Using GatorLink Authentication

This document is directed at a systems administrator who is interested in authenticating some set of services against GatorLink IDs. If the preceding sentence sounds like gobbledygook to you, prepare to be very bored if you read on.

What is GatorLink?

GatorLink is an authentication infrastructure, a directory service, and some associated services, provided by CIRCA and NERDC to the University of Florida.

What does this mean?

Authentication Infrastructure
Authentication is the process of figuring out if a person really is who they say they are. GatorLink services are authenticated using the Kerberos protocol.
Directory Service
If you know that "userboo" is in fact who they say they are, who are they? GatorLink's Directory services allow people to map a GatorLink ID to a human being, in order to better decide what kinds of services that human is due. GatorLink's Directory services are provided by ... LDAP? X.500? ....
Services
It is anticipated that there will be many GatorLink services created around campus. We're attempting to maintain a list of them on the GatorLink Services page. Since these services are, by design, not centrally managed, we can't guarantee that all of the entries on this page will be up-to-date.

OK, what do I do about it?

In order to set up a service which will authenticate against GatorLink, you will need to consider the following issues:
  1. Authentication; you will need to acquire some Kerberos distribution for your implementation platform.
  2. Authorization; you will need to put together some database of GatorLink IDs in which your service is interested, and what rights and privileges they have within its bounds. There is no central maintenance infrastructure for this information, since the services themselves are maintained in many different units.
  3. Your service. This is also up to you. :)
Since your authorization and service are basically your responsibility, we'll only cover one thing in greater detail:

Authentication

There are two free distributions of Kerberos of which we're aware; if you hear of more, or develop some experience with a commercial implementation, let us know. Once you have successfully compiled the appropriate client infrastructure on your platform of choice, you can add our FORTHCOMING CODE SNIPPETS that distill a somewhat baroque protocol into the simple answer to the simple question, "Is this really user's password?". Please note that checking a password in this way does not make your application or service "kerberized"; far deeper work is necessary to do that, and it's beyond the scope of this document.
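
Once the password check has confirmed a GatorLink ID, the authorization step (item 2 above) decides what that ID may do within your service. The sketch below is an added example, not code from this page or from GatorLink; it assumes Kerberos v5-style principal names, and the realm name, the ACL entries and every function name are constructed placeholders.

```python
"""Added example: map an already-authenticated Kerberos principal to local rights."""
import re

# Assumption: placeholder realm; the page does not name the GatorLink realm.
EXPECTED_REALM = "EXAMPLE.REALM"

# Constructed sample ACL: GatorLink ID -> rights within this one service.
ACL = {
    "userboo": {"read"},
    "asmith": {"read", "write"},
}

# Kerberos v5 text form: primary[/instance]@REALM (escaped characters are rejected).
_PRINCIPAL = re.compile(
    r"([A-Za-z0-9_.-]+)(?:/([A-Za-z0-9_.-]+))?@([A-Za-z0-9_.-]+)")


class Denied(Exception):
    """Raised when a principal is malformed, foreign, or lacks the right."""


def parse_principal(principal):
    """Split a principal into (primary, instance, realm) or raise Denied."""
    m = _PRINCIPAL.fullmatch(principal)
    if m is None:
        raise Denied(f"malformed principal: {principal!r}")
    return m.group(1), m.group(2), m.group(3)


def rights_for(principal, acl=ACL, realm=EXPECTED_REALM):
    """Return the rights of an authenticated principal; unknown IDs get none."""
    primary, instance, prealm = parse_principal(principal)
    if prealm != realm:  # realm names are case-sensitive
        raise Denied(f"foreign realm: {prealm}")
    if instance is not None:
        # userboo/admin is a different identity from userboo; never merge them.
        raise Denied(f"instance not listed in this ACL: {instance}")
    return frozenset(acl.get(primary, ()))


def require(principal, right, **kw):
    """Raise Denied unless the principal holds `right`; return the GatorLink ID."""
    if right not in rights_for(principal, **kw):
        raise Denied(f"{principal} lacks {right!r}")
    return parse_principal(principal)[0]
```

Call `require()` only with the principal name returned by a successful authentication, never with a name taken directly from user input.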
Allen S. Rout, asr@nersp.nerdc.ufl.edu
Last modified on Mon Sep 29 23:23:50 1997 by Allen S. Rout