
Lesson 17. Secure Authentication

Time

This lesson takes approximately 2 hours to complete.

Goal

Understand the concepts behind authentication

Use Mac OS X Server to provide SASL-based authentication for its services

Understand the role Kerberos plays in Mac OS X and Mac OS X Server


Authentication is the process of proving your identity. It is of great interest to anyone in charge of a server or a network that provides services such as Apple Filing Protocol (AFP) file sharing or email. Historically, it meant entering a user ID and password separately for every service you needed to use (and sometimes for every server), even when the user ID and password were the same each time. By integrating technologies such as single sign-on (SSO) via Kerberos, and by supporting multifactor authentication via smart cards, fingerprint readers, RSA SecurID tokens, and so on, Apple has made authentication both more secure and easier to use.

But even with smart cards and the rest, access to most networks is still secured by a password, and the password can be either a strong part of your security chain or its weakest link. A good password is, almost by definition, hard to guess, and passwords that are hard to guess tend also to be hard to remember.

In general, a good password should:

  • Consist of more than just a few characters. Versions of Mac OS X and Mac OS X Server prior to 10.3 considered only the first eight characters of a password; as of Mac OS X 10.3, passwords can be longer than eight characters and every character counts. The number of possible passwords is the size of the character set raised to the power of the length, so each additional character multiplies the attacker's search space by the size of the character set: the strength of a password grows exponentially with its length.

  • Consist of a mix of uppercase and lowercase letters, numbers, and special characters. Passwords on Mac OS X and Mac OS X Server are case-sensitive, so using both cases doubles the alphabet for letters from 26 to 52 per character. Add numbers and special characters and the alphabet grows to all 94 printable ASCII characters, which makes a complex password easy to construct.

  • Not be based on real words or on your identity. Even an older G4-based Mac can run through an extremely large list of words and names in multiple languages in a short time, so a password built from a dictionary word, a name, or personal details such as a user name or birth date falls to a dictionary attack regardless of its length.

  • Be unique for each service, unless you can use a proper SSO implementation such as Mac OS X Server's Kerberized SSO infrastructure. A password reused across services is only as safe as the least secure of those services.
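
As an added example (not code from the book or from Apple), the following shell script turns the rules above into a check an administrator could run against a proposed password, and computes the keyspace a brute-force attack must cover so that the effect of length and character mix is concrete. The minimum length, the five-entry word list and the sample passwords are constructed for this example; a real check would use a large multi-language word list.

```shell
#!/bin/sh
# Added example: a password-quality check implementing the rules above.
# MIN_LEN, the word list and the sample passwords are constructed for this
# example; a real check would use a large multi-language word list.
MIN_LEN=12
WORDS="password
welcome
letmein
macintosh
tiger"

# Size of the alphabet a password actually draws from. A brute-force attack
# must cover alphabet^length candidates, so this is the base of the keyspace.
alphabet_size() {
    n=0
    case $1 in *[[:lower:]]*) n=$((n + 26)) ;; esac
    case $1 in *[[:upper:]]*) n=$((n + 26)) ;; esac
    case $1 in *[[:digit:]]*) n=$((n + 10)) ;; esac
    case $1 in *[[:punct:]]*) n=$((n + 32)) ;; esac   # printable ASCII specials
    echo "$n"
}

# keyspace ALPHABET LENGTH: alphabet^length as an integer (awk handles the
# large power; the printed value is approximate above 2^53).
keyspace() {
    awk -v b="$1" -v l="$2" 'BEGIN { printf "%.0f\n", b ^ l }'
}

# check_password PASSWORD USERNAME: prints "ok" and returns 0, or prints the
# first rule the password breaks and returns 1.
check_password() {
    pw=$1
    user=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    lower=$(printf '%s' "$pw" | tr 'A-Z' 'a-z')
    # The word-list comparison also ignores digits and punctuation, so that
    # "Welcome2005!!" is still caught as the dictionary word "welcome".
    stripped=$(printf '%s' "$lower" | tr -d '[:digit:][:punct:]')

    if [ "${#pw}" -lt "$MIN_LEN" ]; then
        echo "too short: ${#pw} characters, need $MIN_LEN"; return 1
    fi
    if [ "$(alphabet_size "$pw")" -lt 94 ]; then
        echo "needs upper case, lower case, digits and special characters"; return 1
    fi
    if printf '%s\n' "$WORDS" | grep -qxF -e "$lower" -e "$stripped"; then
        echo "based on a dictionary word"; return 1
    fi
    if [ -n "$user" ]; then
        case $lower in *"$user"*) echo "contains the user name"; return 1 ;; esac
    fi
    echo ok
}

# Keyspace growth: a 52-letter alphabet at 8 and at 12 characters, then the
# full 94-character printable alphabet at 12.
for spec in "52 8" "52 12" "94 12"; do
    set -- $spec
    printf '%s^%s = %s\n' "$1" "$2" "$(keyspace "$1" "$2")"
done

# Sample passwords (constructed) checked for the user "alice".
for pw in 'Welcome123!' 'Welcome2005!!' 'Alice-2005-Tiger' 'kT9#wq2LmZ!4rP'; do
    printf '%-18s %s\n' "$pw" "$(check_password "$pw" alice)"
done
```

The keyspace figures are what matter for the first two rules: 52^8 is about 5 x 10^13, while 94^12 is about 5 x 10^23, a factor of ten billion for four more characters and a richer alphabet. The dictionary and user-name rules are what stop a long password from being worthless anyway; note that the word-list check strips digits and punctuation first, because "Welcome2005!!" is exactly the kind of password a dictionary attack with simple mangling rules finds immediately.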

Because remembering multiple passwords can be difficult, Mac OS X and Mac OS X Server help users manage their passwords with the Keychain, provided as a standard part of every Mac OS X and Mac OS X Server installation. Mac OS X also provides Password Assistant to help with the selection of high-quality passwords.

Although an essential part of any security implementation, even the best password can be broken or circumvented. Someone might look over your shoulder as you type it, or it might fall to one of a number of attacks, including brute force. To keep the password from becoming a single point of failure, Mac OS X and Mac OS X Server support multifactor authentication, best described as a combination of something you know (a password or PIN), something you have (such as a smart card), and something you are (biometrics). Multifactor means at least two of these, not necessarily all three; the most common implementation is a smart card of some kind used together with a password, passphrase, or PIN. An ATM or debit card used with a PIN is the most familiar everyday form of multifactor authentication.

This lesson ventures beyond passwords. When you control the whole environment, setting up a shared secret such as a password is easy: you set the password and tell the user what it is. Where a shared secret or predetermined password is not possible, Mac OS X and Mac OS X Server can use certificates, which require all parties involved to trust a third party known as a certificate authority (CA). Mac OS X Server makes it easy to generate your own certificates, either self-signed or issued by a CA you run yourself, so you can provide authentication for everything from your email address to your Web server. Bear in mind that a self-signed certificate is vouched for by no third party: a client can verify it only if that client has been explicitly configured to trust it (or the CA you created), and until then users see a warning on every connection.
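
As an added example, not code from the book or from Apple, the following script builds the two kinds of certificate described above with the openssl command-line tool that ships with Mac OS X and then checks what a client concludes from each. The host name server.example.com, the CA name, the key size and the temporary working directory are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not the book's or Apple's code): a self-signed certificate
# beside a certificate issued by a private CA, and what a client that trusts
# one particular certificate concludes about each. server.example.com, the
# CA name, 2048-bit RSA keys and the temp directory are assumptions.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Self-signed: the server signs its own certificate. No third party vouches
# for it, so it verifies only for a client told to trust exactly this
# certificate.
make_self_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=server.example.com" \
        -keyout "$WORK/self.key" -out "$WORK/self.crt" 2>/dev/null
}

# Private CA: one self-signed CA certificate, then a server certificate
# issued by it (certificate request, signed with the CA key). A client that
# trusts the CA certificate can verify every certificate the CA issues,
# which is the third-party trust model the lesson describes.
make_ca_signed() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null &&
    openssl req -new -newkey rsa:2048 -nodes \
        -subj "/CN=server.example.com" \
        -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null &&
    openssl x509 -req -days 365 -in "$WORK/server.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -out "$WORK/server.crt" 2>/dev/null
}

# verify_against CERT TRUSTED_CERT: prints "trusted" if a client whose
# trust store contains TRUSTED_CERT accepts CERT, "untrusted" otherwise.
verify_against() {
    if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
        echo trusted
    else
        echo untrusted
    fi
}

make_self_signed
make_ca_signed
printf 'CA-issued server cert, client trusts the CA:    %s\n' \
    "$(verify_against "$WORK/server.crt" "$WORK/ca.crt")"
printf 'self-signed server cert, client trusts the CA:  %s\n' \
    "$(verify_against "$WORK/self.crt" "$WORK/ca.crt")"
printf 'self-signed server cert, client trusts that cert: %s\n' \
    "$(verify_against "$WORK/self.crt" "$WORK/self.crt")"
```

The three results are the whole point: the CA-issued certificate is accepted by anyone who trusts the one CA certificate, while the self-signed certificate is accepted by nobody except a client that has been handed that exact certificate out of band. Distributing one CA certificate to your clients therefore scales; distributing every self-signed server certificate to every client does not, and leaving clients to click through warnings teaches them to accept any certificate an attacker presents.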

Once authentication is out of the way, the next step is usually authorization, or the granting of rights or privileges to a resource, based on the authenticated identity of the requestor. One of the best features of the current version of Mac OS X Server (10.4, or Tiger) is its support for access control lists (ACLs), which give you greater flexibility in both the rights you can assign (or deny) and the users and groups you apply those rights to.

Note

A discussion of ACLs is outside the scope of this lesson.





Source: Apple Training Series: Mac OS X System Administration Reference, Volume 1, by Schoun Regan. ISBN 032136984X, 2005, 258 pages.
