Security Basics mailing list archives

RE: Single Sign On


From: "Walter Williams" <wbjw () mindspring com>
Date: Wed, 12 Mar 2003 07:10:51 -0500

If your Unix is Solaris, it can use LDAPS as an authentication protocol,
allowing you to leverage AD as a single account store.  Unfortunately,
unless you rewrite the GINA, NT/w2k can't leverage a third-party directory
service.  This would allow not for single sign-on, which implies that you
authenticate once for all trusted systems, but for a reduction in redundant
account stores.  Single sign-on is removing a layer of security, as it implies
trusts between environments.  Reducing the number of account stores saves
money, reduces complexity, and makes it easier on the user, as they now only
have one password to remember if you require passwords.

Under the model I suggest, passwords become optional, as you can use the
Win2k CA and Rainbow Tech or other smart cards to provide strong
authentication.  This smart card can also store the keys for ssh, if you are
using ssh to connect to Unix from your Win2k systems.  Smart card support is
in Solaris 9, so I imagine it's out there for other Unixes.  Now you don't
have passwords and their insecurities to worry about.  Smart cards are a
managed solution, and not a panacea.  If they get lost, the user is locked
out until a new card is issued.

I've done this in a lab, and we are looking into doing it in our production
systems.

Kerberos has the problem of MS's implementation being a deviation from the
standard.

Walt

-----Original Message-----
From: Trevor Cushen [mailto:Trevor.Cushen () sysnet ie]
Sent: Monday, March 10, 2003 12:19 PM
To: security-basics () securityfocus com
Subject: Single Sign On



Has anyone successfully implemented a single sign-on solution in a Unix
/ Windows environment?

If so could you send on product details or a URL to a guide please.


NOT Web-based, I know there are a few Web-based solutions but I need it
in an enterprise with Windows NT and up, Linux servers and MS-SQL.
Client has one logon only, or single sign-on.

I am looking at Kerberos, so if I am going down the wrong track please
let me know.



Many thanks
Trevor Cushen

******************************************************************************

This email and any files transmitted with it are confidential and intended
solely for the use of the individual or entity to whom they are addressed.

If you have received this message in error please notify SYSNET Ltd., at
telephone no: +353-1-2983000 or postmaster () sysnet ie

******************************************************************************


