For Autumn Quarter 1997, User Services wishes to have the computers in the Labs doing login authentication. Having the workstations doing login authentication will ensure only authorized C&C account holders are using the computers and will provide a means to determine who was using a computer at a given time if some misbehavior occurs on the network.

There are two flavors of computers which are to be affected: Macintoshes and W95 PCs. The Macintosh computers will be using a program which attempts to authenticate using the FTP protocol USER and PASS commands. The W95 computers will be doing Microsoft's Domain Login over TCP/IP; the Microsoft Domain Login uses the SMB protocol. This also means that the Lab Users will need to do a Logout prior to leaving the workstation, to avoid having the next user inherit their environment and being logged as the active user for any unsavory activity. Their environment includes their password and possibly files that they've been working on as well. The logout uses an rdist function to reset the workstation to the standard set of files and forces a new user login.

Principally, this is a User Services project and the AST role is limited to providing servers for the login authentication, and the means to determine who had been authorized to use a workstation at some time in the past. An AIX 4.2 RS6000/250 80MHz computer named bud.cac.washington.edu has been configured to serve the protocol requests. This machine has an internal 2GB SCSI disk and a single front-door ethernet connection.

Bud.cac has two daemons to serve the SMB protocol requests and an inetd program to serve the FTP requests. The SMB daemons are smbd and nmbd, which are specially modified versions from the samba 1.9.17alpha product in Tulsa. The FTP program is a specially modified version of the wu-ftp-2.4 product in its own tulsa source tree, uw-ftpd-2.4-uw_lab_auth. This software is installed into the /tulsa/bin/uw_lab_auth product tree for installation onto bud.cac. The special modifications to the original source for these products are done to remove functionality other than authentication and to modify the authentication to use the password_ok_krb5(logon,password) function. That function uses our krb5-1.0 product to authenticate against our niven Kerberos server. The Kerberos credentials obtained from the Kerberos server are not provided back to the authenticating workstation or used in any other way once obtained. The samba software has also been modified to log a utmp entry to the /var/adm/wtmp file. The ftp program logs the entry as well, which is typical for ftp. The wtmpd product is also installed on bud.cac to gather the logon data for archival and consolidation on the Anthony.u server.
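The memo's stated payoff for the wtmp logging is being able to say who was using a given workstation at a given time, and its stated risk is a user who walks away without logging out so the next user inherits the session. The following is an added example, not part of the memo or of the modified samba/ftp/wtmpd software, of how an analyst could reconstruct per-workstation sessions from the login/logout records and flag the sessions that were never cleanly closed. It assumes a constructed, simplified text record format (date, time, login/logout, user, workstation) rather than the AIX 4.2 wtmp binary layout, and the sample records, user names and workstation names are invented.

```python
# Added example (not from the memo or its software): rebuild workstation
# sessions from login/logout records and answer "who held host X at time T".
# The record format is a constructed stand-in, not the AIX wtmp layout.
from dataclasses import dataclass
from datetime import datetime
from typing import Optional, Union

# Constructed sample records; bob on lab-pc-01 never logs out.
SAMPLE_RECORDS = """
# date       time  kind    user   workstation
1997-10-06 09:00 login  alice lab-pc-01
1997-10-06 09:45 logout alice lab-pc-01
1997-10-06 10:00 login  bob   lab-pc-01
1997-10-06 10:30 login  carol lab-pc-01
1997-10-06 11:15 logout carol lab-pc-01
1997-10-06 09:10 login  dave  lab-mac-07
"""

@dataclass
class Record:
    when: datetime
    kind: str   # "login" or "logout"
    user: str
    host: str   # workstation that authenticated

@dataclass
class Session:
    user: str
    host: str
    start: datetime
    end: Optional[datetime]  # None while the session is still open
    clean_logout: bool       # False if closed only by the next user's login

def parse_records(lines):
    """Parse 'YYYY-MM-DD HH:MM login|logout user host' lines into sorted Records."""
    out = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        date, time, kind, user, host = line.split()
        if kind not in ("login", "logout"):
            raise ValueError(f"unknown record kind: {kind!r}")
        out.append(Record(datetime.fromisoformat(f"{date} {time}"), kind, user, host))
    return sorted(out, key=lambda r: r.when)

def build_sessions(records):
    """Pair logins with logouts per host; a login on a host with an open
    session closes that session and marks it as not cleanly logged out."""
    open_by_host = {}
    sessions = []
    for r in records:
        prev = open_by_host.get(r.host)
        if r.kind == "login":
            if prev is not None:
                # Previous user walked away: the inheritance problem the memo warns about.
                prev.end = r.when
                prev.clean_logout = False
            s = Session(r.user, r.host, r.when, None, True)
            open_by_host[r.host] = s
            sessions.append(s)
        elif prev is not None and prev.user == r.user:
            prev.end = r.when
            del open_by_host[r.host]
        # A logout with no matching open login is ignored here.
    return sessions

def who_was_on(sessions, host, at: Union[str, datetime]):
    """Return (user, clean_logout) for the session covering host at 'at', else None.
    clean_logout=False means the attribution is weak near the end of the session."""
    if isinstance(at, str):
        at = datetime.fromisoformat(at)
    for s in sessions:
        if s.host == host and s.start <= at and (s.end is None or at < s.end):
            return s.user, s.clean_logout
    return None

def unclean_sessions(sessions):
    """List (user, host) pairs whose session ended only because someone else logged in."""
    return [(s.user, s.host) for s in sessions if s.end is not None and not s.clean_logout]

if __name__ == "__main__":
    sess = build_sessions(parse_records(SAMPLE_RECORDS.splitlines()))
    print(who_was_on(sess, "lab-pc-01", "1997-10-06 10:15"))
    print("not cleanly logged out:", unclean_sessions(sess))
```

The `clean_logout` flag is the part worth keeping in any real report: an attribution drawn from a session that was closed only by the next login is only as good as the physical gap between the two users, which is exactly why the memo requires a Logout before leaving the workstation.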

Prior to Fall quarter, load testing will be done on the authentication system. The load testing plan hasn't been fleshed out yet, but it is expected that there will be (A) response time testing with massive simultaneous logons, (B) failover testing of the Kerberos server and (C) reloading of the Kerberos database while doing massive simultaneous logons.


-Steve Jones