1	Windows / Linux Unified Authentication Mike Miller Unisys Scholar 2003 May 6^th, 2003
2	Outline Introduction Cross-platform, seamless integration of Linux and Windows user information Technical Requirements Available Software Overview Integration Solutions Summary
3	Introduction Need for seamless integration of Windows and Linux clients in accessing shared information Requirements: Username / Password Authentication File Access Authorization Security must always remain a focus
4	Technical Requirements User (Account) Information G_ECOS Information for Linux, AD for Windows Authentication Verifies User’s Identity Usually password based Authorization Permissions Often merged with Authentication
5	Available Software Overview
6	LDAP- Technical Description Lightweight Directory Access Protocol Subset of the X.500 DAP Provides Hierarchical user information Can store names, passwords, phone numbers, or any other user information Also used for contact information / HR purposes
7	Kerberos- Technical Description KDC Kerberos Domain Controller Issues Tickets Realms Kerberos Domain Principal Either a user, or a remote machine Anything trying to access a resource TGT Ticket Granting Ticket Pre-authentication Authorization Procedure: Request Tickets from KDC Use Tickets to access servers TGT’s are encrypted with a users password, then sent Can’t be decrypted
8	Integration Solution- LDAP LDAP Database stores all information Native support in Linux Windows includes LDAP functionality Active Directory is LDAP based Windows Requires GINA hook pGina + LDAPAuth plugin
9	Integration Solution- LDAP Benefits Easy solution No requirements for separate info and password databases Many companies already maintain LDAP databases Disadvantages Not as secure as Kerberos pGina is still under heavy development Not guaranteed to work with NT
10	Results- LDAP Server– RedHat 8.0 Clients– RedHat 8.0 & Windows 2000 Pro. LDAP in Linux Fully Supported (with password migration) pGina + LDAPAuth in Windows- Fully Supported Samba not tested
11	Integration Solution- Kerberos Kerberos for Authentication, some Authorization Linux fully supported Windows 2000/XP is Kerberos Based Not fully standards compliant Setup is extremely particular
12	Integration Solution- Kerberos Benefits Maximum Security Technically superior architecture Native Windows support Disadvantages Kerberos requires accurate (± 5s) clocks Separate database required (YP/NIS(+) or LDAP) for User Information Not all applications (Exchange) are Kerberized Will not work with NT
13	Results- Kerberos Server– RedHat 8.0 Clients– RedHat 8.0 & Windows 2000 Pro. Kerberos in Linux- Successful Windows was initially very challenging Currently working- required different principal Samba not tested
14	Summary There is a need for an integrated cross-platform single-login authentication system There are two main solutions, but neither is perfect Nevertheless, if recreation of user accounts in not a problem, Kerberos is an excellent option
15	Acknowledgements Thanks to… Dr. David Gardiner & Unisys Corporation Dr. Alexei Kotelnikov Dr. Doyle Knight Amit Freeman And all the students in the Linux course
16	References http://www.cryptnet.net/fdp/crypto/kerby-infra.html http://www.microsoft.com/windows2000/techinfo/planning/security/kerbsteps.asp http://www.samba.org/ http://www.openldap.org/ http://pgina.xpasystems.com/