May 2011

Technical Computing

by Scott Nolin

1) Background

In Technical Computing we have been working for many months on a central authentication plan for SSEC. This project is designed to provide one very simple, but often hard-to-achieve, goal: you have one login and password for any center machine or service.

Besides the obvious convenience of not having multiple accounts to manage, there are security advantages. For example, when someone leaves the center, we have to track down every account they have and try to disable them. It is very easy to miss one (perhaps a machine is off at the time). Once that happens, you have old accounts hanging around that are a potential security threat. To be clear, we're more concerned with a password being captured than with any malicious intent by a former employee. Every extra account is one more place a password can be captured or left behind, so the more accounts a person has, the larger the "target", and the problem is clear.

With centralized authentication, you can disable an account in one place, and people have only one password to change. As we become more involved in some high-profile projects for NOAA and NASA that include providing outside users access, this security concern becomes more critical.
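The "account you missed" problem above has a host-side check. The script below is an added example (mine, not from the article): given a host's passwd and shadow files and the list of users the central directory knows about, it prints the local accounts with a UID at or above the normal-user threshold that are neither in the directory nor locked. The sample files are constructed; on a Winbind-joined host the directory list would come from 'wbinfo -u', and the 500 threshold (the RHEL 5/6 UID_MIN) is an assumption to adjust per distribution.

```shell
#!/bin/sh
# Added example, not from the article: find local accounts on a host that the
# central directory does not know about. Run per machine, this is the check
# for the "account you missed" problem described in the text.
#
# orphan_accounts PASSWD SHADOW DIRECTORY_USERS [UID_MIN]
#   PASSWD / SHADOW   files in /etc/passwd and /etc/shadow format
#   DIRECTORY_USERS   one directory username per line (on a Winbind-joined
#                     host, the output of 'wbinfo -u'; constructed here)
#   UID_MIN           lowest UID treated as a person (default 500, the
#                     RHEL 5/6 UID_MIN; an assumption, adjust per distro)
# Prints accounts with UID >= UID_MIN that are absent from the directory and
# whose shadow hash is not locked (does not start with '!' or '*').
orphan_accounts() {
  uid_min=${4:-500}
  awk -F: -v uid_min="$uid_min" '
    FILENAME == ARGV[1] { known[$1] = 1; next }                      # directory users
    FILENAME == ARGV[2] { if ($2 ~ /^[!*]/) locked[$1] = 1; next }   # shadow: locked?
    ($3 + 0) >= (uid_min + 0) && !($1 in known) && !($1 in locked) { print $1 }
  ' "$3" "$2" "$1"
}

# Constructed sample data standing in for a real host's files.
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
jdoe:x:1001:1001:Jane Doe:/home/jdoe:/bin/bash
oldguy:x:1002:1002:Former staff, never disabled:/home/oldguy:/bin/bash
svcbackup:x:1003:1003:Backup job:/var/backup:/sbin/nologin
gone:x:1004:1004:Former staff, locked:/home/gone:/bin/bash
EOF
cat > "$tmp/shadow" <<'EOF'
root:$6$s1$hash:15000:0:99999:7:::
jdoe:$6$s2$hash:15000:0:99999:7:::
oldguy:$6$s3$hash:15000:0:99999:7:::
svcbackup:$6$s4$hash:15000:0:99999:7:::
gone:!$6$s5$hash:15000:0:99999:7:::
EOF
printf '%s\n' jdoe svcbackup > "$tmp/ad_users"   # what the directory knows

# Stand-alone run: prints 'oldguy' (jdoe and svcbackup are in the directory,
# gone is locked, root is below UID_MIN).
orphan_accounts "$tmp/passwd" "$tmp/shadow" "$tmp/ad_users"
```

Run it from a central cron job across every Linux host and the list it prints is exactly the set of accounts that still need tracking down by hand, including the ones on a machine that happened to be off when the person left.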

2) Windows Active Directory as Central Authentication Database

Most high-profile or 'enterprise' applications include support for authenticating against a Windows Active Directory domain. A Windows AD domain is what we already use for all Windows accounts and for Macintosh printing and file sharing, so it is a natural choice to use Windows AD as our central authentication database.

3) Current Services and Operating System Status

When we rolled out groups.ssec.wisc.edu we included Windows AD integration. Forums.ssec.wisc.edu also authenticates users this way. This will be required for all new central (overhead provided) services we provide; for example, we have immediate plans for converting CVS/SVN to this system.

On the operating system front, it has been a long road. Organizations that are tightly centralized often have only one primary operating system (Windows, for example) to support, and in those cases central authentication is not particularly difficult: you buy the products that all work together and it's pretty straightforward. Here at SSEC we support a variety of operating systems, so cross-platform is the norm.

I have been evaluating and testing products to bring together Windows, Linux, and Macintosh computers for at least 5 years. I've set up 2 major test systems over this time, and up until recently we had not found a good solution, but things have changed. Specifically, Samba's Winbind component has opened new possibilities for both Linux and OS X. Winbind allows a Linux machine to join the Windows Active Directory domain and authenticate users directly against the domain controllers, rather than keeping a separate local password database. For Linux, it is now a fairly well supported install on newer versions of Red Hat Linux. For OS X it's already included: Apple's Active Directory connector in Directory Utility doesn't call out Winbind, and it is Apple's own implementation rather than Samba's, but it does the same job of joining the machine to the domain and checking logins against it.

This year we have converted the first Linux machines to authenticate logins with Windows Active Directory; the machine 'ash' was a high-profile example of that for those of you who use Linux remotely at the center. All new Linux machines will use this method, and we have done some preliminary testing with OS X and its built-in Windows AD support. The Macintosh printing mechanism that we recommend already uses this, and user authentication is our next goal.
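What such a join looks like on a Red Hat style host, as an added example (mine, not code from the article, from Samba or from Red Hat): the smb.conf [global] settings that make the machine an AD member, a check that the essential settings are present, and the join and verification commands as they would be run as root. The realm EXAMPLE.EDU, the workgroup EXAMPLE, the UID ranges and the account names are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the article or from Samba/Red Hat: the pieces of a
# Winbind join of a Red Hat style Linux host to an AD domain, as the article
# describes (the host becomes a domain member and logins are verified by the
# domain controllers rather than by a local password file). Realm, workgroup,
# UID ranges and account names below are assumptions.

REALM=${REALM:-EXAMPLE.EDU}       # assumed: AD DNS domain, upper case (Kerberos realm)
WORKGROUP=${WORKGROUP:-EXAMPLE}   # assumed: NetBIOS (short) domain name

# Render the [global] settings Winbind needs to act as an AD member server.
render_smb_conf() {
  cat <<EOF
[global]
   workgroup = $WORKGROUP
   realm = $REALM
   security = ads
   # idmap (Samba 3.6+ syntax): the 'rid' backend derives each domain user's
   # UID from its Windows RID, so every host using the same range gets the
   # same UID; a plain 'tdb' backend hands out UIDs per host in first-seen
   # order, which breaks file ownership on shared storage.
   idmap config * : backend = tdb
   idmap config * : range = 3000-3999
   idmap config $WORKGROUP : backend = rid
   idmap config $WORKGROUP : range = 10000-999999
   winbind use default domain = yes   # log in as 'jdoe', not 'EXAMPLE\\jdoe'
   template shell = /bin/bash
   template homedir = /home/%U
EOF
}

# Sanity check for a rendered config: refuse to continue without the settings
# that make this an AD member (security = ads, a realm, a workgroup, an idmap range).
check_smb_conf() {
  for key in 'security = ads' 'realm = .' 'workgroup = .' 'idmap config .* : range'; do
    grep -Eq "^[[:space:]]*$key" "$1" || { echo "smb.conf: missing '$key'" >&2; return 1; }
  done
}

# The join itself, run as root on the real host (not run in this demo: it
# needs a reachable domain controller and an account allowed to join machines).
join_and_verify() {
  # authconfig wires winbind into nsswitch.conf and PAM; it also rewrites the
  # [global] section of smb.conf, so our settings are written afterwards.
  authconfig --enablewinbind --enablewinbindauth --enablemkhomedir --update
  render_smb_conf > /etc/samba/smb.conf
  check_smb_conf /etc/samba/smb.conf || return 1
  net ads join -U "${JOIN_USER:-Administrator}"   # creates the machine account; prompts for a password
  service winbind restart
  net ads testjoin                       # machine account still valid?
  wbinfo -t                              # secure channel to a DC works?
  getent passwd "${TEST_USER:-jdoe}"     # NSS resolves a domain user with an idmap UID?
  wbinfo -a "${TEST_USER:-jdoe}"         # full password check against a DC; prompts
}

# Stand-alone run: render the config to a temp file and check it. The join
# is a manual step on the real host.
conf=$(mktemp)
trap 'rm -f "$conf"' EXIT
render_smb_conf > "$conf"
check_smb_conf "$conf" && echo "smb.conf fragment OK: $conf"
```

The idmap choice is the part most often got wrong in a center with shared home directories: with per-host tdb allocation the same domain user can end up with a different UID on each Linux machine, so files on NFS appear to change owner from host to host. The 'rid' backend with one agreed range on every host avoids that. The last two verification commands are the ones that matter: 'getent passwd' proves NSS sees the domain user, and 'wbinfo -a' proves a real password round-trip to a domain controller succeeds before anyone tries an SSH login.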

4) What Central Authentication *isn't*

It is easy to confuse centralized authentication with Single Sign On (SSO). SSO is the ability to log in one time and have various services, web pages, etc. not prompt you for a password again. With central authentication alone you still type the same password into each machine or service; each one checks it against the same directory, but none of them shares a session with the others. SSO is a broader-scoped problem. It would be a nice tool for pulling together multiple services or web pages, and for providing simple access for people outside of the SSEC system.

Our immediate focus is on Central Authentication for all machines and core services, and SSO is outside of the scope of that mission.

5) For more information

If you've got questions or concerns, please send them to me or stop by to discuss them some time.

