
User Authentication Modules


Presentation Transcript


  1. User Authentication Modules Leland Wallace Sr. Engineer AppleShare

  2. Introduction • Overview • What UAMs Do • UAM Packaging • How it Works • Client API • Server API • Example NIS UAM • Developer Opportunities

  3. Overview • AppleShare Client has supported User Authentication Module plug-ins (UAMs) since System 7. • Client UAM API updated and made transport independent. • ASIP 6.0 adds plug-in UAM API to the Server.

  4. What UAMs Do • Allow ASIP to fit into an existing authentication infrastructure • Kerberos, NIS (yellow pages), Windows NT Domains, NDS • Permit client to connect to different AFP servers using the server’s native authentication

  5. UAM Packaging • Server UAM • CFM library • Loaded by the ASIP Registry at startup • Called at deferred task time • Client UAM • Code resource • Loaded on demand • Called at main event time

  6. How it Works [Diagram: AppleShare Client with Client UAM; AppleShare Server with ASIP Registry and Server UAM; External Auth server] Example: AFP login. Client gets the list of supported UAMs from the server. User chooses from the list of supported UAMs.

  7. How it Works • Client loads the selected UAM & calls UAMOpen()

  8. How it Works • Client calls UAMLogin(); the UAM opens the session with the OpenSession() callback

  9. How it Works • Server passes the UAM request to the registry

  10. How it Works • The Registry calls the Server UAM with the message from the client

  11. How it Works • The Server UAM contacts an external Authentication server

  12. How it Works • Replies from the Server UAM are sent back to the client along the reverse path. The Client UAM can send other messages via the SendMessage callback

  13. How it Works • The Client UAM returns from the UAMLogin() call

  14. How it Works • The Client calls UAMClose() and unloads the UAM

  15. Client UAM API • Single entry point • Three required commands: • UAMOpen, UAMLogin, UAMClose • Optional commands: • UAMPWDlog, UAMVSDlog, UAMChgPassDlg, • UAMChgPass, UAMGetInfoSize, UAMGetInfo • Callback functions: • GetClientInfo, OpenSession, SendMessage • CloseSession, SetMIC

  16. Server UAM API • Single entry point • One required command: • UAMAuthLogin • Optional commands: • UAMAuthLoginContinue, UAMAuthChangeKey • UAMAuthChangeKeyContinue, UAMGetMICKey • Server UAM API functionality • Get & Set user attributes • Change User ID • Create a new User • Put the UAM thread to sleep • Wakeup the UAM thread

  17. NIS (Yellow Pages) Example • Authenticates a user with an NIS server • If the user is not in the server’s registry, the UAM will create the user and assign them the proper group memberships • Requires that the server admin set up a proxy user for the UAM and set up groups

  18. NIS UAM

  Server UAM:
    INIT() {
        Get the NIS domain name from the prefs
        Call yp_bind
        Initialize prng
    }

  Client UAM:
    UAMOpen(UAMArgs* nArgs) {
        Initialize prng
        Figure out the AFP version using the ClientInfo callback
        Return the config flags that specify the default UI
    }

    <User enters Name & Password in the login dialog>

    UAMLogin(UAMArgs* nArgs) {
        Generate first message in DH exchange (Ma)
        Using the user name passed in, build the AFP command
        Use the open session callback to connect to the server

  19. Client UAM -> Server UAM: Login, AFPVers, NISProxy, NISUser, UserName, Ma

  Server UAM:
    UAMAuthenticate() {   // state = kLoginState
        Get the User Name from the AuthInfo buffer
        Get Ma from the buffer
        Generate (Mb) the second message in the DH exchange from Rb
        Create the Key from Ma and Rb
        Save the username & the key in AuthStateOut
        Put Mb into the reply buffer
        Return kAuthContinue;
    }

  Server UAM -> Client UAM: AuthContinue, Mb

  Client UAM:
    UAMLogin <continued>
        Get Mb out of the reply buffer
        Create the Key from Mb and Ra
        Take the password and encrypt it with the key
        Use the Send Message callback to send the encrypted password to the server

  20. Client UAM -> Server UAM: LoginContinue, (Password)K

  Server UAM:
    UAMAuthenticate() {   // state = kLoginContinueState
        Get the encrypted password from the AuthDataIn buffer
        Get the key from the authState
        Decrypt the encrypted password with the key
        Get the username from the authState
        Call yp_match on the "passwd.byname" table to get the /etc/passwd style entry
        If the match succeeds
            Use the salt from the passwd entry and crypt() to verify the password from the user.
        If the user is authenticated, look the user up in the Registry
            If the user is not found
                Create the user using UAMCreateObject()
                Use yp_match again to get the group memberships
                Add the user to the proper groups
        Call UAMChangeUID() to change to the proper user
        Return noErr
    }

  Server UAM -> Client UAM: noError

  21. Client UAM:
    UAMLogin <continued>
        return the session reference number
    }

    UAMClose() {
        clean up any data structures
    }
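The NIS login exchange on slides 18 to 21, carried through as a runnable added example (not code from the presentation or the AppleShare SDK): the DH group, the cipher used for (Password)K and the salted hash standing in for crypt() are assumptions, and the NIS passwd.byname map is constructed inline.

```python
import hashlib
import hmac
import secrets

# Constructed toy DH group (prime 2**64 - 59, generator 2) so this runs instantly;
# a real UAM needs a large safe prime. Cipher and hash are stand-ins (assumptions).
P = 2**64 - 59
G = 2

def dh_keypair():
    """Random exponent and public value G^R mod P: (Ra, Ma) on the client, (Rb, Mb) on the server."""
    r = secrets.randbelow(P - 2) + 1
    return r, pow(G, r, P)

def derive_key(their_public, my_secret):
    """Both sides hash the shared DH value to a 16-byte key."""
    shared = pow(their_public, my_secret, P)
    return hashlib.sha256(shared.to_bytes(8, "big")).digest()[:16]

def keystream_xor(key, data):
    """Stand-in cipher: XOR with a SHA-256 counter keystream; the same call decrypts."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def make_passwd_entry(username, password, salt):
    """/etc/passwd-style line; salted SHA-256 stands in for crypt()."""
    digest = hashlib.sha256((salt + password).encode()).hexdigest()
    return f"{username}:{salt}${digest}:1001:100::/home/{username}:/bin/sh"

def verify_against_entry(entry, password):
    """Server side: take the salt from the passwd entry and re-hash the offered password."""
    salt, digest = entry.split(":")[1].split("$")
    return hmac.compare_digest(hashlib.sha256((salt + password).encode()).hexdigest(), digest)

NIS_PASSWD_BYNAME = {"alice": make_passwd_entry("alice", "s3cret", "ab")}  # constructed NIS map
def nis_uam_login(username, password, passwd_byname=NIS_PASSWD_BYNAME):
    """Run both sides of the slides' exchange in one process and return the server verdict."""
    ra, ma = dh_keypair()                                  # client UAMLogin: first DH message Ma
    rb, mb = dh_keypair()                                  # server kLoginState: Mb from Rb
    auth_state = {"username": username, "key": derive_key(ma, rb)}  # saved in AuthStateOut
    client_key = derive_key(mb, ra)                        # client continued: key from Mb and Ra
    password_k = keystream_xor(client_key, password.encode())       # (Password)K sent via SendMessage
    recovered = keystream_xor(auth_state["key"], password_k).decode(errors="replace")  # kLoginContinueState
    entry = passwd_byname.get(auth_state["username"])     # yp_match on "passwd.byname"
    if entry is None:
        return "no such user"
    return "authenticated" if verify_against_entry(entry, recovered) else "bad password"
```

Because the DH values are unauthenticated, the example only demonstrates key agreement and the server-side crypt() check, not protection against an active party between client and server.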

  22. Developer Opportunities • Kerberos-based UAM • LDAP-based UAM • License UAM • Java UAM • Smartcard-based UAM • Looking for a Windows PDC UAM

  23. Where to go from here Check the AppleShare IP website for documentation and SDK info http://www.apple.com/appleshareip/ Email me (randall@apple.com) to get the latest UAM SDK
