      Get the username from the authState
      Call yp_match on the "passwd.byname" table to get the /etc/passwd style entry
      If the match succeeds
          Use the salt from the passwd entry and crypt() to verify the password from the user
      If the user is authenticated, look the user up in the Registry
          If the user is not found
              Create the user using UAMCreateObject()
              Use yp_match again to get the group memberships
              Add the user to the proper groups
      Call UAMChangeUID() to change to the proper user
      Return noErr
  }

  Server UAM -> Client UAM:  noError

Client UAM (finishing UAMLogin):

      Return the session reference number
  }

  UAMClose() {
      Clean up any data structures
  }
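The login flow from the "How it Works" slides and the NIS UAM pseudocode above, as a runnable simulation. This is an added example, not code from the talk or the AppleShare IP SDK: the UAMArgs buffers, the ASIP Registry, yp_match() and crypt() are replaced by in-process stand-ins, the Diffie-Hellman group is toy-sized, the cipher used to produce (Password)K is a SHA-256 keystream because the slides do not name the real one, and the NIS map contents are constructed for the demo.

```python
"""Simulated AppleShare IP NIS UAM login (added example; not the SDK's code)."""
import hashlib
import hmac
import secrets

# Toy Diffie-Hellman group (constructed): 2^127-1 is prime, but a 127-bit group
# is far too small for real use; it only keeps pow() fast for the demo.
P = (1 << 127) - 1
G = 5

kAuthContinue, noErr, kAuthFailed = "kAuthContinue", "noErr", "kAuthFailed"


def derive_key(shared_secret: int) -> bytes:
    """Turn the DH shared secret into a 256-bit session key K."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()


def xor_stream(key: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: SHA-256 counter-mode keystream XORed over data.
    Stands in for the unnamed cipher behind 'encrypt it with the key'."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + (i // 32).to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def toy_crypt(password: str, salt: str) -> str:
    """Stand-in for crypt(3): 2-char salt prefix + salted SHA-256 hex digest."""
    return salt + hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed NIS maps, in /etc/passwd and /etc/group line format.
NIS_MAPS = {
    "passwd.byname": {
        "alice": "alice:%s:1001:100:Alice:/home/alice:/bin/sh"
        % toy_crypt("correct horse", "ab"),
    },
    "group.byname": {
        "staff": "staff:*:100:",
        "wheel": "wheel:*:0:alice,bob",
    },
}


def yp_match(table: str, key: str):
    """Mimics yp_match(): the map entry for key, or None when absent."""
    return NIS_MAPS[table].get(key)


class ServerUAM:
    """Server-side UAM with the two states kLoginState / kLoginContinueState."""

    def __init__(self):
        self.registry = {}    # stands in for the ASIP Registry: user -> groups
        self.auth_state = {}  # per-session AuthStateOut: (username, key)

    def auth_login(self, session: str, username: str, Ma: int):
        """kLoginState: answer Ma with Mb, keep (username, K) for the next round."""
        Rb = secrets.randbelow(P - 3) + 2
        Mb = pow(G, Rb, P)
        self.auth_state[session] = (username, derive_key(pow(Ma, Rb, P)))
        return kAuthContinue, Mb

    def auth_login_continue(self, session: str, enc_password: bytes):
        """kLoginContinueState: decrypt, verify against NIS, create Registry user."""
        username, key = self.auth_state.pop(session)
        password = xor_stream(key, enc_password).decode("utf-8", "replace")
        entry = yp_match("passwd.byname", username)
        if entry is None:
            return kAuthFailed, None
        fields = entry.split(":")
        stored = fields[1]
        if not hmac.compare_digest(toy_crypt(password, stored[:2]), stored):
            return kAuthFailed, None
        if username not in self.registry:   # UAMCreateObject() + group adds
            gid = fields[3]
            groups = set()
            for name, g in NIS_MAPS["group.byname"].items():
                gf = g.split(":")
                if gf[2] == gid or username in gf[3].split(","):
                    groups.add(name)
            self.registry[username] = groups
        return noErr, username              # UAMChangeUID() to this user


def client_uam_login(server: ServerUAM, username: str, password: str):
    """Client-side UAMLogin(): DH first message Ma, then (Password)K."""
    session = secrets.token_hex(4)
    Ra = secrets.randbelow(P - 3) + 2
    Ma = pow(G, Ra, P)
    # OpenSession callback carries: Login, AFPVers, NISProxy, NISUser, UserName, Ma
    status, Mb = server.auth_login(session, username, Ma)
    if status != kAuthContinue:
        return status, None
    key = derive_key(pow(Mb, Ra, P))
    # SendMessage callback carries: LoginContinue, (Password)K
    return server.auth_login_continue(session, xor_stream(key, password.encode()))


def demo():
    srv = ServerUAM()
    good = client_uam_login(srv, "alice", "correct horse")
    bad = client_uam_login(srv, "alice", "wrong password")
    unknown = client_uam_login(srv, "mallory", "anything")
    return good, bad, unknown, dict(srv.registry)


if __name__ == "__main__":
    print(demo())
```

Two points the simulation makes visible. First, the DH values Ma and Mb are not authenticated, so the exchange only hides the password from a passive sniffer; anyone who can sit between client and server can run a separate DH with each side and decrypt (Password)K. Second, the server UAM must hold the cleartext password because NIS only gives it a crypt() hash to recompute, so the server host and the NIS proxy user the admin sets up are inside the trust boundary, and the Registry entry is created only after crypt() verification succeeds rather than when the name first arrives.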

Developer Opportunities

Kerberos-based UAM
LDAP-based UAM
License UAM
Java UAM
Smartcard-based UAM
Looking for a Windows PDC UAM

Where to go from here

Check the AppleShare IP website for documentation and SDK info.
E-mail me to get the latest UAM SDK.