
Password? CLASP Project FOCUS Meeting, 12 October 2000 Denise Heagerty, IT/IS.




1 Password? CLASP Project FOCUS Meeting, 12 October 2000 Denise Heagerty, IT/IS

2 Outline
• What is CLASP?
  - Common Login and Access rights across Service Plan
  - Project Goal
  - Project Milestones so far
• Phase 1 Results
  - Service survey results
  - Feasibility study results
  - Common Access Rights
• Phase 2 Proposal
  - Phase 2 Deliverables
  - Phase 2 Milestones

3 Project Goal
• Propose a detailed plan to reduce the number of login/passwords entered by users to access services they are authorised to use
“Single Sign On” + Access Control

4 Project Scope
• Address computing services offered by at least IT and AS Divisions
• Normal user access from in or outside CERN
• Target Linux and W2000 for web, mail, interactive (telnet, X, ftp) and file (AFS, NICE) access
• Focus on a common solution, even if it does not cover all services today
• Define security levels and password policy
  - elimination of clear-text passwords is desirable

5 Project Milestones so far
Dec 1999: Project Mandate defined
• Goal, Background, Purpose, Scope, Phases
  - http://cern.ch/proj-clasp
Jun 2000: Phase 1 initial results
• Service Survey and Feasibility Study
  - what we have now and what is possible for the future
Oct 2000: Phase 2 Proposal available:
• Detailed Implementation Plans
  - which services and how they will change

6 Service Survey Results
• Service Survey at http://cern.ch/proj-clasp
• Survey lists more than 30 different user services in IT, AS, EST, SL and ST Division using more than 12 different passwords
• Most IT services use a common loginid centrally managed in CCDB database
  - AS Division integration is in progress
• Some password harmonisation exists where easily possible
• The explosion of different loginid/password pairs is mainly driven by web authors

7 Feasibility Study Results
• Kerberos v5 provides a good basis for common authentication and Single Sign On
  - infrastructure available in W2000 and Linux RH v6.2
  - standard application interfaces (RFC 2078, MS-SSPI)
• Some PKI (Public Key Infrastructure) is required for GRID applications
  - Can be integrated with Kerberos v5 Single Sign On
• Enhanced security is essential to overcome the vulnerability of the initial sign on
• We need to control the explosion of web loginid/password pairs
  - need to consider non-Kerberos solutions

8 Key applications known to support Kerberos v5
• Mail
  - IMAP server (U of Washington) - Yes!
  - Outlook and Pine - Yes!
  - Netscape - No
• Interactive Commands
  - telnet, ftp, rcp, rlogin: UNIX - Yes! / W2000 - Yes?
  - Exceed: Yes!
• File Access (single platform)
  - AFS - Yes (via Kerberos v4 extension on UNIX KDC)
  - Microsoft DFS: W2000 - Yes!
• Web
  - Internet Explorer - Yes
  - Netscape - No

9 Common Access Rights
• Key/Initial applications:
  - distribution lists
  - web page protection
  - file protections
• Concept of “e-groups” looks useful
  - electronic grouping of people/accounts
  - defined centrally and made available to applications
  - LDAP / Active Directory play a key role
  - work is in progress

10 Password? CLASP Phase 2 Proposal

11 Phase 2 Deliverables
• Implementation plan for the base authentication service
  - Kerberos v5 with support for AFS and Grid certificates
• Implementation plans for services
  - mail, web (IT & AIS), interactive (login, telnet, ftp, Exceed, ssh), file (AFS, Windows DFS), batch (LSF), Oracle and future GRID services
• Final Recommendations
  - security review, password (check and change) policy, opt-out mechanism, off-site access, platform independent access control for web pages, files and listbox e-mail lists

12 Services included in Phase 2
Base authentication service:
• Kerberos v5 with support for AFS and Grid
Application Services:
• mail
• web (IT and AIS services)
• file access (AFS and Windows DFS)
• interactive (login, telnet, ftp, Exceed, ssh)
• batch (LSF)
• Oracle
• future GRID services

13 Phase 2 will conclude with:
• Base Authentication Service defined
• Service/Application implementation plans
• An opt-out mechanism for special cases
• Security review and password (check & change) policy
• Recommendations for off-site access including CERN and non-CERN portables
• Proposal for common access control for web pages, files and listbox e-mail lists

14 Phase 2 Milestones
Oct 2000:
• Test authentication environment available
  - serving Kerberos v5, AFS, and Grid certificates
  - available to services preparing implementation plans
Feb 2001:
• Implementation plans available
  - for a production authentication service
  - most IT and AS services
May 2001:
• Final proposal available
  - security review, off-site access, access control added
  - presentations to C5, FOCUS and Desktop Forum

15 Password?
http://cern.ch/proj-clasp
CLASP studies have been made in collaboration with many colleagues both inside and outside IT Division - Thanks!

