posted by Van Emery on Mon 26th Apr 2004 06:24 UTC
The open source community has mastered many challenges and has been successful in numerous areas. However, there is one glaring weakness that needs to be remedied.

Introduction

Without progress in this area, open source in the enterprise will always play second fiddle to Microsoft, Novell, and other corporate computing entities. What is this critical weakness? Lack of support for Internet Explorer and MS Office? Hardware compatibility issues? Retraining users?

No.

The critical weakness relates to a very basic function of any network operating system. That weakness is the lack of a standardized, secure, interoperable network authentication system. This is a very real stumbling block to the adoption of open source in the enterprise.

"But wait!", you say. "A stock *BSD or GNU/Linux system has hundreds of security tools! Compared to Windows XP, my open source workstation is more secure, has more security tools, and is infinitely more flexible! What about S/KEY, Kerberos, OpenLDAP, IPSec, OpenSSL, OpenSSH, RADIUS, PAM, GnuPG, and Samba 3?"

Big deal.

By default, your system uses flat files. It does not use secure, network-based authentication. "But that can be installed and configured!", you say. Sure it can, but it always ends up being a customized, site-specific solution that requires lots of time and effort to test, document, set up, and maintain. Making multiple Linux distributions and Unices work together is a time-consuming nightmare. Do organizations typically do lots of in-house development work to make sure that web browsers and web servers on their intranets can talk to each other? Do they develop custom routing protocols for their internal networks?

No. So why do we put up with this for network authentication?

IT managers want to be able to install servers and desktop client machines on their network that securely authenticate users against a centralized database. This should be a straightforward procedure. Until there is a standardized, interoperable, community and industry supported network authentication system included with most open source operating systems, Microsoft will continue to rule the enterprise.

The Problem Described

There are two issues that need to be solved in a network authentication system for Unix-like operating systems:

  • global naming
  • authentication

Global naming has to do with storing globally unique UIDs, GIDs, usernames, groupnames, and other network-wide information such as a user's login directory and preferred shell. This can be handled by protocols like Hesiod, LDAP, and NIS/NIS+. This data is sometimes called directory information.

Authentication is the process of actually allowing (or not allowing) a user to log in to a host or access a resource. Authentication can be handled by many protocols, including TACACS+, RADIUS, and Kerberos. In addition, authentication systems should be able to log authentication transactions.

For the remainder of this article, "network authentication system" will refer to both naming and authentication, since both are necessary to log in to Unix-like systems and to access resources.

Microsoft, Novell, Sun, and Apple already support unified network authentication, and have been doing this for a long time. As long as you exclusively use the vendor's proprietary system, all of your hosts will play together nicely. Microsoft, Sun, and Apple can utilize Kerberos and LDAP in their current systems. Novell is working on a Kerberos interface to their successful eDirectory system, and they can already authenticate Linux hosts to eDirectory via LDAP.

What we need is a system that is standardized to the point that any GNU/Linux or *BSD based system can be easily configured to use a standard network authentication scheme. I should be able to configure any common open source operating system to use centralized naming and authentication services after editing no more than two config files. It should just work.
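To make the naming/authentication split described above concrete, here is an added example (not from the original article) of what "no more than two config files" looks like on a GNU/Linux host: /etc/nsswitch.conf answers the naming questions (username, UID, GID, home directory, shell) from LDAP, while a PAM service file makes the actual login decision against Kerberos. It assumes the LDAP and Kerberos server settings already live in /etc/ldap.conf and /etc/krb5.conf, and the PAM stack is deliberately minimal (account handling for directory-only users is simplified).

```conf
# /etc/nsswitch.conf -- "global naming": where the host looks up
# usernames, UIDs, GIDs, home directories and login shells.
# Local files come first so root still resolves if the LDAP server is down.
passwd:   files ldap
group:    files ldap
# Password hashes are NOT fetched over the network; Kerberos proves
# the password instead, so shadow stays local.
shadow:   files

# /etc/pam.d/login (illustrative per-service stack) -- "authentication":
# the decision to admit the user is made by the Kerberos KDC, not by a
# local hash. If Kerberos accepts the password, pam_krb5 is sufficient
# and the stack succeeds; otherwise pam_unix gets the same password
# (use_first_pass) so local accounts such as root keep working.
auth      sufficient  pam_krb5.so
auth      required    pam_unix.so use_first_pass
account   required    pam_unix.so
# Create the home directory named in the LDAP entry on first login,
# readable only by the owner.
session   optional    pam_mkhomedir.so skel=/etc/skel umask=0077
```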

In the Linux world, there is the Filesystem Hierarchy Standard (FHS) and the Linux Standard Base (LSB). These standards help all distributions work together nicely, and make life easier for application developers. Shouldn't we have a standardized network authentication system? Having such a system would give IT managers more choices, prevent vendor lock-in, and make life easier for administrators and users.

For example, let us look at OpenSSH. OpenSSH runs on almost any Unix-like host, binary packages are available for most operating systems, and it allows terminal communication and file transfer between any two hosts. OpenSSH is ubiquitous. It is used as secure transport for an amazing number of protocols and applications. Wouldn't it be nice if you could depend on your network authentication system to have the same amount of interoperability and flexibility between different Linux distributions and Unix flavors?

Table of contents
  1. "FOSS Authentication System, Page 1/3"
  2. "FOSS Authentication System, Page 2/3"
  3. "FOSS Authentication System, Page 3/3"