Updated README and TODO files to reflect the current state of the
project.
@@ -82,26 +82,15 @@ The auth_token client/service protocol allows for the authentication of the clie
auth_token relies in the server authentication mechanisms of SSL to verify the identity
of the ATS.

IMPLEMENTATION STRATEGY AND CURRENT STATUS

auth_token is currently under development and is not ready to be used in production.
The implementation strategy has been to first complete the framework with all of its
modules, APIs, and packaging to allow application writters to start developing to it.
Once this is done, then the implementation focus will switch to completing the plumbing.

As of this time, a lot of the framework has been completed and there are sample
applications that can be utilized to exercise it. For a more complete picture of where
we are, look at the various TODO lists present in the child folders.

The schedule for completing auth_token is agressive.

REQUIREMENTS FOR BUILDING THE SOFTWARE PACKAGE ON WINDOWS

- Install Visual Studio .NET 2003
- Install Windows Platform SDK for Windows Server 2003 SP1
- Register the platform sdk with VS - Start/All Programs/Windows Platform SDK for Windows Server 2003 SP1/Visual Studio Registration/Register PSDK Directories with Visual Studio
- Install Visual Studio 2005.
- Install Windows Platform SDK for Windows Server 2003 SP1.
- Register the platform sdk with VS - Start/All Programs/Windows Platform SDK for
Windows Server 2003 SP1/Visual Studio Registration/Register PSDK Directories with
Visual Studio.
- Install Cygwin - See instructions below.
- Extract Expat-2.0.0.zip in casa source directory parent
- Extract Expat-2.0.0.zip in casa source directory parent.
- Install Casa

Download and start cygwin install:
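Review bot: the Windows requirements list in this hunk shows the old and new variants of several entries next to each other (Visual Studio .NET 2003 and Visual Studio 2005; two "Extract Expat-2.0.0.zip" lines differing only by a trailing period; two "Register the platform sdk" entries), so confirm the superseded lines are really removed in the committed README rather than left as duplicates. The new "- Install Casa" item gives no version or source; say which CASA package is required and where to obtain it. While here, "writters" should be "writers", "agressive" should be "aggressive", and "relies in the server authentication mechanisms of SSL" should read "relies on".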
@@ -179,9 +168,8 @@ bash --login -i

REQUIREMENTS FOR BUILDING THE SOFTWARE PACKAGE ON LINUX

Install latest mono and mono-devel RPM - Obtain RPMs from
www.go-mono.org.

Install needed RPMs. Look at BuildRequires line in CASA_auth_token_server.spec.in file
in package/linux folder to see a list of RPM build dependencies.

BUILDING THE SOFTWARE PACKAGE

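Review bot: "Install latest mono and mono-devel RPM" pins nothing and will drift; state the minimum Mono version the build was verified against. The pointer to the BuildRequires line is useful, but give the spec file as one copyable relative path (package/linux/CASA_auth_token_server.spec.in) and write the download location as a full URL (http://www.go-mono.org) rather than a bare host name.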
@@ -222,7 +210,7 @@ source distribution (configure, Makefile.in files, and other distributed
autotools files are not removed)

make maintainer-clean - removes files to return state back to same as
the CVS checkout (you will need to run ./autogen.sh again before running
the SVN checkout (you will need to run ./autogen.sh again before running
make again)

SECURITY CONSIDERATIONS
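Review bot: the CVS to SVN wording fix in the "make maintainer-clean" description is correct; check the rest of the README (checkout instructions and the build section above this hunk) for other mentions of CVS so the repository is named consistently throughout.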
@@ -231,6 +219,15 @@ CASA Authentication Tokens when compromised can be used to either impersonate
a user or to obtain identity information about the user. Because of this it is
important that the tokens be secured by applications making use of them. It is
recommended that the tokens be transmitted using SSL.

Currently, the Authentication Token Client defaults to allow the setup of SSL
connections with an ATS even if the Certificate presented by the ATS is considered
invalid. In this mode, it is possible for a malicious user to set up a server which
impersonates an ATS for the purpose of acquiring user credentials. This default
will be modified once we implement a mechanism to give the user the option of either
approving or rejecting a certificate. If this behavior is un-acceptable to you then
you can configure the client to not allow SSL connections to be setup with invalid
server certificates by modifying the settings present in the client.conf file.

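Review bot: the new paragraph documents an insecure-by-default setting: the client establishes SSL sessions with an ATS whose certificate is invalid, which, as the paragraph itself says, lets a rogue server impersonate an ATS and collect credentials. Two things should change. First, the README text earlier in this same change states that "auth_token relies in the server authentication mechanisms of SSL to verify the identity of the ATS"; that is not true while this default stands, so either qualify that sentence or flip the default to reject invalid certificates and make acceptance the explicit opt-in until the approve/reject mechanism exists. Second, "by modifying the settings present in the client.conf file" is not actionable: name the exact key and value that enforce certificate validation and point at the client.conf locations given in the libcasa_c_authtoken README. Also "un-acceptable" should be "unacceptable".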
@@ -6,12 +6,13 @@

INTRODUCTION

This file contains a list of the items still outstanding for auth_token.
This file contains a list of the items still outstanding for auth_token
client components.

Note: There are TODO lists under each auth_token component. This file just
details outstanding items at the project level.

OUTSTANDING ITEMS

- Add mechanism to try communicating with ATS over port 443 if communications
over port 2645 fail.
- Create Java binding to GetAuthToken() API.

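Review bot: the introduction is narrowed to "auth_token client components" while the Note two lines below still says this file "details outstanding items at the project level"; make the two agree. The "try port 443 if port 2645 fails" item is added here and again, later in this change, to the libcasa_c_authtoken TODO; track it in one place. When that fallback is implemented, the 443 path must apply the same certificate validation as the 2645 path, otherwise the lenient default described in the README security section gains a second route.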
@@ -34,6 +34,14 @@ interacting with ATSs, invoking the authentication mechanism plug-ins, and
managing the authentication token cache. libcasa_c_authtoken also provides
the Get Authentication Token API.

CONFIGURATION

libcasa_c_authtoken has several configuration settings that can be modified to
change its default behavior. To modify the libcasa_c_authtoken configuration
you need to edit the client.conf file. The path to the client.conf file under
linux is /etc/CASA/authtoken/client/client.conf. The path to the client.conf file
under windows is \Program Files\novell\CASA\Etc\Auth\client.conf.

CONFIGURING ADDITIONAL AUTHENTICATION MECHANISM MODULES

libcasa_c_authtoken utilizes mechanism plug-ins for authenticating to ATSs.

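Review bot: the new CONFIGURATION section says libcasa_c_authtoken "has several configuration settings" but names none of them; list each key with its default and effect, at minimum the one that controls whether SSL connections to an ATS presenting an invalid certificate are allowed, since the top-level README sends readers to client.conf for exactly that. The Windows path "\Program Files\novell\CASA\Etc\Auth\client.conf" has no drive letter; express it relative to %ProgramFiles% so it holds on non-default installs. The Linux path sits under /etc/CASA/authtoken/client/ while the Windows one sits under ...\Etc\Auth\; confirm both are correct.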
@@ -10,4 +10,14 @@ This file contains a list of the items still outstanding for libcasa_c_authtoken

OUTSTANDING ITEMS

None.
- Add mechanism to try communicating with ATS over port 443 if communications
over port 2645 fail.

- Enhance the AuthMechanism interface to support authentication schemes that
require several token exchanges between the client and the server. This will
also require the enhancement of the client/server protocol utilized for
authentication.

- Add mechanism to allow a user to either accept or reject server certificates
considered invalid.

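Review bot: replacing "None." with real items is the right fix. The "accept or reject server certificates considered invalid" item is what currently blocks fixing the insecure default documented in the README security section, so flag it as the priority and record that the client should fail closed on invalid certificates until it lands. The port-443 fallback item duplicates the one in the project-level TODO; keep it in one file.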
@@ -34,7 +34,6 @@ authentication. The mechanism leverages the services of the native Kerberos 5
client to obtain Kerberos Tokens that can be used for authenticating an entity
to a Kerberos service.


SECURITY CONSIDERATIONS

The tokens that krb5mech generates are only utilized to authenticate the client

@@ -10,4 +10,7 @@ This file contains a list of the items still outstanding for krb5mech.

OUTSTANDING ITEMS

None.
- Change to also do server authentication once the AuthMechanism interface
is enhanced to support authentication schemes that require several token
exchanges between the client and the server. Allow this to be configurable.
.

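Review bot: the line containing only "." after "Allow this to be configurable." looks like an editing leftover; remove it. On the item itself: if server authentication in krb5mech becomes configurable, the default should be to perform it, with skipping as the explicit opt-out, so the mechanism does not end up with the same accept-anything posture the README currently documents for SSL.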
@@ -10,4 +10,8 @@ This file contains a list of the items still outstanding for pwmech.

OUTSTANDING ITEMS

None.
- Allow the server to specify that Desktop credentials should not be
utilized.

- Try to find way to remove credentials from miCASA cache which are
found to be invalid.

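Review bot: "found to be invalid" is ambiguous; say whether it means rejected by the ATS, expired, or malformed, since the cache-eviction logic differs for each. For the "server to specify that Desktop credentials should not be utilized" item, record that this is a server-to-client policy the client must enforce and where in the client/server protocol it is carried, so it is not implemented as advisory.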