
Approaches and recommendations for multiple OS user authentication techniques

I'm looking for recommendations of how to authenticate user/password combination and verify group association across a number of differing operating systems. Basically I have a C# application that is working in both MS Visual Studio C# and Mono C# and I need to add an authentication mechanism to it to support Windows, Linux, and MacOSX.

For Windows I wrote a quick C# interop to use the Windows-only LogonUser APIs. This is working well, but won't work for systems other than Windows. My ultimate goal is to have the same set of code run on all platforms (Windows, Linux, and MacOSX) with as little OS-dependent #ifdefing as possible.

One note – I am trying desperately to use the inherent OS user accounts. I prefer not to maintain my own user account store.

Any thoughts or recommendations on approaches, user authentication techniques, etc are welcome.

I'm not sure how authentication works on Linux and Mac, but the first thing that comes to my mind is to implement an IAuthenticator interface and have OS-specific authenticator classes. You can then switch over to the appropriate class manually via Dependency Injection or perhaps dynamically at runtime... but somehow your app should be able to identify what OS it is currently running on.

Each system handles local authentication differently. As @Darnell mentioned, you probably would need to write an interface for your authentication, and hide the system specific backend.

If you need to have the same user accounts across multiple systems, ldap for user info, and kerberos for authentication is the only fully supported cross platform way to handle it.

Short of "kerberizing" your application, and insisting that it only run in an equivalent environment, there's no universal method of authentication. Also, LDAP is really the only portable way to query for group information.

A simpler (more portable) option might be to use a pre-shared key of some sort. This way the user would authorize only your program, by giving it a key with which to sign the messages. Checking the message against the user's corresponding key would let you know that a) the user exists locally, and b) the message is coming from a source which the user authorized. You still have the problem of no universal group lookup, but you probably need to do that on your own if you can't rely on ldap.

Note: I still have to stress the following

I would strongly recommend not using someone's password in your messaging, ever, even if this requires you to maintain your own user/password database. You would be circumventing the local security paradigm, and opening up the system to more security risks. This is even more important if the system is using Kerberos/Active Directory, where great lengths have been taken to make sure the user's password is never being transmitted over the wire. Using DBMSs as an example - most of them do not tie into the local user database (at least by default), and implement their own user authentication mechanisms. Look at how security works in MySQL, or PostgreSQL.
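The pre-shared-key approach from the answer above, behind the IAuthenticator interface the first answer suggests, as an added example that is not from the original post or its authors: each local user enrolls one random key with the program, and a message is accepted only if its HMAC-SHA256 tag verifies under that user's key, which establishes both that the user is known locally and that the message came from something the user authorized. The interface, class and method names are assumptions; the key store is an in-memory dictionary standing in for whatever per-user storage the program would use.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Text;

// Backend-neutral contract; OS-specific backends (LogonUser, PAM, ...) would implement it too.
public interface IAuthenticator
{
    bool Verify(string user, byte[] message, byte[] signature);
}

// Portable backend: no password ever leaves the user's machine, only a MAC over the message.
public sealed class PresharedKeyAuthenticator : IAuthenticator
{
    private readonly Dictionary<string, byte[]> _keys = new Dictionary<string, byte[]>(StringComparer.Ordinal);

    // Called once, out of band, when the user authorizes this program. Returns the key the user keeps.
    public byte[] Enroll(string user)
    {
        var key = new byte[32];                       // 256-bit key for HMAC-SHA256
        using (var rng = RandomNumberGenerator.Create()) rng.GetBytes(key);
        _keys[user] = key;
        return key;
    }

    // Client side: tag the message with the user's key.
    public static byte[] Sign(byte[] key, byte[] message)
    {
        using (var hmac = new HMACSHA256(key)) return hmac.ComputeHash(message);
    }

    // Server side: (a) the user must exist locally, (b) the tag must match under that user's key.
    public bool Verify(string user, byte[] message, byte[] signature)
    {
        byte[] key;
        if (!_keys.TryGetValue(user, out key)) return false;
        byte[] expected = Sign(key, message);
        if (expected.Length != signature.Length) return false;
        int diff = 0;                                 // constant-time compare: no early exit on mismatch
        for (int i = 0; i < expected.Length; i++) diff |= expected[i] ^ signature[i];
        return diff == 0;
    }
}

public static class Demo
{
    public static void Main()
    {
        var auth = new PresharedKeyAuthenticator();
        byte[] aliceKey = auth.Enroll("alice");
        byte[] msg = Encoding.UTF8.GetBytes("start-job 42");
        byte[] tag = PresharedKeyAuthenticator.Sign(aliceKey, msg);
        Console.WriteLine(auth.Verify("alice", msg, tag));                                     // genuine message
        Console.WriteLine(auth.Verify("alice", Encoding.UTF8.GetBytes("start-job 43"), tag));  // tampered message
        Console.WriteLine(auth.Verify("mallory", msg, tag));                                   // unknown local user
    }
}
```

Group membership is still not answered by this scheme; as the answer says, that lookup has to be done separately (LDAP where available, or a store you maintain).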
