Single Sign-on/Network Authentication Working Group

Minutes of meeting held August 9, 1994.  Send additions and/or corrections
to johnsonj@pobox.

ATTENDING.

Ellen Rosenblatt, Andrew White, Shumon Hugue, Noam Artz, Norm Morrison,
Emily Batista, Ira Winston, Dawn Clarke, Dave Millar, Andy Rieger,
Martin Pring, Mark Litwack and Jim Johnson.

MEETING SUMMARY.

1.  USER NAME SPACE

The meeting focused on what could be accomplished in the short term to
prevent the user name space problem from getting any worse than it is
today, and to facilitate the future move to a Kerberos-like authentication
mechanism.

Emphasis was placed on what improvements could be made quickly to the PAS
database to enforce a unique 8-character user name (a.k.a. PAS ID or
Network ID).  See the minutes of the 7/26 meeting for more on the
8-character user name.

DCCS will create PAS database APIs and make them available to sysadmins.
These APIs will give sysadmins the information they need to synchronize
with the PAS database as they set up user names on their local systems.
DCCS will also modify the PAS application programs to reduce the PAS ID
length from 16 to 8 characters.

It was recognized that we have a significant number of assigned user names
that will not conform to the new format.  Some level of user name
conversion will be required for those wanting to participate in
Kerberos-like authentication.

At the local level, converting to the 8-character scheme will be
voluntary; we hope to entice the participation of various groups by
demonstrating the benefits that come with moving to Kerberos-like
authentication.

Moving to a unique 8-character user name space has some interesting
challenges to consider, such as:

        a.  User names longer than 8 characters have been assigned.

        b.  On different machines, the same user name can be assigned to
different people.  As currently understood, assignment of a user name in
PAS is on a first come, first served basis.  If someone else has already
registered your desired user name in PAS, you must change yours to another.

        c.  On different machines, the same person can have different
user names.  These will need to be identified and consolidated to a
single user name.

        d.  How does someone change their user name?  How is the change
propagated to the systems where they have accounts?

        e.  People without PENNcards are also established in the PAS
database; these records require manual intervention.

        f.  When a record is terminated in PAS, this fact needs to be
broadcast to all participating systems where the person has an account, so
that the sysadmin can take action.

It was decided to begin an effort to identify and build statistics on
duplicate user names and on user names that do not conform to the proposed
8-character format.  Once the magnitude is known, we can develop a plan to
deal with the questions above.

2.  KERBEROS

Andy Rieger presented an overview of Kerberos Authentication, and how it
was implemented in DECathena.

ACTION ITEMS

1.  Mark stated that DCCS will develop several APIs that will permit
system administrators to access the PAS database.  The APIs identified were:

        a.  Queries by PAS ID and PENNcard ID that answer: has a proposed
PAS ID already been assigned?  Does the person already have a PAS ID
assigned to them?

        b.  Add a PAS ID.  Used where user names are established before PAS
IDs have been assigned.  PENNcard ID, PAS ID and PAS password need to be
supplied.  (Upon initial setup, a person's password in PAS will be the same
as on the local system.  However, the passwords can afterwards be changed
independently and drift apart.  Moving to full Kerberos-like
authentication will correct this problem.)

        c.  Reserve a PAS ID.  Used where a PENNcard ID and PAS ID can be
supplied but a PAS password is not available.

2.  Norm Morrison volunteered to create a program that will take as input
PENNcard ID, user name and full name, and generate a list of existing user
name conflicts.  He will coordinate the data gathering effort via one
contact person at each school wishing to participate.
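The following is an added illustration, not the working group's or DCCS's
own code, of what the conflict report in action item 2 and the PAS queries
in action item 1 would compute.  It keys people by PENNcard ID (as the
minutes imply), takes one (host, PENNcard ID, user name, full name) record
per account, and reports the three problem classes from the user name
space discussion: names longer than 8 characters, one name held by
different people on different machines, and one person holding different
names.  The sample records, host names, the PAS_SAMPLE mapping and the
function names are all constructed for this example.

```python
"""Conflict report and PAS ID checks for a unique 8-character name space.

Added example: all records, hosts and names below are constructed."""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Tuple

MAX_LEN = 8  # proposed PAS ID / Network ID length (reduced from 16)


class Account(NamedTuple):
    host: str       # machine the account lives on
    penncard: str   # PENNcard ID: the stable key for a person
    username: str   # local user name on that host
    fullname: str   # used only for the human-readable report


# Constructed sample covering each conflict kind from the minutes.
SAMPLE: List[Account] = [
    Account("sas1", "10000001", "jjohnson", "Jim Johnson"),
    Account("seas1", "10000001", "johnsonj", "Jim Johnson"),    # same person, two names
    Account("sas1", "10000002", "nmorrison", "Norm Morrison"),  # 9 chars: too long
    Account("wharton", "10000003", "mpring", "Martin Pring"),
    Account("seas1", "10000004", "mpring", "Maria Pringle"),    # same name, two people
    Account("dccs", "10000005", "litwack", "Mark Litwack"),     # conforming and unique
]

# Constructed stand-in for the PAS database: PAS ID -> PENNcard ID.
PAS_SAMPLE: Dict[str, str] = {"mpring": "10000003", "litwack": "10000005"}


def conflict_report(accounts: List[Account]) -> dict:
    """Statistics the group wants before planning the conversion."""
    too_long = sorted({a.username for a in accounts if len(a.username) > MAX_LEN})
    by_name: Dict[str, set] = defaultdict(set)    # user name -> PENNcard IDs
    by_person: Dict[str, set] = defaultdict(set)  # PENNcard ID -> user names
    for a in accounts:
        by_name[a.username].add(a.penncard)
        by_person[a.penncard].add(a.username)
    # The same name for the same person on several hosts is fine; only
    # a name spanning different PENNcard IDs is a collision (case b).
    shared_names = {n: sorted(p) for n, p in by_name.items() if len(p) > 1}
    # One person under several names must be consolidated (case c).
    split_people = {p: sorted(n) for p, n in by_person.items() if len(n) > 1}
    return {
        "too_long": too_long,
        "shared_names": shared_names,
        "split_people": split_people,
        "counts": {
            "accounts": len(accounts),
            "people": len(by_person),
            "too_long": len(too_long),
            "shared_names": len(shared_names),
            "split_people": len(split_people),
        },
    }


def check_proposed_id(pas: Dict[str, str], penncard: str, proposed: str) -> Tuple[str, str]:
    """The two queries from action item 1a, applied first come, first served.

    Returns (status, detail): "nonconforming" (too long), "taken" (held by
    another PENNcard ID), "has_id" (this person already has a PAS ID), or
    "ok" (the proposed ID may be added or reserved)."""
    if len(proposed) > MAX_LEN:
        return ("nonconforming", proposed)
    owner = pas.get(proposed)
    if owner is not None and owner != penncard:
        return ("taken", owner)            # someone else registered it first
    existing = [pid for pid, pc in pas.items() if pc == penncard]
    if existing and existing[0] != proposed:
        return ("has_id", existing[0])     # person already has a different PAS ID
    return ("ok", proposed)


if __name__ == "__main__":
    rep = conflict_report(SAMPLE)
    print("counts:", rep["counts"])
    print("too long:", rep["too_long"])
    print("one name, several people:", rep["shared_names"])
    print("one person, several names:", rep["split_people"])
    for pc, name in [("10000004", "mpring"), ("10000005", "mlitwack"), ("10000002", "nmorrison")]:
        print(pc, name, "->", check_proposed_id(PAS_SAMPLE, pc, name))
```

A school's contact person would feed the program one record per local
account; the counts dictionary gives the magnitude the group asked for,
and split_people lists exactly the people who need a consolidated name
before they can move to Kerberos-like authentication.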

3.  The PAS application needs to be modified to reduce the PAS ID length
from 16 to 8 characters.

NEXT MEETING

Tuesday, August 16, from 1-2pm, in UDC conference room, located at 3401
Walnut Street, Suite 335b.