Architecture for the TwoFactor Authentication Service
The TwoFactor service makes use of technology developed by CRYPTOCard (http://www.cryptocard.com
), using their KT-1 tokens. KT-1 tokens are similar to SecurID tokens except the KT-1 tokens don't expire (just replace the batteries) and don't suffer from timing issues. The code on the KT-1 token doesn't change automatically, you instead push a button.
The authentication service itself is provided by two servers running Linux and the CRYPTO-Server software. One server is the "master" and the other is a replica. Management of the service is done via a Linux or Windows desktop computer running the CRYPTO-Console software and a KT-1 token initializer device hooked-up via USB. Use of the service is accomplished either via the installation of an agent or by using RADIUS. There is an agent for Windows domain controllers. On *nix and Darwin, we use the pam-radius module.
Please note that this is an authentication service, not an authorization service. Management of authorization is best done by the clients of the service (eg. a sudoers file on a Linux host, or a "Domain Admins" group in an Active Directory domain/forest).
Server Information
All servers used by the TwoFactor authentication service are VMware Server virtual machines hosted by a set of six SunFire x2100 servers. Three to the physical servers are located in DC 3558, the other three are housed in MC 3015. The host operating system is Ubuntu 6.06 Server (amd64). watiknow.cscf (Linux) - Houses the master CRYPTO-Server that provides the core of the TwoFactor authentication service. This host also houses a freeRadius server that acts as the primary authorization server for CSCF switches and firewalls. watihave.cscf (Linux) - Houses the replica CRYPTO-Server that provides the core of the TwoFactor authentication service. This host also houses a freeRadius server that acts as a backup authorization server for CSCF switches and firewalls. tenera, julia, exusta (Windows 2003 Server) - Domain controllers for thesysadmins.cscf.uwaterloo.ca Active Directory domain. All authentication in this domain is done via watiknow.cscf and watihave.cscf.
borealis (Windows 2003 Server) - Terminal Server in the sysadmins.cscf.uwaterloo.ca domain for CSCF staff to login and perform administration tasks within the cscf.uwaterloo.ca AD forest.
Server Locations
| Host | Location | Virtual Machines |
|---|---|---|
| vmhost202.cscf | DC 3558 | watiknow.cscf, test server |
| vmhost208.cscf | MC 3015 | watihave.cscf, test server |
| vmhost210.cscf | MC 3015 | exusta, tenera |
| vmhost212.cscf | MC 3015 | borealis, julia |
| I | Attachment | History | Action | Size | Date | Who | Comment |
|---|---|---|---|---|---|---|---|
 png |
TwoFactor.png | r4 r3 r2 r1 | manage | 104.2 K | 2006-05-04 - 09:24 | JasonTestart |
Topic revision: r16 - 2007-05-31 - JasonTestart
Information in this area is meant for use by CSCF staff and is not official documentation, but anybody who is interested is welcome to use it if they find it useful.
- CF Web
- CF Web Home
- Changes
- Index
- Search
- Administration
- Communication
- Hardware
- HelpDeskGuide
- Infrastructure
- InternalProjects
- Linux
- MachineNotes
- Macintosh
- Management
- Networking
- Printing
- Research
- Security
- Software
- Solaris
- StaffStuff
- TaskGroups
- TermGoals
- Teaching
- UserSupport
- Vendors
- Windows
- XHier
- Other Webs
- My links
 |
|
Copyright © 2008-2024 by the contributing authors. All material on this collaboration platform is the property of the contributing authors. Ideas, requests, problems regarding TWiki? Send feedback