Architecture for the TwoFactor Authentication Service (This page is Obsolete - Do Not Migrate)
The TwoFactor service makes use of technology developed by CRYPTOCard (http://www.cryptocard.com), using their KT-1 tokens. KT-1 tokens are similar to SecurID tokens, except that KT-1 tokens don't expire (just replace the batteries) and don't suffer from the clock-drift issues of time-based tokens. The code on a KT-1 token doesn't change automatically; you push a button to generate the next code, so the token is event-based rather than time-based.
The authentication service itself is provided by two servers running Linux and the CRYPTO-Server software. One server is the "master" and the other is a replica. Management of the service is done from a Linux or Windows desktop computer running the CRYPTO-Console software with a KT-1 token initializer device hooked up via USB. Clients use the service either by installing an agent or by speaking RADIUS to the servers. There is an agent for Windows domain controllers; on *nix and Darwin we use the pam-radius module.
Please note that this is an authentication service, not an authorization service: it answers "is this really the user?", not "what may the user do?". Management of authorization is best done by the clients of the service (e.g. a sudoers file on a Linux host, or a "Domain Admins" group in an Active Directory domain/forest).
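As an added illustration of the RADIUS path described above (this is example code written for this page, not CRYPTOCard's software and not anything from the CRYPTO-Server or pam-radius projects), the following shows both sides of an Access-Request / Access-Accept exchange: the client hides the token code in the User-Password attribute with the shared secret and Request Authenticator (RFC 2865 section 5.2), the server checks the code against an event counter with a look-ahead window and advances the counter so a captured code cannot be replayed, and the client only trusts the verdict if the Response Authenticator proves the reply came from a holder of the shared secret. The user name, shared secret and token seed are constructed sample values, and the event-based code is modelled with an HMAC-SHA1 counter (HOTP-style) as a stand-in; it is not the real KT-1 algorithm.

```python
"""RADIUS PAP exchange between a pam-radius style client and a token server.

Added example for this page; not CRYPTOCard's code. The token code is an
HMAC-SHA1 counter stand-in (assumption), not the real KT-1 algorithm.
Both sides run in-process so the script works offline.
"""
import hashlib
import hmac
import os
import struct

# Packet codes and attribute types from RFC 2865
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IDENTIFIER = 1, 2, 32
LOOKAHEAD = 10  # unused button presses the server tolerates (assumption)

# Constructed sample data: RADIUS shared secret and one enrolled token.
SECRET = b"constructed-shared-secret"
USERS = {"alice": {"seed": b"constructed-kt1-seed", "counter": 0}}


def token_code(seed, counter):
    """Six-digit code for button press number `counter` (HOTP-style stand-in)."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return "%06d" % ((struct.unpack(">I", mac[off:off + 4])[0] & 0x7FFFFFFF) % 1000000)


def encrypt_password(password, secret, authenticator):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[i:i + 16], key))
        out, prev = out + block, block  # chain on the ciphertext block
    return out


def decrypt_password(cipher, secret, authenticator):
    """Inverse of encrypt_password; a wrong secret yields garbage, not an error."""
    out, prev = b"", authenticator
    for i in range(0, len(cipher), 16):
        key = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(cipher[i:i + 16], key))
        prev = cipher[i:i + 16]
    return out.rstrip(b"\x00")


def attr(kind, value):
    return struct.pack("BB", kind, len(value) + 2) + value


def parse_attrs(data):
    attrs, i = {}, 0
    while i < len(data):
        kind, length = data[i], data[i + 1]
        attrs[kind] = data[i + 2:i + length]
        i += length
    return attrs


def packet(code, ident, authenticator, attrs):
    return struct.pack(">BBH", code, ident, 20 + len(attrs)) + authenticator + attrs


def build_access_request(user, otp, secret, nas_id, ident):
    """Client side: random Request Authenticator keys the password hiding."""
    req_auth = os.urandom(16)
    attrs = (attr(USER_NAME, user.encode())
             + attr(USER_PASSWORD, encrypt_password(otp.encode(), secret, req_auth))
             + attr(NAS_IDENTIFIER, nas_id.encode()))
    return packet(ACCESS_REQUEST, ident, req_auth, attrs), req_auth


def response_authenticator(code, ident, req_auth, secret, attrs):
    """MD5(Code + ID + Length + RequestAuth + Attributes + Secret), RFC 2865 3."""
    header = struct.pack(">BBH", code, ident, 20 + len(attrs))
    return hashlib.md5(header + req_auth + attrs + secret).digest()


def server_handle(pkt, secret, users):
    """Server side: recover the code, match it within the look-ahead window,
    then advance the stored counter so the same code is rejected on replay."""
    _, ident, length = struct.unpack(">BBH", pkt[:4])
    req_auth, attrs = pkt[4:20], parse_attrs(pkt[20:length])
    user = attrs.get(USER_NAME, b"").decode(errors="replace")
    presented = decrypt_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    presented = presented.decode(errors="replace")
    verdict, rec = ACCESS_REJECT, users.get(user)
    if rec is not None:
        for n in range(rec["counter"] + 1, rec["counter"] + 1 + LOOKAHEAD):
            if hmac.compare_digest(token_code(rec["seed"], n), presented):
                rec["counter"], verdict = n, ACCESS_ACCEPT
                break
    return packet(verdict, ident, response_authenticator(verdict, ident, req_auth, secret, b""), b"")


def client_verify(resp, req_auth, secret):
    """Client side: an Accept counts only if its Response Authenticator checks out."""
    code, ident, length = struct.unpack(">BBH", resp[:4])
    expected = response_authenticator(code, ident, req_auth, secret, resp[20:length])
    return hmac.compare_digest(resp[4:20], expected) and code == ACCESS_ACCEPT


def authenticate(user, otp, secret=SECRET, users=USERS, nas_id="host.cscf", ident=7):
    """End-to-end: build the request, let the server answer, verify the answer."""
    req, req_auth = build_access_request(user, otp, secret, nas_id, ident)
    return client_verify(server_handle(req, secret, users), req_auth, secret)


if __name__ == "__main__":
    first = token_code(USERS["alice"]["seed"], 1)
    print("first press accepted:", authenticate("alice", first))
    print("same code replayed:  ", authenticate("alice", first))
```

The two things worth noticing are that nothing in the exchange authenticates the server except the shared secret (so the secret for watiknow and watihave must be kept per-client and protected on the client), and that the look-ahead window is what makes an event-based token usable after a few idle button presses while still refusing a code that has already been used.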
Server Information
All servers used by the TwoFactor authentication service are VMware Server virtual machines hosted by a set of six SunFire x2100 servers. Three of the physical servers are located in DC 3558; the other three are housed in MC 3015. The host operating system is Ubuntu 6.06 Server (amd64).
watiknow.cscf (Linux) - Houses the master CRYPTO-Server that provides the core of the TwoFactor authentication service. This host also houses a freeRadius server that acts as the primary authorization server for CSCF switches and firewalls.
watihave.cscf (Linux) - Houses the replica CRYPTO-Server that provides the core of the TwoFactor authentication service. This host also houses a freeRadius server that acts as a backup authorization server for CSCF switches and firewalls.
tenera, julia, exusta (Windows 2003 Server) - Domain controllers for the sysadmins.cscf.uwaterloo.ca Active Directory domain. All authentication in this domain is done via watiknow.cscf and watihave.cscf.
borealis (Windows 2003 Server) - Terminal Server in the sysadmins.cscf.uwaterloo.ca domain for CSCF staff to log in and perform administration tasks within the cscf.uwaterloo.ca AD forest.
Server Locations
| Host | Location | Virtual Machines |
| vmhost202.cscf | DC 3558 | watiknow.cscf, test server |
| vmhost208.cscf | MC 3015 | watihave.cscf, test server |
| vmhost210.cscf | MC 3015 | exusta, tenera |
| vmhost212.cscf | MC 3015 | borealis, julia |
--
JasonTestart - 31 May 2007