Single Sign-on/Network Authentication DCE Task Force.

Current Architecture (Draft)


1.  Introduction 

This document provides an overview of the current environment at 
the University of Pennsylvania as it pertains to the management of 
computer accounts, the university username space and the 
authentication of users and services.

Before describing the current environment, we must define the 
terms "account", "username space", "principal", and "authentication".

Account

Every person who connects to a multi-user computer system (and 
some who work on a single user system) needs to have an account.  
An account consists of two parts: a username and a password.  The 
username, also called an account name, is an identifier--it tells the 
computer who a person is.  The password serves as an authenticator--
it proves to the operating system that a person is who they claim 
to be.

Username space

The university username space is the pool of usernames that have 
been assigned on all of its computer systems.

Principal

In this context, a principal is a person, computer or server process.

Authentication

Authentication is the process of verifying the claimed identity of a
principal (i.e., a user or service).

2.    Current Environment

Three current environment components are described in detail.  
They are: username space management by system administrators, 
username and password management by users, and authentication of 
principals.

2.1.  Account management by system administrators.

The management of accounts is controlled independently by 
individual host system administrators.  This is true for UNIX, 
mainframe, file server, (etc.) environments university-wide.

When establishing accounts, some system administrators use 
software designed to allow users choice in the selection of unique 
usernames on a given host, and/or employ an algorithm in the 
assignment of usernames to enforce local standardization rules.  The 
rest manage usernames manually, and sometimes make efforts to 
synchronize them with usernames assigned elsewhere.  However, 
most usernames have been assigned without the benefit of a 
common standard, or method to ensure uniqueness across systems.

The lack of a control mechanism for the management of username 
space across host systems has resulted in significant instances of: (a) 
an individual being assigned more than one username and (b) a 
single username being assigned to more than one individual.
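As an added illustration, not part of the task force draft, the following reconciliation check runs over constructed per-host account exports and surfaces both problems (a) and (b) described above; the host names, the sample records, and the use of a campus-wide person identifier column are assumptions.

```python
"""
Reconcile account lists from several hosts to find the two username-space
problems described above: (a) one person holding more than one username and
(b) one username assigned to more than one person.  Example code added to
this draft; host names, records and the person_id column are assumptions.
"""
from collections import defaultdict

# Constructed sample: (host, username, person_id) as each host's administrator
# might export them.  person_id stands in for a campus-wide identifier such as
# a PENNcard number; it is assumed here, not taken from the document.
ACCOUNTS = [
    ("unix1",      "jsmith",  "P001"),
    ("mainframe",  "JSMITH1", "P001"),   # same person, second username
    ("fileserver", "jsmith",  "P002"),   # same username, different person
    ("unix1",      "mchen",   "P003"),
    ("unix2",      "mchen",   "P003"),   # same person, same username: fine
    ("unix2",      "rlee",    "P004"),
]

def normalize(username):
    """Compare usernames case-insensitively so JSmith and jsmith collide."""
    return username.strip().lower()

def reconcile(accounts):
    """Return (multi_username, shared_username).

    multi_username:  person_id -> sorted list of distinct usernames (>1)
    shared_username: username  -> sorted list of distinct person_ids (>1)
    """
    by_person = defaultdict(set)
    by_username = defaultdict(set)
    for host, username, person_id in accounts:
        name = normalize(username)
        by_person[person_id].add(name)
        by_username[name].add(person_id)
    multi = {p: sorted(u) for p, u in by_person.items() if len(u) > 1}
    shared = {u: sorted(p) for u, p in by_username.items() if len(p) > 1}
    return multi, shared

if __name__ == "__main__":
    multi, shared = reconcile(ACCOUNTS)
    for person, names in multi.items():
        print(f"(a) {person} holds {len(names)} usernames: {', '.join(names)}")
    for name, people in shared.items():
        print(f"(b) username {name!r} is assigned to {', '.join(people)}")
```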

Some systems require that passwords (authenticators) for accounts 
be changed on a periodic basis.  Others never require the password 
to be changed. 

Adherence to good practices for the retirement and re-cycling of 
accounts is at the discretion of individual systems administrators or 
machine owner.

2.2  Username and password management by users.

Many computer users require access to multiple host systems.  They 
can end up with a long list of usernames and passwords which need 
to be managed.  It has proven difficult for users to effectively keep 
track of multiple usernames and passwords.  This results in bad 
security practices such as openly posting usernames and passwords 
on monitors,  selection of short, easy to guess passwords, and/or 
infrequent password changes.

2.3  Authentication of principals.

Authentication involves verifying the claimed identity of a principal 
(i.e., person, computer, or server process).  Most multi-user hosts 
authenticate users at time of signon.  Authentication of computers, 
and server processes is almost non-existent.

2.3.1 Network Authentication.

The PennNet Authentication System (PAS) operated by DCCS controls 
access to PENNnet via the modem pool.  PAS uses data supplied by 
the PENNcard system to ensure that only those recognized as current 
members of the PENN community (i.e., Faculty, Staff, Students) may 
gain access.  

A PENNcard holder can have their Network ID initially activated and 
password periodically changed by visiting one of the PennNet 
terminal stations on campus.  At the PennNet station, the PENNcard 
holder swipes their card through a reader, which then prompts them 
to type their original or changed network password.

It is possible for non-PENNcard holders (e.g., HUP and Wistar staff) 
to gain access to the network via PAS, but they must first visit DCCS 
and show some proof of affiliation with the University.  This privilege 
must be renewed annually, as there is no way to track affiliation 
status as it changes over time.

2.3.2 Host Authentication.

•  Mainframe host authentication.

IBM mainframes use products such as RACF or ACF2 to provide the 
host level authentication service.  For example, UMIS controls access 
to the administrative mainframe with ACF2.  Users are authenticated 
via an account and password at point of entry.   Once logged on, 
authorization to applications and files is controlled by a combination 
of products including ACF2, Adabas Security, Natural Security and 
some home grown software.  UMIS has a security administrator 
dedicated to managing authentication and authorization for the 
administrative mainframe using these tools.

•  Multi-user UNIX host authentication.

The login command is used to link username with password.

Authentication performed by the operating system???

•  Other multi-user system authentication.  (expand)

Most file servers support two-way encrypted passwords.

•  Single-user hosts (i.e., PCs, Macs).

Physical position rules!  Folderbolt, FileGuard, IronClad, At Ease do 
some authentication and access control based on username and 
password.