Lesson 17. Secure Authentication
Authentication is the process of proving your identity. It is of great interest to anyone in charge of a server or a network providing services like Apple File Protocol (AFP) or email. Historically, authenticating meant entering separate user IDs and passwords for every service you needed to use (and sometimes every server), even if you entered the same user ID and password each time. However, by integrating technologies such as single sign-on (SSO) via Kerberos, and supporting multifactor authentication via smart cards, thumbprint scanners, RSA keys, and so on, Apple has made the authentication process more secure and easier to use.
But even with smart cards and the rest, we still secure our access to networks via the password, and it is the password that can be either a strong part of your security chain or the weakest link. By definition, a good password is difficult to remember. In general, a good password should:
Because remembering multiple passwords can be difficult, Mac OS X and Mac OS X Server help users manage their passwords with the Keychain, provided as a standard part of every Mac OS X and Mac OS X Server installation. Mac OS X also provides Password Assistant to help with the selection of high-quality passwords.
Although passwords are an essential part of any security implementation, even the best password can be broken or circumvented. Someone might look over your shoulder and see you type the keys, or the password might be broken by any of a number of attacks, including brute force. To help keep the password from becoming a single point of failure, Mac OS X and Mac OS X Server support multifactor authentication, best described as a combination of something you know (a password or PIN), something you have (such as a smart card), and something you are (biometrics). Multifactor doesn't mean you use all of these. The most common implementation is a smart card of some kind used with a password, passphrase, or PIN. ATM/debit cards are the most common form of multifactor authentication.
This lesson ventures beyond passwords. When you are dealing only with your own controlled environment, setting up shared secrets such as passwords is easy: you set a password and tell the user what it is. For situations where a shared secret or predetermined password is not possible, Mac OS X and Mac OS X Server can use certificates, which require that all parties involved trust a third party, also known as a certificate authority (CA). Mac OS X Server makes it easy for you to generate your own certificates (also called "self-signed certificates"), so you can provide authentication for everything you use, from your email address to your Web server.
Once authentication is out of the way, the next step is usually authorization, or the granting of rights or privileges to a resource, based on the authenticated identity of the requestor.
One of the best features of the current version of Mac OS X Server (10.4, or Tiger) is its support for access control lists (ACLs), which give you greater flexibility in both the rights you can assign (or deny) and the users and groups you apply those rights to.
Note: A discussion of ACLs is outside the scope of this lesson.