Authentication Task Group Meeting Minutes 2008/06/26

Agenda / Discussion

• Date: 2008/06/26
• Time: 10:00am-11:35am

• Membership
  • invitees: Mike P, Dave, Adrian, Lawrence, Clayton, Walter
  • observers: Isaac
• Attendees at today's meeting
  • Clayton, Adrian, Lawrence, Isaac, Dave, Mike P
• who else should be invited?
  • Omar?
  • Guoxiang?
  • Phil?
• Web pages
  • Authentication Task Group: https://www.cs.uwaterloo.ca/twiki/view/CF/AuthenticationTaskGroup
  • CS AD: https://www.cs.uwaterloo.ca/twiki/view/CF/CSCFActiveDirectory
  • Two Factor Service: https://www.cs.uwaterloo.ca/twiki/view/CFPrivate/TwoFactorAdministration
• Purpose of the group
  • Deciding direction for authentication services
  • Working out technical details for implementing those services
    • Populating the Active Directory
    • how to use for authentication and authorization
      • platform-specific issues
  • Understanding who is doing what
  • Informing other CSCF/CS staff on usage

• Where are we going (and timing?)
  • single-secure authentication for all CS resources
    • Solaris
      • Solaris8
        • no AD support planned -> upgrade!
      • Solaris10 (some services machines for now, eg: maildir)
        • upgrade all CPU and services machines to Solaris10 * Core region by Jan. 2009 * Front-end (fe-solaris) by Sept. 2008 * student regions by Jan. 2009 * research regions - tbd
    • Windows
      • Windows XP/2003 Server
      • Windows Vista
    • Linux
      • Ubuntu8
        • services machines
          • Front-end (fe-linux) Walter/Clayton
        • grad PCs (by September 2008)
          • Walter/Clayton
          • MP: would like password complexity rules are enforced
    • Mac
      • Teaching region - authenticate off AD, management using OpenDirectory
        • "Golden Triangle"
    • cleaning up /etc/shells
    • Research regions

• Where we are now?
  • passwd info (UID/GID/Gecos, etc.) is in the AD for the core region
  • shells/home directories, etc. assume homogeneous environment within a region
  • 8-character passwords will still be a problem in the CS core until core machines authenticate off AD

• what needs to happen
  • updating AD when accounts info is updated
  • need to agree on what /etc/shells should contain
  • need to set up shells in a known location
  • need to populate the AD, changing users' current shell to closest standard shell
  • check with Ray why restricted shells are in /etc/shells Adrian
  • MFCF login will no longer be used
  • eliminate SetPW (See ST#...)
  • eliminate accounts* package except Adminmaster and ?
  • NFS-mounted /u - make core & student region the same
  • auto-lockout logins for 5 minutes after repeated (3?) failures

• other issues
  • platform-specific mechanisms for managing admin info
  • short vs long userid directory
  • password change in the core truncates to 8 characters when sent to AD
    • when core machines use AD and MFCF passwd not used, then will be ok
    • in the meantime, what about a warning??

• Specific projects
  • Clayton - authenticating Solaris machines against our AD
  • Walter/Clayton - authenticating Linux clients against AD?

• Hurdles
  • shells are broken for Macs
  • group files - mapping logical unix group name to AD name
    • Mac groups
    • Group names and usernames can't be the same in AD * avoided by appending "_group" to group name * uses full name - length limits?
  • 8-character passwords

• Next meeting (if needed)
  • 2nd week of August - go/no go re:gradPC clients
    • invite Phil

• Future topics
  • Web authentications (Isaac)
    • needs "zillions" of groups for web applications/email mailing lists

• Action items
  • Adrian: check with Ray why restricted shells are in /etc/shells
  • Dave: create an ST on maintaining system files everywhere
  • Adrian: NFS-mounted /u - make core like student region
  • Clayton: Windows auto-lockout logins for 5 minutes after repeated (3?) failures
  • MP: Linux auto-lockout logins for 5 minutes after repeated (3?) failures
  • Walter/Clayton - Linux AD authentication by Sept. 2008