Authentication

Kenneth Foster fosterk "at" aenigma.net
Mon, 07 Aug 2000 22:48:35 +0000


Awkward on Linux?  That's what SAMBA is.  I haven't found it to be that hard,
if you read the docs.  I must admit I haven't seen it on a Mac.  But I
haven't seen much on a Mac lately, except day-glo colors. Just kidding.

The main reason I went this route is that you could really get tricky with
it.  The reality is, you only really need to modify the "server" part of
VNC.  The Clients don't need much if any modification at all.

The client connects to the Server; during the connection handshake they
exchange "authentication mechanisms".  If it is an older client then it uses
the normal authentication.  If it is an enhanced client then it can pass
more information such as UserName and Password, or even more if you want.
This part could be done using any protocol you want, even RFB.

The Server is heavily modified.  It knows how to speak SMB and RFB.  If
during the authentication sequence it gets an EnhancedClient it could pass
the UserName, PassWord, and ComputerName (where it's installed) to a Domain
Controller.  The Domain Controller does the authentication.  If it says yay
then they get in, if not then they are denied.  The server would know about
the domain controller either as part of the install or some other form of
configuration.

For the people that want authentication without NT I suppose someone could
build a VNC authentication server.  This would be a standalone piece of
software whose sole purpose is to authenticate a list of users.  The
authentication server could potentially run on about anything that SAMBA
runs on (since that's basically what it is).

Now for the real fun, Services for UNIX version 2.  If you used NT or W2K,
you could also do RADIUS authentication and NIS authentication even though
the VNC client/server only speaks SMB.

Now, back to why a local database file is a bad approach.  In large
organizations we have spent considerable time and effort coming up with ways
to centralize authentication.  Why would I want to start tearing down that
authentication?  If you used a local database then you have to manage
passwords in multiple locations.  If you give a contractor access in
multiple spots you need to remove those spots when he/she leaves, or suffer
the security consequences.  I agree that the local database idea is easier.
I would, however, argue that easier isn't always better.

Just my 2.5 cents worth.


Ken Foster

-----Original Message-----
From: owner-vnc-list "at" uk.research.att.com
[mailto:owner-vnc-list "at" uk.research.att.com]On Behalf Of Jonathan Morton
Sent: Monday, August 07, 2000 3:25 PM
To: vnc-list "at" uk.research.att.com
Subject: RE: Authentication


>I have found someone that is interested in potentially writing the User
>Authentication for VNC.  I have an RFP at
>http://www.cosource.com/cgi-bin/cos.pl/wish/info/346 that details one way
>this could be done.  The way I have described isn't the only way and we
>could come up with a detailed method later after we have committed some
>money to the project.

One Big Problem with your approach there - it relies on SMB, which is
awkward to set up on Linux and near-impossible on Macs.  I'd prefer to use
a simple, TCP-based connection to a server which can be on any platform, or
the option to use a local database file.  Also, some way of implementing
the "username" request would be needed in the RFB protocol itself, which is
_very_ hard to do without breaking compatibility.

--------------------------------------------------------------
from:     Jonathan "Chromatix" Morton
mail:     chromi "at" cyberspace.org  (not for attachments)
uni-mail: j.d.morton "at" lancaster.ac.uk

The key to knowledge is not to rely on people to teach you it.

Get VNC Server for Macintosh from http://chromatix.autistics.org/vnc/

-----BEGIN GEEK CODE BLOCK-----
Version 3.12
GCS$/E/S dpu(!) s:- a19 C+++ UL++ P L+++ E W+ N- o? K? w--- O-- M++$ V? PS
PE- Y+ PGP++ t- 5- X- R !tv b++ DI+++ D G e+ h+ r- y+
-----END GEEK CODE BLOCK-----
---------------------------------------------------------------------
To unsubscribe, send a message with the line: unsubscribe vnc-list
to majordomo "at" uk.research.att.com
See also: http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
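The mechanism-negotiation handshake and the centralized backend that Ken Foster describes above, modelled as an added example. This is not code from the original thread, from VNC, or from the RFP it references, and it does not follow the real RFB wire format. The mechanism names, the `CentralAuthenticator` class standing in for the domain controller or standalone VNC authentication server, and the HMAC-based challenge/response used for the "older client" path (a stand-in for VNC's own scheme, which is not modelled) are all assumptions of this example. It also assumes the enhanced path runs over a channel that protects the password in transit, a point the thread does not address. The users, passwords and machine names are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Mechanism identifiers exchanged during the handshake. These names are
# assumptions of this example, not real RFB security-type values.
LEGACY = "vnc-legacy"      # password-only challenge/response for older clients
ENHANCED = "vnc-enhanced"  # username + password + computer name, forwarded upstream


class CentralAuthenticator:
    """Stand-in for the domain controller (or a standalone VNC authentication
    server): one user list consulted by every VNC server in the organisation."""

    def __init__(self):
        self._users = {}  # username -> (salt, pbkdf2 hash); constructed sample store
        self.audit = []   # (computer, username, outcome) for every decision made

    def add_user(self, username, password):
        salt = secrets.token_bytes(16)
        self._users[username] = (salt, self._derive(salt, password))

    def remove_user(self, username):
        self._users.pop(username, None)  # one change revokes access on every server

    @staticmethod
    def _derive(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check(self, username, password, computer):
        entry = self._users.get(username)
        ok = entry is not None and hmac.compare_digest(
            entry[1], self._derive(entry[0], password))
        self.audit.append((computer, username, "allow" if ok else "deny"))
        return ok


class VNCServer:
    """The 'heavily modified' server: always offers the enhanced mechanism,
    offers the legacy one only if a legacy password was configured, and never
    accepts a mechanism it did not advertise."""

    def __init__(self, name, authenticator, legacy_password=None):
        self.name = name
        self.auth = authenticator
        self.legacy_password = legacy_password
        self.offered = [ENHANCED] + ([LEGACY] if legacy_password else [])

    def handshake(self, client):
        chosen = client.choose(self.offered)
        if chosen not in self.offered:
            return False  # client proposed something this server never offered
        if chosen == LEGACY:
            # Challenge/response against the locally configured password. HMAC is
            # a stand-in here for VNC's own legacy scheme, which is not modelled.
            nonce = secrets.token_bytes(16)
            expected = hmac.new(self.legacy_password.encode(), nonce, "sha256").digest()
            return hmac.compare_digest(expected, client.answer_challenge(nonce))
        # Enhanced path: credentials go to the central authority, not a local file.
        user, password, computer = client.credentials()
        return self.auth.check(user, password, computer)


class LegacyClient:
    """Older client: knows only the password-based mechanism."""

    def __init__(self, password):
        self.password = password

    def choose(self, offered):
        return LEGACY  # it has nothing else, even if the server did not offer it

    def answer_challenge(self, nonce):
        return hmac.new(self.password.encode(), nonce, "sha256").digest()


class EnhancedClient:
    """Newer client: sends username, password and the name of its own machine."""

    def __init__(self, user, password, computer):
        self.user, self.password, self.computer = user, password, computer

    def choose(self, offered):
        return ENHANCED

    def credentials(self):
        return self.user, self.password, self.computer


def demo():
    """Two servers, one authority; all users and passwords are constructed."""
    dc = CentralAuthenticator()
    dc.add_user("alice", "correct horse battery")
    dc.add_user("contractor", "temporary-pass")
    finance = VNCServer("finance-pc", dc, legacy_password="legacy-pw")
    lab = VNCServer("lab-pc", dc)  # no legacy password: enhanced clients only
    ctr = ("contractor", "temporary-pass", "ctr-laptop")
    results = {
        "alice_finance": finance.handshake(EnhancedClient("alice", "correct horse battery", "alice-laptop")),
        "contractor_lab_before": lab.handshake(EnhancedClient(*ctr)),
    }
    dc.remove_user("contractor")  # the contractor leaves: removed in one place only
    results["contractor_lab_after"] = lab.handshake(EnhancedClient(*ctr))
    results["contractor_finance_after"] = finance.handshake(EnhancedClient(*ctr))
    results["legacy_finance"] = finance.handshake(LegacyClient("legacy-pw"))
    results["legacy_lab"] = lab.handshake(LegacyClient("legacy-pw"))
    results["alice_wrong_password"] = finance.handshake(EnhancedClient("alice", "wrong", "alice-laptop"))
    return results, dc.audit


if __name__ == "__main__":
    outcome, log = demo()
    for name, ok in outcome.items():
        print(f"{name:26} {'allow' if ok else 'deny'}")
    print("central audit trail:", log)
```

Running `demo()` shows the two points the message argues: removing the contractor from the central store denies the next login on both servers without touching either of them, and every enhanced-path decision lands in one audit trail, which is where a defender would look for failed logins across the fleet. The legacy path deliberately bypasses that authority, which is the cost of keeping older clients working; the server that has no legacy password configured simply rejects them.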