From cce03a7a139f4e860b1282f48675f15b1bb777ab Mon Sep 17 00:00:00 2001 From: Juan Carlos Luciani Date: Wed, 22 Nov 2006 05:21:33 +0000 Subject: [PATCH] Updated README and TODO files to reflect the current state of the project. --- CASA-auth-token/README | 15 +- CASA-auth-token/client/README | 39 +++-- CASA-auth-token/client/TODO | 7 +- CASA-auth-token/client/lib/README | 8 ++ CASA-auth-token/client/lib/TODO | 12 +- .../client/lib/mechanisms/krb5/README | 1 - .../client/lib/mechanisms/krb5/TODO | 5 +- .../client/lib/mechanisms/pwd/TODO | 6 +- .../com/novell/casa/jaas/CasaPrincipal.java | 2 + CASA-auth-token/server-java/README | 134 ++++++++++++++++-- CASA-auth-token/server-java/Svc/README | 14 +- CASA-auth-token/server-java/Svc/TODO | 5 +- CASA-auth-token/server-java/TODO | 6 +- .../server/AuthTokenValidate/Svc/README | 6 + CASA-auth-token/server/AuthTokenValidate/TODO | 2 +- CASA-auth-token/server/README | 113 +-------------- CASA-auth-token/server/TODO | 7 +- .../server/utilities/IpcLibs/README | 8 -- CASA-auth-token/server/utilities/IpcLibs/TODO | 2 +- 19 files changed, 222 insertions(+), 170 deletions(-) diff --git a/CASA-auth-token/README b/CASA-auth-token/README index 616da5a3..e3f360ad 100644 --- a/CASA-auth-token/README +++ b/CASA-auth-token/README 
@@ -82,18 +82,13 @@ The auth_token client/service protocol allows for the authentication of the clie auth_token relies in the server authentication mechanisms of SSL to verify the identity of the ATS. -IMPLEMENTATION STRATEGY AND CURRENT STATUS +CURRENT STATUS -auth_token is currently under development and is not ready to be used in production. -The implementation strategy has been to first complete the framework with all of its -modules, APIs, and packaging to allow application writters to start developing to it. -Once this is done, then the implementation focus will switch to completing the plumbing. +CASA-auth-token status is mostly code complete and has entered the testing phase. We will +be making changes during this phase based on the feedback received. -As of this time, a lot of the framework has been completed and there are sample -applications that can be utilized to exercise it. For a more complete picture of where -we are, look at the various TODO lists present in the child folders. - -The schedule for completing auth_token is agressive. +The items whose implemetation is still pending are listed in the TODO files for the various +components. SECURITY CONSIDERATIONS diff --git a/CASA-auth-token/client/README b/CASA-auth-token/client/README index 48d961e0..64bffc05 100644 --- a/CASA-auth-token/client/README +++ b/CASA-auth-token/client/README 
@@ -82,26 +82,15 @@ The auth_token client/service protocol allows for the authentication of the clie auth_token relies in the server authentication mechanisms of SSL to verify the identity of the ATS. -IMPLEMENTATION STRATEGY AND CURRENT STATUS - -auth_token is currently under development and is not ready to be used in production. -The implementation strategy has been to first complete the framework with all of its -modules, APIs, and packaging to allow application writters to start developing to it. -Once this is done, then the implementation focus will switch to completing the plumbing. - -As of this time, a lot of the framework has been completed and there are sample -applications that can be utilized to exercise it. For a more complete picture of where -we are, look at the various TODO lists present in the child folders. - -The schedule for completing auth_token is agressive. - REQUIREMENTS FOR BUILDING THE SOFTWARE PACKAGE ON WINDOWS - - Install Visual Studio .NET 2003 - - Install Windows Platform SDK for Windows Server 2003 SP1 - - Register the platform sdk with VS - Start/All Programs/Windows Platform SDK for Windows Server 2003 SP1/Visual Studio Registration/Register PSDK Directories with Visual Studio + - Install Visual Studio 2005. + - Install Windows Platform SDK for Windows Server 2003 SP1. + - Register the platform sdk with VS - Start/All Programs/Windows Platform SDK for + Windows Server 2003 SP1/Visual Studio Registration/Register PSDK Directories with + Visual Studio. - Install Cygwin - See instructions below. - - Extract Expat-2.0.0.zip in casa source directory parent + - Extract Expat-2.0.0.zip in casa source directory parent. - Install Casa Download and start cygwin install: 
@@ -179,9 +168,8 @@ bash --login -i REQUIREMENTS FOR BUILDING THE SOFTWARE PACKAGE ON LINUX -Install latest mono and mono-devel RPM - Obtain RPMs from -www.go-mono.org. - +Install needed RPMs. Look at BuildRequires line in CASA_auth_token_server.spec.in file +in package/linux folder to see a list of RPM build dependencies. BUILDING THE SOFTWARE PACKAGE @@ -222,7 +210,7 @@ source distribution (configure, Makefile.in files, and other distributed autotools files are not removed) make maintainer-clean - removes files to return state back to same as -the CVS checkout (you will need to run ./autogen.sh again before running +the SVN checkout (you will need to run ./autogen.sh again before running make again) SECURITY CONSIDERATIONS @@ -231,6 +219,15 @@ CASA Authentication Tokens when compromised can be used to either impersonate a user or to obtain identity information about the user. Because of this it is important that the tokens be secured by applications making use of them. It is recommended that the tokens be transmitted using SSL. + +Currently, the Authentication Token Client defaults to allow the setup of SSL +connections with an ATS even if the Certificate presented by the ATS is considered +invalid. In this mode, it is possible for a malicious user to set up a server which +impersonates an ATS for the purpose of acquiring user credentials. This default +will be modified once we implement a mechanism to give the user the option of either +approving or rejecting a certificate. If this behavior is un-acceptable to you then +you can configure the client to not allow SSL connections to be setup with invalid +server certificates by modifying the settings present in the client.conf file. diff --git a/CASA-auth-token/client/TODO b/CASA-auth-token/client/TODO index ca5a4629..5a45c5b3 100644 --- a/CASA-auth-token/client/TODO +++ b/CASA-auth-token/client/TODO 
@@ -6,12 +6,13 @@ INTRODUCTION -This file contains a list of the items still outstanding for auth_token. +This file contains a list of the items still outstanding for auth_token +client components. Note: There are TODO lists under each auth_token component. This file just details outstanding items at the project level. OUTSTANDING ITEMS -- Add mechanism to try communicating with ATS over port 443 if communications - over port 2645 fail. +- Create Java binding to GetAuthToken() API. + diff --git a/CASA-auth-token/client/lib/README b/CASA-auth-token/client/lib/README index 60986c80..00735d67 100644 --- a/CASA-auth-token/client/lib/README +++ b/CASA-auth-token/client/lib/README @@ -34,6 +34,14 @@ interacting with ATSs, invoking the authentication mechanism plug-ins, and managing the authentication token cache. libcasa_c_authtoken also provides the Get Authentication Token API. +CONFIGURATION + +libcasa_c_authtoken has several configuration settings that can be modified to +change its default behavior. To modify the libcasa_c_authtoken configuration +you need to edit the client.conf file. The path to the client.conf file under +linux is /etc/CASA/authtoken/client/client.conf. The path to the client.conf file +under windows is \Program Files\novell\CASA\Etc\Auth\client.conf. + CONFIGURING ADDITIONAL AUTHENTICATION MECHANISM MODULES libcasa_c_authtoken utilizes mechanism plug-ins for authenticating to ATSs. diff --git a/CASA-auth-token/client/lib/TODO b/CASA-auth-token/client/lib/TODO index 07ce4dc8..1281649f 100644 --- a/CASA-auth-token/client/lib/TODO +++ b/CASA-auth-token/client/lib/TODO 
@@ -10,4 +10,14 @@ This file contains a list of the items still outstanding for libcasa_c_authtoken OUTSTANDING ITEMS -None. +- Add mechanism to try communicating with ATS over port 443 if communications + over port 2645 fail. + +- Enhance the AuthMechanism interface to support authentication schemes that + require several token exchanges between the client and the server. This will + also require the enhancement of the client/server protocol utilized for + authentication. + +- Add mechanism to allow a user to either accept or reject server certificates + considered invalid. + diff --git a/CASA-auth-token/client/lib/mechanisms/krb5/README b/CASA-auth-token/client/lib/mechanisms/krb5/README index d2e696fd..2e358103 100644 --- a/CASA-auth-token/client/lib/mechanisms/krb5/README +++ b/CASA-auth-token/client/lib/mechanisms/krb5/README @@ -34,7 +34,6 @@ authentication. The mechanism leverages the services of the native Kerberos 5 client to obtain Kerberos Tokens that can be used for authenticating an entity to a Kerberos service. - SECURITY CONSIDERATIONS The tokens that krb5mech generates are only utilized to authenticate the client diff --git a/CASA-auth-token/client/lib/mechanisms/krb5/TODO b/CASA-auth-token/client/lib/mechanisms/krb5/TODO index d3df377c..ea7d8a8b 100644 --- a/CASA-auth-token/client/lib/mechanisms/krb5/TODO +++ b/CASA-auth-token/client/lib/mechanisms/krb5/TODO @@ -10,4 +10,7 @@ This file contains a list of the items still outstanding for krb5mech. OUTSTANDING ITEMS -None. +- Change to also do server authentication once the AuthMechanism interface + is enhanced to support authentication schemes that require several token + exchanges between the client and the server. Allow this to be configurable. +. diff --git a/CASA-auth-token/client/lib/mechanisms/pwd/TODO b/CASA-auth-token/client/lib/mechanisms/pwd/TODO index 08437725..848fe062 100644 --- a/CASA-auth-token/client/lib/mechanisms/pwd/TODO +++ b/CASA-auth-token/client/lib/mechanisms/pwd/TODO 
@@ -10,4 +10,8 @@ This file contains a list of the items still outstanding for pwmech. OUTSTANDING ITEMS -None. +- Allow the server to specify that Desktop credentials should not be + utilized. + +- Try to find way to remove credentials from miCASA cache which are + found to be invalid. diff --git a/CASA-auth-token/server-java/Jaas/src/com/novell/casa/jaas/CasaPrincipal.java b/CASA-auth-token/server-java/Jaas/src/com/novell/casa/jaas/CasaPrincipal.java index ef97808e..7628cf78 100644 --- a/CASA-auth-token/server-java/Jaas/src/com/novell/casa/jaas/CasaPrincipal.java +++ b/CASA-auth-token/server-java/Jaas/src/com/novell/casa/jaas/CasaPrincipal.java @@ -18,6 +18,8 @@ * To contact Novell about this file by physical or electronic mail, * you may find current contact information at www.novell.com. * + * Author: Juan Carlos Luciani + * ***********************************************************************/ package com.novell.casa.jaas; diff --git a/CASA-auth-token/server-java/README b/CASA-auth-token/server-java/README index 616da5a3..b8822c1c 100644 --- a/CASA-auth-token/server-java/README +++ b/CASA-auth-token/server-java/README 
@@ -82,18 +82,134 @@ The auth_token client/service protocol allows for the authentication of the clie auth_token relies in the server authentication mechanisms of SSL to verify the identity of the ATS. -IMPLEMENTATION STRATEGY AND CURRENT STATUS +REQUIREMENTS FOR BUILDING THE SOFTWARE PACKAGE ON WINDOWS -auth_token is currently under development and is not ready to be used in production. -The implementation strategy has been to first complete the framework with all of its -modules, APIs, and packaging to allow application writters to start developing to it. -Once this is done, then the implementation focus will switch to completing the plumbing. + - Install Visual Studio 2005. + - Install Windows Platform SDK for Windows Server 2003 SP1. + - Register the platform sdk with VS - Start/All Programs/Windows Platform SDK for + Windows Server 2003 SP1/Visual Studio Registration/Register PSDK Directories with + Visual Studio. + - Install Cygwin - See instructions below. -As of this time, a lot of the framework has been completed and there are sample -applications that can be utilized to exercise it. For a more complete picture of where -we are, look at the various TODO lists present in the child folders. +Download and start cygwin install: +Browse to http://sources.redhat.com/cygwin/ -The schedule for completing auth_token is agressive. +Click on "Install or update now!" 
or "Install Cygwin now" + +Cygwin Setup: +Next + +Cygwin Setup - Choose Installation Type: +Install from Internet +Next + +Cygwin Setup - Choose Installation Directory: +Root Directory: C:\cygwin +Install For: "All Users" + +Default Text File Type: DOS + +Cygwin Setup - Select Local Package Directory: + Local Package Directory: C:\cygwin-packages + +Cygwin Setup - Select Connection Type: + Direct Connection + +Choose A Download Site: + ftp://ftp.nas.nasa.gov + +Cywin Setup - Select Packages: + Base: + defaults + + Devel: + autoconf + automake + libtool + make + pkgconfig + cvs + gcc + gcc-g++ + + Editors: + vim (optional) + + Net: + openssh + openssl + + Text: + more + + Utils: + clear (optional) + +Cygwin Setup - Create Icons: +Finish + +Edit cygwin.bat (c:\cygwin\cygwin.bat) to add a call to +%VS71COMNTOOLS%\vsvars32.bat (see example below). This sets up the +Visual Studio tools in Cygwin. + +Sample cygwin.bat: + +@echo off + +call "%VS71COMNTOOLS%\vsvars32.bat" > NUL + +C: +chdir C:\cygwin\bin + +bash --login -i + + +REQUIREMENTS FOR BUILDING THE SOFTWARE PACKAGE ON LINUX + +Install needed RPMs. Look at BuildRequires line in CASA_auth_token_svc.spec.in file +in package/linux folder to see a list of RPM build dependencies. + +BUILDING THE SOFTWARE PACKAGE + +Windows: Start at Step 1. +Linux: Skip to Step 2. + +1. Run cygwin.bat to start up Cygwin. + +2. Generate autotools files: +./autogen.sh --prefix=/ [--enable-debug] +( is some writable directory where 'make install' will +install files for testing. + +3. To reconfigure later, or to configure software that came from a source +distribution (.tar.gz) file, use configure. +./configure --prefix/ [--enable-debug] +(run ./configure --help for more options) + +4. 
Select your make target, here are a few interesting ones: + +make [all] - build product files (package files not included) + +make clean - clean up files built by 'make all' + +make package - build product and package files + +make package-clean - clean up package files + +make install - install product files to specified by +--prefix during configure + +make uninstall - undo 'make install' + +make dist - build a source distribution tarball. + +make distclean - removes files to return state back to same as the +source distribution (configure, Makefile.in files, and other distributed +autotools files are not removed) + +make maintainer-clean - removes files to return state back to same as +the SVN checkout (you will need to run ./autogen.sh again before running +make again) SECURITY CONSIDERATIONS diff --git a/CASA-auth-token/server-java/Svc/README b/CASA-auth-token/server-java/Svc/README index 9d2a74fb..e90d11ce 100644 --- a/CASA-auth-token/server-java/Svc/README +++ b/CASA-auth-token/server-java/Svc/README 
@@ -326,7 +326,19 @@ CONFIGURING ADDITIONAL IDENTITY TOKEN PROVIDERS SECURITY CONSIDERATIONS -- TBD - +The ATS runs over Tomcat and by default receives requests over HTTPS on port 2645. For ease +of use, the basic ATS setup scrip creates a self-signed certificate to be used by SSL. The +use of self-signed certificates weakens the security properties of the SSL channel by forcing +clients to accept them. At this time, the default mode for auth_token clients is to allow +self signed-certificates. It is recommended that administrators obtain a certificate signed +by the appropriate authority and configure the ATS to use it and change the auth_token client +configuration to not accept invalid certificates to avoid this issue. + +CASA Authenticatication Tokens when compromised can be used to either impersonate +a user or to obtain identity information about the user. Because of this it is +important that the tokens be secured by applications making use of them. It is +recommended that the tokens be transmitted using SSL. + diff --git a/CASA-auth-token/server-java/Svc/TODO b/CASA-auth-token/server-java/Svc/TODO index 7b79a6c6..2b7224bd 100644 --- a/CASA-auth-token/server-java/Svc/TODO +++ b/CASA-auth-token/server-java/Svc/TODO 
@@ -10,10 +10,13 @@ This file contains a list of the items still outstanding for AuthTokenSvc. OUTSTANDING ITEMS -- Switch to a Web Services model where the Client/Server protocol uses SOAP.(This is under evaluation). +- Switch Client/Server communication to use SOAP.(This is under evaluation). - Add code to verify that client/server communications occur over HTTPS. - Add logging. - Create plug-in API for Identity Token Providers. - Change printfs used for debugging into a suitable mechanism. - Create tool to connect Tomcat instance to Apache Server and disabling port 2645 listener. +- Create tool to help administrators import certificates into the ATS's key store. +- Create tool to better edit the iaRealms file. +- Add identity token encryption capabilities. diff --git a/CASA-auth-token/server-java/TODO b/CASA-auth-token/server-java/TODO index e45eac67..d2fe93e0 100644 --- a/CASA-auth-token/server-java/TODO +++ b/CASA-auth-token/server-java/TODO @@ -6,11 +6,13 @@ INTRODUCTION -This file contains a list of the items still outstanding for auth_token. +This file contains a list of the items still outstanding for auth_token +server-java components. Note: There are TODO lists under each auth_token component. This file just details outstanding items at the project level. OUTSTANDING ITEMS -None. +- Create ATS Windows install. + diff --git a/CASA-auth-token/server/AuthTokenValidate/Svc/README b/CASA-auth-token/server/AuthTokenValidate/Svc/README index 84da76dc..223572ca 100644 --- a/CASA-auth-token/server/AuthTokenValidate/Svc/README +++ b/CASA-auth-token/server/AuthTokenValidate/Svc/README @@ -1,3 +1,4 @@ + /*********************************************************************** * * Copyright (C) 2006 Novell, Inc. All Rights Reserved. 
@@ -63,6 +64,11 @@ CasaAuthtokenValidateD has the following command line parameters: -d Optional parameter that specifies that the service must be run as a daemon. + -s + Do not use multiple threads to call into the JVM when invoking the authentication + token verification classes. This option was added to have a temporary work around + to bug present in Sun's JVM Invoke Interface (BUG221420). + SECURITY CONSIDERATIONS Appropriate rights need to be set on the folder used by CasaAuthtokenValidateD to diff --git a/CASA-auth-token/server/AuthTokenValidate/TODO b/CASA-auth-token/server/AuthTokenValidate/TODO index 730eb6f1..5d04c5e8 100644 --- a/CASA-auth-token/server/AuthTokenValidate/TODO +++ b/CASA-auth-token/server/AuthTokenValidate/TODO @@ -10,4 +10,4 @@ This file contains a list of the items still outstanding for libcasa_s_authtoken OUTSTANDING ITEMS -None. +- Add support for encrypted identity tokens. diff --git a/CASA-auth-token/server/README b/CASA-auth-token/server/README index 48d961e0..42dd2a98 100644 --- a/CASA-auth-token/server/README +++ b/CASA-auth-token/server/README 
@@ -82,113 +82,10 @@ The auth_token client/service protocol allows for the authentication of the clie auth_token relies in the server authentication mechanisms of SSL to verify the identity of the ATS. -IMPLEMENTATION STRATEGY AND CURRENT STATUS - -auth_token is currently under development and is not ready to be used in production. -The implementation strategy has been to first complete the framework with all of its -modules, APIs, and packaging to allow application writters to start developing to it. -Once this is done, then the implementation focus will switch to completing the plumbing. - -As of this time, a lot of the framework has been completed and there are sample -applications that can be utilized to exercise it. For a more complete picture of where -we are, look at the various TODO lists present in the child folders. - -The schedule for completing auth_token is agressive. - -REQUIREMENTS FOR BUILDING THE SOFTWARE PACKAGE ON WINDOWS - - - Install Visual Studio .NET 2003 - - Install Windows Platform SDK for Windows Server 2003 SP1 - - Register the platform sdk with VS - Start/All Programs/Windows Platform SDK for Windows Server 2003 SP1/Visual Studio Registration/Register PSDK Directories with Visual Studio - - Install Cygwin - See instructions below. - - Extract Expat-2.0.0.zip in casa source directory parent - - Install Casa - -Download and start cygwin install: -Browse to http://sources.redhat.com/cygwin/ - -Click on "Install or update now!" 
or "Install Cygwin now" - -Cygwin Setup: -Next - -Cygwin Setup - Choose Installation Type: -Install from Internet -Next - -Cygwin Setup - Choose Installation Directory: -Root Directory: C:\cygwin -Install For: "All Users" - -Default Text File Type: DOS - -Cygwin Setup - Select Local Package Directory: - Local Package Directory: C:\cygwin-packages - -Cygwin Setup - Select Connection Type: - Direct Connection - -Choose A Download Site: - ftp://ftp.nas.nasa.gov - -Cywin Setup - Select Packages: - Base: - defaults - - Devel: - autoconf - automake - libtool - make - pkgconfig - cvs - gcc - gcc-g++ - - Editors: - vim (optional) - - Net: - openssh - openssl - - Text: - more - - Utils: - clear (optional) - -Cygwin Setup - Create Icons: -Finish - -Edit cygwin.bat (c:\cygwin\cygwin.bat) to add a call to -%VS71COMNTOOLS%\vsvars32.bat (see example below). This sets up the -Visual Studio tools in Cygwin. - -Sample cygwin.bat: - -@echo off - -call "%VS71COMNTOOLS%\vsvars32.bat" > NUL - -C: -chdir C:\cygwin\bin - -bash --login -i - - -REQUIREMENTS FOR BUILDING THE SOFTWARE PACKAGE ON LINUX - -Install latest mono and mono-devel RPM - Obtain RPMs from -www.go-mono.org. - - BUILDING THE SOFTWARE PACKAGE -Windows: Start at Step 1. -Linux: Skip to Step 2. - -1. Run cygwin.bat to start up Cygwin. +1. Install needed RPMs. Look at BuildRequires line in CASA_auth_token_server.spec.in file +in package/linux folder to see a list of RPM build dependencies. 2. Generate autotools files: ./autogen.sh --prefix=/ [--enable-debug] @@ -222,7 +119,7 @@ source distribution (configure, Makefile.in files, and other distributed autotools files are not removed) make maintainer-clean - removes files to return state back to same as -the CVS checkout (you will need to run ./autogen.sh again before running +the SVN checkout (you will need to run ./autogen.sh again before running make again) SECURITY CONSIDERATIONS 
@@ -231,6 +128,10 @@ CASA Authentication Tokens when compromised can be used to either impersonate a user or to obtain identity information about the user. Because of this it is important that the tokens be secured by applications making use of them. It is recommended that the tokens be transmitted using SSL. + +Token validation requires the installation of the certificate used by ATSs to +sign the tokens. The software assumes that any certificate installed by the +administrator is valid. diff --git a/CASA-auth-token/server/TODO b/CASA-auth-token/server/TODO index ca5a4629..31edabc5 100644 --- a/CASA-auth-token/server/TODO +++ b/CASA-auth-token/server/TODO @@ -6,12 +6,13 @@ INTRODUCTION -This file contains a list of the items still outstanding for auth_token. +This file contains a list of the items still outstanding for auth_token +server components. Note: There are TODO lists under each auth_token component. This file just details outstanding items at the project level. OUTSTANDING ITEMS -- Add mechanism to try communicating with ATS over port 443 if communications - over port 2645 fail. +None. + diff --git a/CASA-auth-token/server/utilities/IpcLibs/README b/CASA-auth-token/server/utilities/IpcLibs/README index efdcea61..5e8f6dbf 100644 --- a/CASA-auth-token/server/utilities/IpcLibs/README +++ b/CASA-auth-token/server/utilities/IpcLibs/README @@ -93,11 +93,3 @@ tcp/ip and Domain sockets communications. By leveraging the File System Access Control features, you can scope communications that occur over Domain sockets to specific or groups of users. - - - - - - - - diff --git a/CASA-auth-token/server/utilities/IpcLibs/TODO b/CASA-auth-token/server/utilities/IpcLibs/TODO index f8074da2..6a7da05b 100644 --- a/CASA-auth-token/server/utilities/IpcLibs/TODO +++ b/CASA-auth-token/server/utilities/IpcLibs/TODO 
@@ -10,5 +10,5 @@ This file contains a list of the items still outstanding for IpcLibs. OUTSTANDING ITEMS -- Add APIs to allow for the senging of fragmented request and reply data. +- Add APIs to allow for the sending of fragmented request and reply data.
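Review bot: typo in the added CURRENT STATUS paragraph of CASA-auth-token/README: "implemetation" should be "implementation". The first sentence also reads awkwardly ("CASA-auth-token status is mostly code complete"); suggest "CASA-auth-token is mostly code complete and has entered the testing phase."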
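Review bot: the new SECURITY CONSIDERATIONS paragraph in CASA-auth-token/client/README documents an insecure default (SSL connections are set up even when the ATS certificate is invalid) but does not name the client.conf setting that turns it off, so a reader cannot act on the advice without reading the config file; quote the exact setting name and its secure value here. Because the same README states that auth_token relies on the SSL server authentication mechanisms to verify the identity of the ATS, consider also adding an item to client/lib/TODO to flip the default to reject invalid certificates once the accept/reject prompt exists (the client/lib/TODO hunk adds the prompt but not the default change). Minor: "un-acceptable" should be "unacceptable".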
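Review bot: inconsistency in the added Windows build section of CASA-auth-token/server-java/README: the requirements now say "Install Visual Studio 2005." but the sample cygwin.bat still calls "%VS71COMNTOOLS%\vsvars32.bat", the variable set by Visual Studio .NET 2003 (the version the old requirement listed); for Visual Studio 2005 the variable is VS80COMNTOOLS, so either the requirement or the sample needs updating, and the client/README hunk carries the same pairing. In the same section, step 3 reads "./configure --prefix/ [--enable-debug]" and is missing the "=" that step 2's "./autogen.sh --prefix=/" has. The Cygwin Devel package list still installs "cvs" even though the maintainer-clean text in this patch was changed from "CVS checkout" to "SVN checkout"; "subversion" is probably the package wanted now. Typo: "Cywin Setup - Select Packages".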
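Review bot: typos in the added SECURITY CONSIDERATIONS text of CASA-auth-token/server-java/Svc/README: "scrip" should be "script", "self signed-certificates" should be "self-signed certificates", and "Authenticatication" should be "Authentication". On substance, the paragraph tells administrators to "change the auth_token client configuration to not accept invalid certificates" but, like client/README, never names the client.conf setting; quoting it here would make the recommendation actionable.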
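Review bot: missing space in the first item of CASA-auth-token/server-java/Svc/TODO: "SOAP.(This is under evaluation)." should be "SOAP. (This is under evaluation)." The retained item "Add code to verify that client/server communications occur over HTTPS." also sits oddly next to the new Svc/README statement that the ATS "by default receives requests over HTTPS on port 2645"; a short note that HTTPS is the default but not yet enforced would keep the two files consistent.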
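Review bot: stray line in CASA-auth-token/client/lib/mechanisms/krb5/TODO: the added item is followed by a line containing only "." which looks like a leftover from editing; drop it (the other TODO files end their lists with a blank line).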
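Review bot: the new "-s" option text in CASA-auth-token/server/AuthTokenValidate/Svc/README describes single-threaded JVM invocation as a "temporary work around", but the corresponding CASA-auth-token/server/AuthTokenValidate/TODO hunk only adds "Add support for encrypted identity tokens."; add a TODO entry to remove "-s" once the JVM bug is resolved so the workaround does not become permanent. Grammar: "work around to bug present in" should be "workaround for a bug present in". The first hunk of this README also inserts an empty line above the "/*****" copyright header at the top of the file, which looks unintended.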
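Review bot: the paragraph added to CASA-auth-token/server/README ("The software assumes that any certificate installed by the administrator is valid.") states the trust assumption but not where the ATS signing certificate is installed or what rights that location needs; since token validation trusts that file completely, give the path here and point to the folder-rights note in server/AuthTokenValidate/Svc/README's SECURITY CONSIDERATIONS ("Appropriate rights need to be set on the folder used by CasaAuthtokenValidateD").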