
Re: Authentication & Login sessions



Mark C Smith (mcs@netscape.com) writes:

> David Nugent wrote:
> > ...
> > The primary problem is authentication. All processes are owned by a user,
> > as is the usual model in UNIX. Since authentication comes from the
> > directory, login sessions can therefore be tied to the specific object
> > against which the user was authenticated. The problem is, during that
> > session, the user will be accessing the directory (albeit hidden under the
> > libc API bonnet), and since we don't want to make the directory world
> > readable, the user requires *authenticated* access to the directory until
> > the login session terminates. However, I doubt whether reserving a tcp
> > connection for the life of each session is desirable, so a connectionless
> > protocol, or at least a pre-authenticated tcp network connection is
> > needed.
> 
> If one TCP/IP connection per UNIX client machine is an acceptable
> alternative, you might consider implementing the proxy authentication
> feature that is described in this Internet Draft:
> 
>    http://www.ietf.org/internet-drafts/draft-weltman-ldapv3-proxy-04.txt
> 
> The idea would be to maintain one connection per machine but use the
> proxy authorization feature to impersonate different users.

Secure Shell (SSH) also has a host authentication feature that might prove to
be useful to you.  It also supports anti-spoofing, transparent end-to-end
encryption, and can be configured in such a way as to be transparent to the
user.
--
Ed Carp, N7EKG  	erc@pobox.com		940/367-2744 cell phone
			http://www.pobox.com/~erc
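As an added example (not from this thread or from any of its authors), the following models the one-connection-per-machine design Mark C Smith suggests above, together with the server-side check that makes it safe: the host identity that performed the bind must have been explicitly granted the right to act as the user named in the control. It uses the control in its final RFC 4370 form (OID 2.16.840.1.113730.3.4.18, value an authzId), which the cited draft became; all DNs, the `Directory` class and its owner-based access rule are constructed for illustration.

```python
from dataclasses import dataclass, field

PROXY_AUTHZ_OID = "2.16.840.1.113730.3.4.18"   # RFC 4370 Proxied Authorization
AUTHZ_DENIED = 123          # LDAP resultCode authorizationDenied (RFC 4370)
INSUFFICIENT_ACCESS = 50    # LDAP resultCode insufficientAccessRights

@dataclass
class Control:
    control_type: str
    control_value: bytes        # proxy authz: b"dn:<dn>" or b"u:<userid>"
    criticality: bool = True    # RFC 4370 requires the control to be critical

@dataclass
class Directory:
    entries: dict                     # entry DN -> (owner authzId, attributes)
    proxy_rights: dict = field(default_factory=dict)  # bound DN -> {authzIds}

    def effective_identity(self, bound_dn, controls):
        """Identity a request runs as; the server, not the client, enforces it."""
        for c in controls:
            if c.control_type != PROXY_AUTHZ_OID:
                continue
            target = c.control_value.decode()
            # Refuse unless the machine identity was explicitly granted the right
            # to act as this user; never fall back to the bound identity silently.
            if target not in self.proxy_rights.get(bound_dn, set()):
                return AUTHZ_DENIED, None
            return 0, target
        return 0, "dn:" + bound_dn      # no control: request runs as the binder

    def read(self, bound_dn, dn, controls=()):
        """Return (resultCode, attrs), judging access as the effective user."""
        rc, who = self.effective_identity(bound_dn, controls)
        if rc != 0:
            return rc, None
        owner, attrs = self.entries[dn]
        return (0, attrs) if who == owner else (INSUFFICIENT_ACCESS, None)

def proxy_as(authz_id):   # control a client attaches to run one request as a user
    return [Control(PROXY_AUTHZ_OID, authz_id.encode())]

HOST = "cn=host1,ou=hosts,dc=example,dc=com"      # constructed sample DNs
ALICE, BOB = "uid=alice,ou=people,dc=example,dc=com", "uid=bob,ou=people,dc=example,dc=com"

def build_sample():
    """Constructed data: one host bind, two users, proxy right for alice only."""
    return Directory(entries={ALICE: ("dn:" + ALICE, {"gecos": "Alice"}),
                              BOB: ("dn:" + BOB, {"gecos": "Bob"})},
                     proxy_rights={HOST: {"dn:" + ALICE}})
```

With this model the host's single bound connection can serve alice's lookups, but a request proxied as a user the host was never granted fails with authorizationDenied rather than quietly running as the host itself.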