Post on 17-Jan-2016
User Authentication
Modules
Leland Wallace
Sr. Engineer AppleShare
Introduction
• Overview
• What UAMs Do
• UAM Packaging
• How it Works
• Client API
• Server API
• Example NIS UAM
• Developer Opportunities
Overview
• AppleShare Client has supported User Authentication Module plug-ins (UAMs) since System 7.
• Client UAM API updated and made transport independent.
• ASIP 6.0 adds plug-in UAM API to the Server.
What UAMs Do
• Allow ASIP to fit into an existing authentication infrastructure
– Kerberos, NIS (yellow pages), Windows NT Domains, NDS
• Permit client to connect to different AFP servers using the server’s native authentication
UAM Packaging
• Server UAM
– CFM library
– Loaded by the ASIP Registry at startup
– Called at deferred task time
• Client UAM
– Code resource
– Loaded on demand
– Called at main event time
How it Works
Example: AFP login
[Diagram: AppleShare Client (Client UAM) <-> AppleShare Server (ASIP Registry, Server UAM) <-> External Auth server]
• Client gets the list of supported UAMs from the server.
• User chooses from the list of supported UAMs.
• Client loads the selected UAM & calls UAMOpen().
• Client calls UAMLogin(); the UAM opens the session with the OpenSession() callback.
• Server passes the UAM request to the registry.
• The Registry calls the Server UAM with the message from the client.
• The Server UAM contacts an external Authentication server.
• Replies from the Server UAM are sent back to the client along the reverse path. The Client UAM can send other messages via the SendMessage callback.
• The Client UAM returns from the UAMLogin() call.
• The Client calls UAMClose() and unloads the UAM.
Client UAM API
• Single entry point
• Three required commands:
– UAMOpen, UAMLogin, UAMClose
• Optional commands:
– UAMPWDlog, UAMVSDlog, UAMChgPassDlg,
– UAMChgPass, UAMGetInfoSize, UAMGetInfo
• Callback functions:
– GetClientInfo, OpenSession, SendMessage
– CloseSession, SetMIC
Server UAM API
• Single entry point
• One required command:
– UAMAuthLogin
• Optional commands:
– UAMAuthLoginContinue, UAMAuthChangeKey
– UAMAuthChangeKeyContinue, UAMGetMICKey
• Server UAM API functionality
– Get & Set user attributes
– Change User ID
– Create a new User
– Put the UAM thread to sleep
– Wakeup the UAM thread
• Authenticates a user with an NIS server
• If the user is not in the server’s registry, the UAM will create the user and assign them the proper group memberships
• Requires that the server admin set up a proxy user for the UAM and set up groups
NIS (Yellow Pages) Example
INIT() {
    Get the NIS domain name from the prefs
    Call yp_bind
    Initialize prng
}
UAMOpen(UAMArgs* nArgs) {
    Initialize prng
    Figure out the AFP version using the ClientInfo callback
    Return the config flags that specify the default UI
}
< User enters Name & Password in the login dialog >
UAMLogin(UAMArgs* nArgs) {
    Generate first message in DH exchange (Ma)
    Using the user name passed in, build the AFP command
    Use the open session callback to connect to the server
NIS UAM (Server UAM / Client UAM)
OAMAuthenticate() {   // state = kLoginState
    Get the User Name from the AuthInfo buffer
    Get Ma from the buffer
    Generate (Mb) the second message in the DH exchange from Rb
    Create the Key from Ma and Rb
    Save the username & the key in AuthState
    Output Mb into the reply buffer
    Return kAuthContinue;
}
UAMLogin <continued>
    Get Mb out of the reply buffer
    Create the Key from Mb and Ra
    Take the password and encrypt it with the key
    Use the Send Message callback to send the encrypted password to the server
Client UAM -> Server UAM: Login, AFPVers, NISProxy, NISUser, UserName, Ma
Server UAM -> Client UAM: AuthContinue, Mb
OAMAuthenticate() {   // state = kLoginContinueState
    Get the encrypted password from the AuthDataIn buffer
    Get the key from the authState
    Decrypt the encrypted password with the key
    Get the username from the authState
    Call yp_match on the “passwd.byname” table to get the /etc/passwd style entry
    If the match succeeds
        Use the salt from the passwd entry and crypt() to verify the password from the user.
    If the user is authenticated, look the user up in the Registry
        If the user is not found
            Create the user using UAMCreateObject()
            Use yp_match again to get the group memberships
            Add the user to the proper groups
        Call UAMChangeUID() to change to the proper user
    Return noErr
}
Client UAM -> Server UAM: LoginContinue, (Password)K
Server UAM -> Client UAM: noError
UAMLogin <continued>
    Return the session reference number
}
UAMClose() {
    Clean up any data structures
}
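The NIS UAM exchange sketched above (Ma, Mb, key agreement, encrypted password, yp_match lookup, Registry user creation), simulated end to end as an added Python example; this is not code from the slides or the AppleShare SDK. It assumes a toy DH group, SHA-256 as the key derivation, a hash keystream in place of the unspecified password cipher, a salted SHA-256 "salt$hash" entry in place of crypt(), and dictionaries standing in for the NIS maps and the ASIP Registry.

```python
import hashlib
import hmac
import secrets

P, G = 2**127 - 1, 5   # toy DH group, constructed for this example (M127 is prime)

# Constructed stand-ins for the NIS maps and the ASIP Registry.  Real passwd.byname
# entries are checked with crypt(); a salted SHA-256 "salt$hash" stands in here.
PASSWD_BYNAME = {"alice": "x7$" + hashlib.sha256(b"x7correct horse").hexdigest()}
GROUP_BYNAME = {"alice": ["staff", "wheel"]}
REGISTRY = {}   # name -> group memberships

def derive_key(shared_secret: int) -> bytes:
    """Reduce the DH shared secret to a 32-byte key (KDF choice is an assumption)."""
    return hashlib.sha256(shared_secret.to_bytes(16, "big")).digest()

def xor_stream(key: bytes, data: bytes) -> bytes:
    """Keystream cipher standing in for the slides' unspecified password encryption."""
    stream = b""
    while len(stream) < len(data):
        stream += hashlib.sha256(key + len(stream).to_bytes(4, "big")).digest()
    return bytes(a ^ b for a, b in zip(data, stream))

class ServerUAM:
    """OAMAuthenticate(): kLoginState on the first call, kLoginContinueState next."""
    def __init__(self):
        self.auth_state = None   # (username, key), like the AuthState buffer

    def authenticate(self, cmd: str, user: str, data):
        if cmd == "Login":                          # data is Ma
            rb = secrets.randbelow(P - 2) + 2
            self.auth_state = (user, derive_key(pow(data, rb, P)))   # key from Ma, Rb
            return "AuthContinue", pow(G, rb, P)    # Mb goes in the reply buffer
        user, key = self.auth_state or (None, b"")  # data is (Password)K
        salt, _, digest = PASSWD_BYNAME.get(user, "$").partition("$")  # yp_match
        got = hashlib.sha256(salt.encode() + xor_stream(key, data)).hexdigest()
        if not hmac.compare_digest(got, digest):    # unknown user -> empty digest
            return "AuthFailed", None
        if user not in REGISTRY:                    # UAMCreateObject + group setup
            REGISTRY[user] = list(GROUP_BYNAME.get(user, []))
        return "noErr", None                        # caller would UAMChangeUID() here

def client_login(user: str, password: bytes, server: ServerUAM) -> str:
    """Client UAM side of UAMLogin(): send Ma, derive the key from Mb, send password."""
    ra = secrets.randbelow(P - 2) + 2
    status, mb = server.authenticate("Login", user, pow(G, ra, P))
    key = derive_key(pow(mb, ra, P))                # key from Mb and Ra
    status, _ = server.authenticate("LoginContinue", user, xor_stream(key, password))
    return status
```

As on the slides, the key comes only from Ma and Mb, so the exchange keeps the password from a passive observer but does not by itself authenticate the server to the client.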
Developer Opportunities
• Kerberos-based UAM
• LDAP-based UAM
• License UAM
• Java UAM
• Smartcard-based UAM
• Looking for a Windows PDC UAM
Where to go from here
Check the AppleShare IP website for documentation and SDK info
http://www.apple.com/appleshareip/
Email me (randall@apple.com) to get the latest UAM SDK