Single Sign-On for Integrated Open-Source Apps?

maiden_taiwan asks: "We're constructing a free groupware application by integrating well-known open source components: apache webserver, inn news server, ircd chat, scp for file transfer, etc. Unfortunately, each app has its own incompatible concept of a 'user identity.' Apache has the htpasswd module, IRC has nicknames, scp has public keys, NetNews has the poster's email address, and so forth. Has anyone managed to integrate a similar suite of apps using a single sign-on model, where a user has a single identity that is understood and carried through all these apps?"

We're sorta doing this, but not exactly...

[PhaseBurn]

We have a MySQL database that is used for e-mail, RADIUS, and FTP logins, and all those records are kept in MySQL... I'm not familiar with LDAP enough to suggest it, but it is there if you'd like to try... From what I've seen, and what we're doing, here's what I know is possible...

Apache has a mod_auth_mysql which will auth based on a MySQL database already... (http://sourceforge.net/projects/modauthmysql/)

That's trivial... They have a pam_mysql module as well that we use - it works... (http://sourceforge.net/projects/pam-mysql)...

Next on your list is inn, which I have no experience with. You'd most likely need to hack some form of parsing by e-mail address or IP (or password on a secured server) to verify/force identity...

ircd would be very easy to do... Shell account running a slightly modded "dircproxy" (http://www.dircproxy.net) would force identity based on a password, and would "proxy" the connection to the server transparantly.

Scp, if you're not using keys, could just use regular pam, with pam_mysql. Anyway, hope this helps.

LDAP may be a better solution, but I know for a fact this is possible (we're using these tools across apache, proftpd, scp, Courier-pop3/imap, and Exim for an MTA... we run a full ISP off these tools. Best of luck!

Another for the LDAP camp...

[stefanlasiewski]

My former organization (an NGO) attempted an single signon project for inn, rsync, & Apache 2 years ago. This was to be: a newsserver server, a webfrontend of the newsserver, web publishing, authoring tools, etc. We decide that LDAP was probably the best solution for a single signon.

Unfortunately back then, the software wasn't up to snuff, we had limited development experience to improve the existing tools, and we went bankrupt, and handed the project off to some other NGOs.

I've been recently laid off (Different company), and have been researching this project again. I'm amazed at the amount of progress that has been made since 2 years ago. It seems like LDAP is a good solution for single signon projects.

Apache 2.0 has added native support for LDAP, ldap; and there are several low-profile INN+LDAP projects out there (No large formal projects). I hear it's a good solution for remote-transfer users, like your 'scp' project.

Definately check out LDAP.

Today, LDAP. Tomorrow, Liberty or Passport

[velkro]

Today's solution is to use LDAP.

I have, right now, the following systems integrated using LDAP for authentication:

Linux (anything that uses PAM - ssh, ftp, X)
AIX 5.1
Apache (mod_ldap)
IBM HTTP Server (mod_ibm_ldap)
Several internal apps (PHP, Perl, C/C++)
MS Active Directory & Exchange
Lotus SameTime, and Lotus QuickPlace
Nortel Contivity VPN systems

And probably one or two things I've forgotten. So it's probably simple enough to add in the bits (IRC mainly) for the rest.

Secstore / Factotum - plan9

[DrSkwid]

The Fourth Edition of Plan 9 includes a substantially reworked security architecture, described in the USENIX Security 2002 conference paper by Russ Cox, Eric Grosse, Rob Pike, Dave Presotto, and Sean Quinlan.

One particular aspect that other operating systems may wish to adopt is our single-signon solution. A process called factotum is used to hold credentials like passwords and public/private keypairs and perform cryptographic operations. Factotum allows clients to speak a variety of cryptographic protocols and therefore legacy application servers can participate in our single-signon system without change and without even knowing it exists.

The factotum has no direct permanent storage, but rather fetches credentials at startup from a secstore server on the network. To authenticate safely with the secstore, Password Authenticated Key-exchange is used; this implies that the user just has to remember and type one password and passive eavsdroppers or even active malicious intermediaries can not launch even a dictionary attack against the system. The credentials are encrypted for storage on secstore, so even an administrator there would have difficulty reading them.

To see the code for all this, download the Plan 9 distribution and look in /sys/src/cmd/auth, particularly subdirectories factotum and secstore. The libraries /sys/src/libmp and /sys/src/libsec may also interest you.

Queries to ehg@lucent.com.
Copyright © 2002 Lucent Technologies. All rights reserved.