
A Story About Authentication

Passwords, Domains, Directories, Oh My!

Old Fashioned Computers

Once upon a time there was an old fashioned computer system. I said "an" old fashioned computer system, because there was only one. Everyone that wanted to do any work went up to the computer, typed in their name and password and the computer accepted it. Assuming, that is, that they got the right password. The people were happy with the old fashioned computer, because that was the only one that they had. The people were even happier with their terminal screens, because they were more powerful than an etch-a-sketch, and could play a game called VTTREK.

Along came the people who had green terminal screens. Green terminal screens were thought to be a Great Technological Invention, because you could stare at them for hours on end, and not end up with Little Black Dots in front of your eyes. You ended up with Little Green Dots instead.

Eventually, the people got tired of Little Green Dots, and wanted a New Computer. The New Computer ran the One True Operating System (known in those days as Unix), and was faster, more powerful, and smaller than the old fashioned computer system.

New Computers

The New Computer stored everyone's name and password in a password file. The passwords weren't written down as such: each one was put through a one-way function called crypt, so that even Very Clever People who read the password file couldn't turn the scrambled passwords back into real ones. Everyone thought this was nice and safe, because even the biggest and fastest New Computer would take an awfully long time to guess them. The People that Looked After the New Computers were happy.

One New Computer wasn't enough, however. People wanted more New Computers. They got more and more New Computers all together in the one building and tied them together with pieces of string. This was called a network. Everyone thought that a network was Very Nice, because it meant that the people in Accounting and Finance could have their own New Computer, while the people in Advertising and Graphics had their own New Computer, but they could send each other files.

One day, a Very Clever Person wanted to use two New Computers at the same time. The People that Looked After the New Computers thought this was all very well and good, because after all Very Clever People have to be kept happy, and so they put the Very Clever Person's name and password in the password files of both New Computers. Soon, however, there were lots of Very Clever People, and they all wanted to use many New Computers at the same time. This made The People that Looked After the New Computers very unhappy, because they had lots of extra work to do.

So, one day, a Very Clever Person who happened to work with New Computers invented a Very Clever Piece of Software (after all, this is what Very Clever People are for). The Very Clever Piece of Software could store a big file, and share this file amongst all of the New Computers, so that all of the New Computers could look up information in this file. The Very Clever Person decided to call this software Yellow Pages because when you wanted to look something up, you often looked in a telephone book called the yellow pages. A Nasty Man from a Telephone Company decided, however, that the name Yellow Pages belonged to him, and so was born the Network Information Service, or NIS for short.

Security

Unfortunately, the problem with sharing a big bunch of files between New Computers is that NIS hands the whole password map, scrambled passwords and all, to any computer on the string that asks for it (ypcat passwd), and the New Computers are very clever, and very fast. Someone invented a program for New Computers that would take the password map, run a whole dictionary through the same one-way function, and see which scrambled passwords matched. Nobody got locked out, nothing was written in a log, and any password that was a word in the dictionary fell out in seconds. This was very bad.

At about this point, the Very Clever People decided that getting the New Computers to hand each other scrambled passwords across pieces of string was a bad idea, and that the scrambled passwords shouldn't be readable by just anyone even on one New Computer, so they moved them into a shadow file that only the People that Looked After the New Computers could read.
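This is what the password-cracking program did, as an added example written for this page (it is not the original cracking program, nor anything from the page's author). The toy_crypt function is a constructed stand-in for crypt(3) (two-character salt, then SHA-1 of salt plus password); real DES crypt is different and slower, but the attacker's loop is the same. The sample NIS map, the accounts and the wordlist are all made up here:

```python
import hashlib

# Added example (not from the page): the offline dictionary attack that made
# a readable NIS passwd map so dangerous.  toy_crypt is a constructed
# stand-in for crypt(3): two-character salt, then SHA-1 of salt+password.
# Real DES crypt is different (and slower), but the attack is the same loop.

def toy_crypt(password, salt):
    return salt + hashlib.sha1((salt + password).encode()).hexdigest()

def parse_passwd_map(lines):
    """Turn 'ypcat passwd'-style lines into (user, password-field) pairs."""
    entries = []
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) >= 2 and not line.startswith("#"):
            entries.append((fields[0], fields[1]))
    return entries

def crack(entries, wordlist):
    """Hash each candidate word with the account's own salt and compare.
    Runs entirely on the attacker's machine: no lockouts, no server logs."""
    found = {}
    for user, stored in entries:
        if stored in ("", "x", "*", "!") or len(stored) <= 2:
            continue          # shadowed, locked or empty: nothing to attack
        salt = stored[:2]
        for word in wordlist:
            if toy_crypt(word, salt) == stored:
                found[user] = word
                break
    return found

# Constructed sample data.  The first map is what an old NIS server handed to
# anyone who asked; the second is the same map after the scrambled passwords
# were moved to a shadow map that only the administrators can read.
EXPOSED_MAP = [
    "alice:" + toy_crypt("sunshine", "ab") + ":1001:100:Alice:/home/alice:/bin/sh",
    "bob:" + toy_crypt("Tr0ub4dor&3", "xy") + ":1002:100:Bob:/home/bob:/bin/sh",
    "carol:" + toy_crypt("letmein", "Q9") + ":1003:100:Carol:/home/carol:/bin/sh",
    "daemon:*:1:1:daemon:/:/sbin/nologin",
]
SHADOWED_MAP = [line.split(":", 2)[0] + ":x:" + line.split(":", 2)[2] for line in EXPOSED_MAP]

WORDLIST = ["password", "123456", "sunshine", "letmein", "qwerty"]

def run():
    """Crack both maps; returns (found_in_exposed_map, found_in_shadowed_map)."""
    return (crack(parse_passwd_map(EXPOSED_MAP), WORDLIST),
            crack(parse_passwd_map(SHADOWED_MAP), WORDLIST))

if __name__ == "__main__":
    exposed, shadowed = run()
    print("exposed map :", exposed)   # {'alice': 'sunshine', 'carol': 'letmein'}
    print("shadowed map:", shadowed)  # {}
```

Bob survives only because his password isn't in the wordlist; a bigger wordlist and a faster machine fix that for the attacker, which is why the real answer was to stop handing out the hashes at all (the shadowed map) rather than to hope for better passwords.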

Even Less Security

At about this time, a Boy from Redmond decided to start his very own software company. This is because Seattle didn't have any decent garage bands yet.

The Boy from Redmond decided that storing passwords in a password file was a bad idea. To solve the problem, he decided not to have any passwords at all. The people laughed.

The Boy from Redmond got angry at the people laughing at him, and decided to make them look at their files through Windows. The people laughed even harder.

Eventually, the Boy from Redmond decided that he'd do what the people with the New Computers were doing, and tie his computers together with pieces of string. The boy decided that pieces of string meant that everyone needed passwords, so he stored the passwords on the hard disk. Since the New Computers could crack the encrypted passwords, he decided not to encrypt the passwords very much at all. The people laughed again.

So, one day, the boy got really angry and invented Windows NT. Windows NT had an entirely new password system, called a Domain: one computer (the Domain Controller) kept everyone's passwords, and the other computers asked it whether a password was right instead of keeping their own copies. The people thought that Domains were a really good idea. That's because none of the people knew how Domains really worked.

Other Forms of Security

Meanwhile, other people thought that they needed security too, and decided that putting passwords into password files wasn't good enough. These are some of the ideas that they came up with:

Where do I Store my Password?

The people using New Computers were very confused. They had to remember one password for the New Computer, one password for the RADIUS server, a different password for the Domain, and a different password for their Bank Account. The people couldn't remember all of these passwords, so they wrote them all down on little yellow pieces of paper and stuck them to their computer screens. The People that Looked After the New Computers (and the Domain) were very unhappy.

At about this time, a Very Clever Person (who happened to work for the same company that invented NIS), invented something called Pluggable Authentication Modules, or PAM for short. PAM allowed The People that Looked After the New Computers to store the passwords somewhere other than in the password file, or in the NIS. For example, some Very Clever People that looked after New Computers decided that they could store the New Computer passwords in the Domain, with all of the other passwords.

Another Even More Clever Person (who had invented his own New Computer system in Finland) got some of his friends to make PAM work on his New Computer too. That meant that more passwords could be stored all over the place. The New Computers from Finland were spreading all over the world at this time, so lots of people could store their passwords wherever they wanted to.

Does That Mean I Only Need One Password?

Yes, that's correct.

If you put the passwords for the New Computers in the same place as the passwords for the Computers from Redmond and the same place as all of your other passwords, then you only need one password.

This is called Single Sign-On. A rather magical term. It does mean that the one place had better be looked after very carefully, since it is now also the only password an attacker needs.

What about the Computers from Redmond?

To access one of the Windows NT computers, you need to go through a process called Graphical Identification and Authentication (GINA). The Boy from Redmond might tell you that GINA means you have to access a Domain. That's not entirely correct.

For example, there are some people in Utah (see below) who made a different GINA that let you access a Computer in a Big Red Box instead. A clever person at a University invented a different GINA, that allows you to access the NIS system you got from the people that made the Very Fast New Computers.

Someone decided it would be a good idea if PAM could run on the Computers from Redmond, too. This replaces the GINA with one that can pick and choose its own authentication method from any of the ones we've found so far.

Kerberos

A bunch of Really Clever People, who worked at a University, decided that they would invent a Network Security System that everyone could use. They called this system Kerberos. To make all of the people happy, they decided to make it very secure.

Kerberos has an unusual way of dealing with passwords: it never sends them across the pieces of string at all. When a person logs in, their computer asks the Kerberos Server for a ticket-granting-ticket, and the answer comes back scrambled with a key made from the person's password, so only someone who knows the password can read it. After the person has a ticket-granting-ticket, they can get tickets for other programs on the computer, or other computers, or even Domains, from the Kerberos Server, by showing it the ticket-granting-ticket rather than the password. Each ticket is scrambled with a key that only the Kerberos Server and that one program share, none of the tickets contain the password, and they all stop working after a few hours.

Kerberos even worked on the New Computers from Finland, so everyone was happy.
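The whole exchange, as an added example written for this page rather than anything from the Kerberos authors or from Redmond: the Kerberos Server (KDC), the person's computer and a file server all live in one process so the three steps (get a ticket-granting-ticket, trade it for a service ticket, show the service ticket to the service) can be watched. The sealing function is a constructed stand-in for Kerberos's real encryption types (an assumption of this example, not what goes on the wire), and the realm, user, password and service names are made up:

```python
import hashlib
import hmac
import json
import os
import time

# Added example: a toy run-through of the Kerberos AS, TGS and AP exchanges.
# seal/unseal are a stand-in for Kerberos's real enctypes (assumption of this
# example): HMAC-SHA256 keystream XOR, then an HMAC tag (encrypt-then-MAC).

def _keystream(key, nonce, n):
    out, block = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:n]

def seal(key, obj):
    """Encrypt-then-MAC a JSON-serialisable message under key."""
    pt = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(key, nonce, len(pt))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    """Inverse of seal; raises ValueError on a wrong key or a tampered blob."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered message")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def string_to_key(password, realm, name):
    """Long-term key from the password, salted with realm and name, as Kerberos does."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), (realm + name).encode(), 10_000)

TICKET_LIFE = 8 * 3600  # seconds; tickets expire, passwords never travel

class KDC:
    """The Kerberos Server: holds every principal's long-term key."""
    def __init__(self, realm):
        self.realm = realm
        self.keys = {"krbtgt": os.urandom(32)}

    def add_user(self, name, password):
        self.keys[name] = string_to_key(password, self.realm, name)

    def add_service(self, name):
        self.keys[name] = os.urandom(32)  # the service keeps a copy (its keytab)

    def as_exchange(self, client):
        """AS-REQ -> AS-REP: reply sealed under the client's key.  A wrong
        password simply cannot open it; the password never reaches the KDC."""
        session = os.urandom(32).hex()
        tgt = seal(self.keys["krbtgt"],
                   {"client": client, "key": session, "expires": time.time() + TICKET_LIFE})
        return seal(self.keys[client], {"key": session, "tgt": tgt.hex()})

    def tgs_exchange(self, tgt_blob, authenticator, service):
        """TGS-REQ -> TGS-REP: a TGT plus an authenticator sealed under the TGT
        session key buys a ticket for service, sealed under the service's key."""
        tgt = unseal(self.keys["krbtgt"], tgt_blob)
        if tgt["expires"] < time.time():
            raise ValueError("TGT expired")
        auth = unseal(bytes.fromhex(tgt["key"]), authenticator)
        if auth["client"] != tgt["client"]:
            raise ValueError("authenticator does not match TGT")
        svc_session = os.urandom(32).hex()
        ticket = seal(self.keys[service],
                      {"client": tgt["client"], "key": svc_session, "expires": time.time() + TICKET_LIFE})
        return seal(bytes.fromhex(tgt["key"]), {"key": svc_session, "ticket": ticket.hex()})

def kinit(kdc, name, password):
    """Client side of the AS exchange (what the kinit command does)."""
    rep = unseal(string_to_key(password, kdc.realm, name), kdc.as_exchange(name))
    return {"name": name, "key": bytes.fromhex(rep["key"]), "tgt": bytes.fromhex(rep["tgt"])}

def get_service_ticket(kdc, creds, service):
    """Client side of the TGS exchange: no password needed, only the TGT."""
    auth = seal(creds["key"], {"client": creds["name"], "time": time.time()})
    rep = unseal(creds["key"], kdc.tgs_exchange(creds["tgt"], auth, service))
    return bytes.fromhex(rep["ticket"]), bytes.fromhex(rep["key"])

def service_accept(service_key, ticket, authenticator):
    """AP-REQ at the service: open the ticket with the service's own key and
    check the authenticator.  The KDC is not consulted.  Returns the client name."""
    t = unseal(service_key, ticket)
    if t["expires"] < time.time():
        raise ValueError("ticket expired")
    a = unseal(bytes.fromhex(t["key"]), authenticator)
    if a["client"] != t["client"] or abs(a["time"] - time.time()) > 300:
        raise ValueError("bad authenticator")
    return t["client"]

def login_succeeds(kdc, name, password):
    try:
        kinit(kdc, name, password)
        return True
    except ValueError:
        return False

def demo():
    """alice logs in once, then reaches a file server with a ticket, no password."""
    kdc = KDC("EXAMPLE.COM")                               # constructed realm
    kdc.add_user("alice", "correct horse battery staple")  # constructed credentials
    kdc.add_service("host/files.example.com")
    creds = kinit(kdc, "alice", "correct horse battery staple")
    ticket, key = get_service_ticket(kdc, creds, "host/files.example.com")
    auth = seal(key, {"client": "alice", "time": time.time()})
    return service_accept(kdc.keys["host/files.example.com"], ticket, auth)

def wrong_password_is_rejected():
    kdc = KDC("EXAMPLE.COM")
    kdc.add_user("bob", "right")
    return login_succeeds(kdc, "bob", "right") and not login_succeeds(kdc, "bob", "wrong")

if __name__ == "__main__":
    print(demo())  # alice
```

Notice what the file server needs in order to check alice: only its own key. It never sees her password, never talks to the KDC, and a ticket stolen from alice's computer is worthless after TICKET_LIFE, which is the whole point of the design.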

The Boy from Redmond who invented Windows (remember him?) decided that Kerberos was a neat idea. So he decided that in the year 2000, all of his computers would use Kerberos as well. This made a lot of people interested, because there were a lot of Computers from Redmond, and they worked almost as well as the New Computers from Finland. The Boy from Redmond also made sure that his Kerberos worked the same way as everyone else's Kerberos.

Remember the person who made PAM work on the Computers from Redmond? Well, that means you can have your GINA and your Kerberos, too, even before the year 2000.

The Big Red Box

There were other computers other than the Computers from Redmond and the New Computers from Finland. Everyone had nearly forgotten about the Computers That Came In A Big Red Box. These were invented by people from Utah who had their very own pieces of string. The people in Utah thought they had a good idea – everyone could store all of their passwords in a big Directory. This directory could then be spread out amongst all of the Computers Tied Together With Pieces Of String, so that all of the people could get at the Directory all of the time.

The people that used the Computers That Came In A Big Red Box thought this was a great idea. The only problem was, however, that you could only store passwords that belonged to other Computers That Came In A Big Red Box. The people that used the Computers That Came In A Big Red Box decided to fix this problem.

Meanwhile, the Telephone Standards People had thought of the idea of a Directory as well, called it X.500, and gave it a special protocol to access it, called (predictably) Directory Access Protocol. The Directory Access Protocol was too difficult to use, however, so the Computers That Came In A Big Red Box didn't use it. So, some Clever People That Worked At A University made the Directory Access Protocol a bit more light-weight, and equally predictably, called it Lightweight Directory Access Protocol, or LDAP for short.

Directories

Pretty soon, everyone thought that LDAP was a pretty good idea. People that used the New Computers, including the New Computers from Finland, were putting everything into a Directory using LDAP. You could store your password, your name, your phone number, your address, and even your shopping list in a Directory. The people that used the New Computers from Finland very soon had their Own LDAP Server.

Some people from a company called Godzilla or Mozilla or Netscape or something like that even had a Directory Server of their own, predictably called Netscape Directory Server.

Even the Boy from Redmond thought that Directories were a pretty neat idea, and so started to build his Year 2000 Computers using Directories. Since the Boy from Redmond had decided to risk being sued by every fitness company in the world by using the trademark "Active", he called his new toy the Active Directory.

Are Directories Safe?

It might seem that having passwords being sent around the pieces of string by a Directory is almost as bad as having the passwords sent around the pieces of string by NIS. This is very much the case, if you let it be: a Directory that lets anyone read everyone's userPassword is NIS all over again, and a plain (simple) bind sends the password itself down the string. The people that invented Directories have come up with some answers, however. The Directory keeps only a scrambled (hashed) password, and can be told that nobody may read it, only use it to check a bind (in OpenLDAP's words: to attrs=userPassword by self write by anonymous auth by * none). The string itself can be wrapped in TLS. And the bind can be done with Kerberos (SASL/GSSAPI), so that no password travels at all.
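How the Directory keeps a password it can check but nobody can read back, as an added example written for this page (not OpenLDAP's or Netscape's code): the {SSHA} userPassword scheme is base64 of SHA-1(password plus salt) followed by the salt, and a simple bind is the server looking up the entry and checking the password against that. The LDIF entries, names and passwords below are constructed for the example:

```python
import base64
import hashlib
import hmac
import os

# Added example, not from the page: a Directory's {SSHA} userPassword scheme
# (OpenLDAP's salted SHA-1: base64( SHA1(password || salt) || salt )) and the
# server side of a simple bind that checks it.

def ssha_hash(password, salt=None):
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode() + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode()

def ssha_verify(stored, password):
    if not stored.startswith("{SSHA}"):
        return False                      # other schemes not handled here
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]     # SHA-1 digest is 20 bytes; the rest is salt
    return hmac.compare_digest(digest, hashlib.sha1(password.encode() + salt).digest())

def parse_ldif(text):
    """Minimal LDIF reader: entries separated by blank lines, 'attr: value'
    or base64 'attr:: value'.  Returns {dn: {attr: [values]}}."""
    entries, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            current = None
            continue
        attr, _, value = line.partition(":")
        if value.startswith(":"):
            value = base64.b64decode(value[1:].strip()).decode()
        else:
            value = value.strip()
        if attr == "dn":
            current = entries.setdefault(value, {})
        elif current is not None:
            current.setdefault(attr, []).append(value)
    return entries

def simple_bind(directory, dn, password):
    """What the server does for an LDAP simple bind: find the entry and check
    the password against its userPassword hashes.  The password itself arrives
    in the clear inside the bind request, which is why the connection must be
    wrapped in TLS (or the bind done with Kerberos via SASL/GSSAPI instead)."""
    entry = directory.get(dn)
    if entry is None:
        return False
    return any(ssha_verify(h, password) for h in entry.get("userPassword", []))

# Constructed sample directory content.  alice's hash uses a fixed salt so the
# LDIF is reproducible; bob's gets a random one, as a real server would do.
ALICE_SALT = bytes([1, 2, 3, 4])
SAMPLE_LDIF = f"""dn: uid=alice,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice
cn: Alice Example
userPassword:: {base64.b64encode(ssha_hash("sunshine", ALICE_SALT).encode()).decode()}

dn: uid=bob,ou=People,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob
cn: Bob Example
userPassword: {ssha_hash("Tr0ub4dor&3")}
"""
DIRECTORY = parse_ldif(SAMPLE_LDIF)

if __name__ == "__main__":
    dn = "uid=alice,ou=People,dc=example,dc=com"
    print(simple_bind(DIRECTORY, dn, "sunshine"))  # True
    print(simple_bind(DIRECTORY, dn, "Sunshine"))  # False
```

The stored value is only as safe as the access control in front of it: with a four-byte salt and one SHA-1 per guess, a userPassword attribute that anonymous clients can read cracks about as quickly as the old NIS map did, so the "by * none" rule is not optional.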

The Future

Everybody will be using a Directory. Even the Boy from Redmond uses one now. Other authentication mechanisms will eventually be absorbed, or disappear. NIS will disappear.

Kerberos looked like it was going to die in the face of SSL. It will live on as an authentication mechanism, while SSL will be used as an encryption layer (as will ssh). Kerberos will be absorbed into a directory as an authentication mechanism for accessing the directory.

Apart from that ... who knows?


Constructed by Del (del@babel.com.au)