[Systems] Account management.

Daniel Clark dclark at pobox.com
Wed Oct 14 09:42:14 EDT 2009


Sascha Silbe wrote:
> On Tue, Oct 13, 2009 at 04:19:10PM -0500, David Farning wrote:
> 
>> Are there particular sign on mechanisms that I should look into?
> Please use something that does _not_ require the user to type in a
> password every time a service is used. I currently have to do that for
> Trac and it's _really_ annoying.
> For ssh, public key authentication works great (and can optionally ask a
> password locally if you want), so the SSO stuff only needs to
> use/support it. This is the Gold Standard of authentication (at least IMO).

Possible ways to manage this better:
1. http://web.monkeysphere.info/ (use GnuPG web of trust)
2. http://bcfg2.org/wiki/Plugins/SSHbase
3. http://www.sxw.org.uk/computing/patches/openssh.html

For heterogeneous infrastructure managed by multiple groups of people #1
looks like the best bet at first glance. For paranoia++ it would
probably also be pretty easy to integrate with
http://www.cipherdyne.org/fwknop/

> For HTTP, client certificates are a PITA, but I don't know of anything
> else that solves the no-password problem. "Automatic" login (i.e.
> recognizing the certificate without redirecting the user to a special
> "log in" page that just sets some cookies) and identifying the user by
> public key of the certificate (instead of relying on a CA to provide
> unique values in some certificate fields) are very important for real
> user-friendliness, but unfortunately unsupported by the majority of web
> services (provided they support certificate login at all - most don't).
> 
> Sorry for presenting requirements and problems instead of real solutions.

FSF is currently looking at CAS - http://www.jasig.org/cas

The other reason that you don't want to use passwords is to not make
everyone who runs a web service for an organization have easy access to
users' cleartext passwords if they so choose (e.g. if you choose something
centralized that uses password access, then anyone who points to that
service can phish or trojan pretty easily - this is also a generic
problem for all OpenID providers who use password auth without something
like https://pip.verisignlabs.com/seatbelt.do ).

> PS: If you do support authentication using passwords, please check for
> quality passwords instead of periodically expiring them. The latter just
> leads to the users choosing weak passwords because they can't remember
> strong ones often/easily enough.

Support for this statement:
http://www.usenix.org/publications/login/2006-12/pdfs/howard.pdf

-- 
Daniel JB Clark   | Sys Admin, Free Software Foundation
pobox.com/~dclark | http://www.fsf.org/about/staff#danny
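The PS above argues for checking password quality at change time instead of expiring passwords on a schedule. The following is an added example of what such a change-time check can look like; it is not code from this thread, from the FSF or from any of the projects linked above. The thresholds, the reason codes and the small blocklist are constructed for illustration, and the similarity test against the previous password (the user supplies both at change time) is there specifically to reject the "increment the digit" variants that expiry policies tend to produce.

```python
import math
import re

# Constructed sample blocklist. A real deployment would load a large
# breached-password list rather than hard-code a handful of entries.
COMMON_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein",
    "welcome", "admin", "iloveyou", "monkey", "dragon",
}

# Illustrative policy constants (assumptions, not from the thread).
MIN_LENGTH = 12
MIN_ENTROPY_BITS = 40

# Undo the most common "leet" substitutions so "P@ssw0rd1!" is still
# recognised as "password".
_LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s"})


def estimate_entropy_bits(pw: str) -> float:
    """Crude upper-bound estimate: length * log2(size of the union of the
    character classes actually used). Good enough to reject short,
    single-class passwords; not a substitute for a blocklist."""
    alphabet = 0
    if re.search(r"[a-z]", pw):
        alphabet += 26
    if re.search(r"[A-Z]", pw):
        alphabet += 26
    if re.search(r"[0-9]", pw):
        alphabet += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        alphabet += 33  # printable ASCII punctuation and space
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def normalize(pw: str) -> str:
    """Strip trailing digits/punctuation and undo leet substitutions, so the
    blocklist catches "Password1!" as well as "password"."""
    core = re.sub(r"[\d\W_]+$", "", pw)
    return core.translate(_LEET).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to detect trivial edits of the old password."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password_quality(new_pw: str, old_pw: str = None, username: str = None):
    """Return (ok, reasons). `reasons` is a list of short codes explaining
    every rule the candidate password failed, so the user can be told
    exactly what to fix instead of just "rejected"."""
    reasons = []
    if len(new_pw) < MIN_LENGTH:
        reasons.append("too_short")
    if new_pw.lower() in COMMON_PASSWORDS or normalize(new_pw) in COMMON_PASSWORDS:
        reasons.append("common")
    if username and username.lower() in new_pw.lower():
        reasons.append("contains_username")
    if estimate_entropy_bits(new_pw) < MIN_ENTROPY_BITS:
        reasons.append("low_entropy")
    # Reject "Wintertime2009!" -> "Wintertime2010!" style rotations: allow at
    # most 3 edits, or a quarter of the length for long passphrases.
    if old_pw is not None:
        limit = max(3, len(new_pw) // 4)
        if edit_distance(old_pw.lower(), new_pw.lower()) <= limit:
            reasons.append("too_similar_to_old")
    return (not reasons, reasons)


if __name__ == "__main__":
    for candidate in ("Password1!", "Wintertime2010!", "correct horse battery staple"):
        print(candidate, check_password_quality(candidate, old_pw="Wintertime2009!", username="dclark"))
```

The point of the `old_pw` comparison is that it only works at change time, when the user has just typed the old password; nothing here requires the service to keep cleartext passwords around, which is the other concern raised earlier in this message.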
