Remote User Authentication

http://library.smc.edu/rua.htm
Steve Hunt
Systems Librarian
Santa Monica College Library
Remote User Authentication
• What it is
• Why you need to do it
• How it works on-campus
• How to do it off-campus
• How to get somebody else to do it for you
What it really is
• Libraries subscribe to e-resources
• Examples:
– EbscoHost Master File Premier
– Proquest National Newspaper Index
– Gale Literature Resource Center
– Grove Dictionary of Art
– and many, many more
What it really is
• Content providers require that access be
limited to our users
• Various means to authenticate
• Authentication is the process of checking a
user's claim to an identity (it does not by
itself decide what the user may do; that is
authorization, which the vendor handles)
Why you need to do it (Top 10)
• Users like it
• More access to information
• You have already paid for it
• Supports Distance Education
• Less use of Library facilities and PCs
More reasons
• Boss says so
• All the big schools are doing it
• Good excuse to get that new server or
systems librarian you want
• Keeps pesky students out of the Library
• Alternative to keeping library open 24/7
How it works on-campus:
IP Authentication
• Some remote access solutions use IP
authentication
• Network devices have IP addresses
• IP addresses are assigned to
organizations in blocks
• We provide a list to database vendors
• Vendors check the IP address
SMC IP Address List
• 192.92.124.1-254
• 198.147.67.1-254
• 204.140.185.1-204.140.187.254
• 206.117.45.1-206.117.47.254
• 206.117.124.1-206.117.125.254
• 207.151.68.1-207.151.69.254
• 207.151.112.1-207.151.117.254
• 207.233.32.1-254
How it works on-campus:
IP Authentication
• IP address based authentication is
relatively easy for the vendor and the
customer to set up and administer
• It proves only that a request came from one
of your addresses; anything that relays
traffic out of your address space (a proxy,
an open relay) passes the check
• It does not allow off-campus access
unless you support…
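The vendor-side check described above, as an added example that is not SMC or vendor code. It parses the SMC address list in both forms the list uses ("a.b.c.1-254" over the last octet, and a full start-end pair), answers "is this client address on campus?", and converts an entry to CIDR blocks, the form many vendors ask for. The address list is the slide's own; the function names and the sanity-check helpers are this example's.

```python
"""Vendor-side IP authentication check.

Added example (not SMC or vendor code): parses address ranges written the
way the slide's list writes them, "192.92.124.1-254" (range over the last
octet) and "204.140.185.1-204.140.187.254" (full start-end range), and
decides whether a client address is "on campus".
"""
import ipaddress

# The campus list exactly as published on the slide.
SMC_RANGES = [
    "192.92.124.1-254",
    "198.147.67.1-254",
    "204.140.185.1-204.140.187.254",
    "206.117.45.1-206.117.47.254",
    "206.117.124.1-206.117.125.254",
    "207.151.68.1-207.151.69.254",
    "207.151.112.1-207.151.117.254",
    "207.233.32.1-254",
]


def parse_range(text):
    """Return (first, last) as IPv4Address objects for one list entry."""
    start_s, _, end_s = text.partition("-")
    start_s, end_s = start_s.strip(), end_s.strip()
    if not end_s:
        raise ValueError("expected start-end, got %r" % text)
    if "." not in end_s:
        # Short form: only the last octet is given, same /24 as the start.
        end_s = start_s.rsplit(".", 1)[0] + "." + end_s
    first, last = ipaddress.IPv4Address(start_s), ipaddress.IPv4Address(end_s)
    if last < first:
        raise ValueError("range end before start: %r" % text)
    return first, last


def address_count(text):
    """Number of addresses one entry covers. Worth checking before the list
    goes to a vendor: a typo in an octet can add thousands of addresses."""
    first, last = parse_range(text)
    return int(last) - int(first) + 1


def to_cidr(text):
    """Express a start-end entry as CIDR blocks, the form many vendors want."""
    first, last = parse_range(text)
    return [str(n) for n in ipaddress.summarize_address_range(first, last)]


def is_on_campus(client_ip, ranges=SMC_RANGES):
    """The vendor's decision: is the connecting address inside any range?

    This proves only that the request arrived from one of our addresses.
    A campus proxy relaying for an authenticated remote user passes this
    check, which is exactly how proxy-based remote access works.
    """
    try:
        addr = ipaddress.IPv4Address(client_ip)
    except ipaddress.AddressValueError:
        return False
    return any(first <= addr <= last for first, last in map(parse_range, ranges))
```

Note that the last-octet ranges stop at .254, so .0 and .255 of each block are deliberately outside the list; a user whose machine happens to get one of those addresses is refused.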
Direct Dial-in
• School maintains modems or telco
equipment
• How remote access used to be provided
• Advantages
– No remote user authentication problems
for the Library or Database vendors (just
for campus MIS)
Direct Dial-in
• Disadvantages
– Expensive (SMC spends $30K/year)
– Doesn’t help users
• With a LAN connection
• With a cable modem or DSL
• For whom campus is a long distance
phone call
– Users don’t want it
SMC Student Survey, Spring 2000
• Almost 90% have a home PC
• 75% have home Internet access
• Only 20% use free SMC dial-up
Conclusion: users can benefit from
remote access
How to do it in-house
• Referer URL Authentication
• How we do it at SMC
• Proxy Servers
• Rewriting proxies
• Authentication protocols
• User data sources
• What to authenticate against?
Referer URL Authentication
• Also called Referring or Referral URL
• A controlled-access web page
• Registered with the database vendor
• Vendor allows access if the user selects the
database URL from that page
Referer URL Authentication
• Uses the HTTP Referer request header, which
CGI scripts see as the environment variable
HTTP_REFERER
• Passed by the web browser to the vendor's web
server with the request; it names the page the
link was clicked on
• Does not use IP authentication
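The vendor-side check that this method rests on, as an added example that is not the author's or any vendor's code. The registered page path and the sample requests are constructed. It puts the tempting substring check beside an exact scheme/host/path match, and shows the limit both share: the Referer header is whatever the client chooses to send, so a hand-set header passes and a bookmark (no Referer) fails.

```python
"""Vendor-side Referer URL check.

Added example, not vendor code. The registered page URL and the sample
requests are constructed. A naive substring version of the check sits
beside an exact-match version; both accept a forged header, because the
Referer is supplied by the client.
"""
from urllib.parse import urlsplit

# The controlled-access page the library registered with the vendor (assumed path).
REGISTERED = ["http://library.smc.edu/libauth/databases.htm"]


def get_header(headers, name):
    """Case-insensitive lookup; HTTP header names are case-insensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return None


def naive_referer_ok(referer, registered=REGISTERED):
    """The shortcut: 'does the Referer mention our hostname anywhere?'"""
    if not referer:
        return False
    return any(urlsplit(r).netloc.lower() in referer.lower() for r in registered)


def strict_referer_ok(referer, registered=REGISTERED):
    """Compare scheme, host and path exactly. Query and fragment are ignored:
    browsers differ on sending the query and never send the fragment."""
    if not referer:
        return False
    try:
        got = urlsplit(referer)
    except ValueError:
        return False
    for r in registered:
        want = urlsplit(r)
        if (got.scheme.lower(), got.netloc.lower(), got.path or "/") == \
           (want.scheme.lower(), want.netloc.lower(), want.path or "/"):
            return True
    return False


def vendor_decision(headers, check=strict_referer_ok):
    """'allow' or 'deny' for one request, decided from its headers alone."""
    return "allow" if check(get_header(headers, "Referer")) else "deny"


# Constructed requests, as the vendor's server would see them.
REQUESTS = {
    # User clicked the database link on the library's protected page.
    "clicked_from_page": {"Referer": "http://library.smc.edu/libauth/databases.htm"},
    # User typed or bookmarked the database URL: no Referer at all.
    "bookmark": {"Host": "some.database.com"},
    # A page whose hostname merely contains the library's hostname.
    "lookalike_host": {"Referer": "http://library.smc.edu.evil.example/x.htm"},
    # Header set by hand (a script, a command-line client); no login involved.
    "forged": {"referer": "http://library.smc.edu/libauth/databases.htm"},
}
```

The exact match closes the lookalike-host hole but not the forged one; that is the inherent weakness of the method, and the reason vendors that accept Referer URLs are trusting an unauthenticated client header.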
Referer URL Advantages
• Easy to set up
• No additional software
• Authentication is done by the webserver
• No additional hardware
• Relatively simple user training issues
• No client-side setup involved
• No browser version issues
• Just have to train them to login
Referer URL Disadvantages
• Not very flexible
– Can't bookmark
– Difficult to link from multiple pages
– Multiple database URLs from vendor
• Vendor may not support Referer URLs
• Vendor may not support multiple
Referer URLs
• Doesn't scale well
• Weak check: the Referer header is supplied by
the browser, so anyone who knows the
registered URL can send it by hand, and some
browsers and privacy tools suppress it
altogether
Referer URL
• Choose Referer URL Authentication if:
– Small number of resources (<50)
– Little need for linking to resources on other
web pages
– Users or staff are not motivated to handle
proxy configuration issues
– Summary: Referer URL is easy for users
but is not very flexible for the institution
and does not scale well
Referer URLs
• Popular Web Server software
– Apache
– Microsoft IIS
How we do it at
Santa Monica College Library
SMC Environment
– Databases subscribed to: 22
– Databases that support Referer URL: 20
– Number of Vendors: 14 (12 remote)
– 13,000 Student FTE but 30,000 head count
• We use Referer URLs
• Database link points to IP-checking
script
How we do it at
Santa Monica College Library
• Login link points to a protected page on an
IIS web server
• Only authenticated users are allowed access
• Uses both Basic and NTLM authentication
• Users submit NT username and password to
authenticate
• All databases on one page
Proxy Servers
proxy
from Merriam-Webster’s Collegiate Dictionary Online
Pronunciation: 'präk-sE
Inflected Form(s): plural prox·ies
Etymology: Middle English procucie, contraction of
procuracie, from Anglo-French, from Medieval
Latin procuratia, alteration of Latin procuratio
procuration
Date: 15th century
Proxy Servers
Proxy (cont.)
1 : the agency, function, or office of a deputy
who acts as a substitute for another
2 a : authority or power to act for another b :
a document giving such authority;
specifically : a power of attorney authorizing
a specified person to vote corporate stock
3 : a person authorized to act for another :
PROCURATOR
Proxy Servers
• Perform web retrievals on behalf of a web
browser
• Most often used to speed up Internet access
and reduce bandwidth by caching frequently
used pages
• Libraries use proxy servers to make off-campus
web clients look like on-campus ones
• Authenticated users are allowed to relay requests
through our IP address space; the vendor sees
the proxy's on-campus address, not the user's
Proxy Servers:
Manual Configuration
Proxy Servers
• Drawbacks of standard browser proxy
configuration
– All traffic goes through proxy server
– User has to manually configure and
unconfigure settings
Proxy Servers
• Proxy Auto Configuration (PAC)
– Written in JavaScript
– Commonly called proxy.pac
– Downloaded by web browser
– Allows using a proxy server for some sites
but going direct for others
– Look on Google for Library examples
Proxy Servers:
Proxy.pac Configuration
A Small proxy.pac File
function FindProxyForURL(url, host)
{
    if (shExpMatch(host, "*.umi.com"))
        return "PROXY library.smc.edu:3128";
    if (shExpMatch(host, "*.gale.com"))
        return "PROXY library.smc.edu:3128";
    // otherwise...
    return "DIRECT";
}
Proxy Servers: Advantages
• Can place database links anywhere
• A single URL from the database vendor
• Proxy servers scale better
– 20 resources fit on a single page, 5000 do
not
Proxy Servers: Disadvantages
• Some browsers don't support PACs
• Problems with multiple proxy servers
• Problems with firewalls
• Requires users to be motivated and
willing to install web browsers
Proxy Servers: Disadvantages
• Requires extensive support
– Examples
• User may not have permissions to
change settings
• Potentially creates a single point of
failure
Proxy Servers
• Popular Proxy Server software:
– Squid
– Apache mod_proxy
– Microsoft Proxy Server
– Microsoft Internet Security and
Acceleration (ISA) Server
Proxy Servers: Summary
• Proxy servers are relatively easy and
flexible for the institution, but require a
lot from users
• For most larger libraries they are the
only possible solution
Rewriting proxy
• Dynamically rewrites URLs in HTML
documents as they pass through, so every
link leads back through the proxy
• URLs look like:
– http://library.myschool.edu/proxycgi?http://some.database.com
• No browser configuration issues
• No browser support issues
• Examples
– EZProxy
– Apache::RewritingProxy
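The rewriting step, as an added example that is not EZProxy or Apache::RewritingProxy code. The proxy prefix is the one on the slide; the licence list of proxied hosts and the sample page are constructed. It covers both directions: rewriting the links in a fetched page so the browser comes back through the proxy, and the check the proxy script must make on the way out so that it relays only to licensed hosts and does not become an open proxy sitting in campus address space.

```python
"""URL rewriting as a rewriting proxy does it.

Added example; not EZProxy or Apache::RewritingProxy code. PROXY_PREFIX
is the slide's URL shape; PROXIED_HOSTS and the sample page are
constructed for the example.
"""
import re
from urllib.parse import urljoin, urlsplit

PROXY_PREFIX = "http://library.myschool.edu/proxycgi?"      # from the slide
PROXIED_HOSTS = {"some.database.com", "search.umi.com"}     # assumed licence list

# href/src/action attributes with a quoted value. Adequate for the
# hand-written HTML of the period; not a full HTML parser.
_ATTR = re.compile(r"""(?i)\b(href|src|action)\s*=\s*(["'])(.*?)\2""")


def is_proxied(url):
    """True when url is an http(s) URL whose host is on the licence list."""
    parts = urlsplit(url)
    return parts.scheme.lower() in ("http", "https") and \
        (parts.hostname or "").lower() in PROXIED_HOSTS


def proxied_url(url):
    """Wrap an origin URL so the request comes to the proxy script."""
    return PROXY_PREFIX + url


def rewrite_html(html, page_url):
    """Rewrite links to proxied hosts so they route through the proxy.

    Relative links are resolved against page_url first: once the browser
    is talking to library.myschool.edu, a relative link would otherwise
    resolve there instead of at the database site.
    """
    def repl(match):
        attr, quote, target = match.group(1), match.group(2), match.group(3)
        absolute = urljoin(page_url, target.strip())
        if is_proxied(absolute):
            return "%s=%s%s%s" % (attr, quote, proxied_url(absolute), quote)
        return match.group(0)        # everything else is left untouched
    return _ATTR.sub(repl, html)


def origin_for(request_url):
    """Outbound direction: given the URL a browser asked the proxy for,
    return the origin URL to fetch, or None if the request must be refused
    (not our prefix, or a host we do not license)."""
    if not request_url.startswith(PROXY_PREFIX):
        return None
    origin = request_url[len(PROXY_PREFIX):]
    return origin if is_proxied(origin) else None


# Constructed page as served by some.database.com.
SAMPLE_PAGE_URL = "http://some.database.com/index.html"
SAMPLE_HTML = """<a href="http://some.database.com/search?q=x">Search</a>
<a href="/help/faq.html">Help</a>
<img src="http://www.example.com/logo.gif">
<a href="mailto:ref@some.database.com">Ask a librarian</a>
<form action='http://some.database.com/login'></form>
<a href="http://library.myschool.edu/proxycgi?http://some.database.com/x">Already proxied</a>"""
```

Links to unlicensed hosts, mailto: links and links that already point at the proxy are passed through unchanged; the relative link is resolved first and then rewritten because its host is the database site.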
Authentication protocols
• Basic Authentication
– Supported by almost all web
browsers, web servers and proxy
servers
– Used to protect access to resources
Basic Authentication:
Basic Problem
• Sends usernames and passwords
unencrypted: they are only Base64-encoded,
which anyone can reverse
• Sends them with every request, not just
at login, so there are many chances to
capture them
Solution: Use SSL
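What the Authorization header actually carries, as an added example that is not from the slides. It builds the header a browser sends, reverses it, and scans a constructed capture of three requests to show the same credential repeated on every request, including a Proxy-Authorization header that stays visible even when the vendor session itself is SSL-protected, because the browser-to-proxy leg is plain HTTP. The hostnames and the password are constructed.

```python
"""Basic authentication on the wire.

Added example (not from the slides). Shows what the Authorization header
carries, why "unencrypted" is the right word even though it does not
look like plaintext, and that the browser repeats the credential on
every request. The captured request lines are constructed.
"""
import base64
import binascii


def build_basic_header(username, password):
    """The value a browser sends after a 401 with 'WWW-Authenticate: Basic'."""
    token = base64.b64encode(("%s:%s" % (username, password)).encode("latin-1"))
    return "Basic " + token.decode("ascii")


def decode_basic_header(value):
    """Recover (username, password) from an Authorization or
    Proxy-Authorization value; None if it is not a well-formed Basic credential.

    Base64 is an encoding, not encryption: there is no key to know.
    """
    scheme, _, token = value.strip().partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        raw = base64.b64decode(token.strip(), validate=True)
    except (binascii.Error, ValueError):
        return None
    # RFC 2617: the user-id may not contain ':'; the password may.
    user, sep, password = raw.decode("latin-1").partition(":")
    return (user, password) if sep else None


def credentials_in_capture(capture):
    """Scan a plain-text capture of HTTP requests and list every Basic
    credential in it, tagged with the header it travelled in."""
    found = []
    for line in capture.splitlines():
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() in ("authorization", "proxy-authorization"):
            creds = decode_basic_header(value)
            if creds:
                found.append((name.strip().lower(),) + creds)
    return found


# Constructed capture: a login to the library's protected page, the inline
# image on that page, then a CONNECT through a campus proxy to an
# SSL-protected vendor. The same credential appears three times; the last
# one is readable even though the vendor session is encrypted, because the
# browser-to-proxy leg is plain HTTP.
CAPTURE = """GET /libauth/databases.htm HTTP/1.0
Host: library.smc.edu
Authorization: Basic c3R1ZGVudDpwYXNzd29yZDEyMw==

GET /libauth/images/logo.gif HTTP/1.0
Host: library.smc.edu
Authorization: Basic c3R1ZGVudDpwYXNzd29yZDEyMw==

CONNECT secure.vendor.example:443 HTTP/1.0
Proxy-Authorization: Basic c3R1ZGVudDpwYXNzd29yZDEyMw==
"""
```

Running credentials_in_capture(CAPTURE) yields the same username and password three times, once per request; SSL between browser and web server protects the first two, but nothing on a plain-HTTP proxy connection protects the third.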
Basic Authentication and SSL
• Secure Sockets Layer (SSL)
• SSL encrypts the whole connection, so the
Basic credentials travel encrypted along with
the pages
• URLs show https:// rather than http://
• Netscape: padlock in the bottom left
hand corner
• Internet Explorer, a yellow lock at the
middle of the status bar
Basic Authentication and SSL
• Supported by:
– Netscape Navigator (versions 2.0 and
above),
– Internet Explorer (version 3.0 and above)
– AOL (AOL 3.0 and above)
Basic Authentication and SSL
• Problems with SSL
– Encryption makes things slower
– Must buy certificates or…
– Can create your own certificates (browsers
will warn users about them)
– Can't use SSL to protect Basic authentication
to a proxy server: browsers talk to the proxy
over plain HTTP, so Proxy-Authorization goes
in the clear
Alternatives to Basic Authentication
• NTLM (Windows NT LAN Manager)
– Also known as NTCR (NT Challenge/Response).
Now called Integrated Windows Authentication
– The password itself is never sent; the client
answers a server challenge with a value
derived from the password hash
– Requires NT or Microsoft Networking client
on Win9x as client OS
– Requires IE 3.x or greater browser
– Cannot pass through a proxy server (it
authenticates the connection, not each request)
Alternatives to Basic Authentication
• Digest
– Netscape 4.x still sends password in
clear text with Digest
– Netscape 6 will support digest
authentication
Authentication Protocol Problems
• We want a protocol that is
– Free
– Secure
– Works over the Internet
– Works with any browser
– With any operating system
• There is no such protocol!
Authentication Set-up Examples
• Microsoft Internet Information Server
• Microsoft Proxy Server
• Apache web server
• Squid proxy server
Authentication Set-up in IIS
Basic Authentication in MS Proxy
Authentication Set-up in Apache
<Directory "/home/httpd/html/libauth">
    AuthName "SMCLAuthentication"
    AuthType Basic
    PerlSetVar myPDC ROMULUS
    PerlSetVar myBDC REMUS
    PerlSetVar myDOMAIN STUDENT
    PerlAuthenHandler Apache::AuthenSmb
    require valid-user
</Directory>
Authentication Set-up in Squid Proxy
Relevant lines from squid.conf:
acl ourusers proxy_auth REQUIRED
http_access allow ourusers
# explicit default: anything not matched above is refused
http_access deny all
authenticate_program /usr/local/squid/bin/msntauth
Authentication Set-up in Squid Proxy
msntauth.conf (one line per NT domain: server <PDC> <BDC> <domain>):
server newton thor smc
server romulus remus student
User data sources
• Where is your user data?
– Campus registration system
– Network OS user database
– Library automation system
– E-mail user database
User data sources
• What user data do you want to use?
– Network username and password
– Student ID number
– Library patron barcode number
– Passwords, PINs, SSN, Phone number (SSN and
phone number are poor secrets: widely known
and not changeable if exposed)
User data sources
• Make a list
– What user data do you want to use
– Where is this user data
– What software does this system use
– How will you query the system
– Or will you extract the data
SMC User Data Sources
• SMC Registration System “WebISIS”
• Library Automation System
• Windows NT User Database
SMC User Data Sources
• SMC Registration System “WebISIS”
– Uses Oracle
– Sends student data to NT User Database
– Sends student data to Library System
– Use SQL or Perl-DBI to query
– Is staff data easily available?
– Student NT account names assigned?
SMC User Data Sources
• SMC Library Automation System
– Sirsi Unicorn
– Write shell/Perl script to check User ID and
PIN against user database?
– Students might not know User ID/PIN
– Inconsistent assignment of staff IDs
SMC User Data Sources
• Windows NT User Database
– Info for almost all students and staff
– Can easily query domain controllers
– Well-integrated with MS-IIS webserver
– Also supported by Apache/Squid plug-ins
Authenticate against what?
• Apache and Squid
– Support authentication plug-ins
– Plug-ins available for:
• Windows NT user database
• LDAP, Radius, MySQL, NCSA, NIS, Unix
password files
– Or write your own in Perl, C, etc.
Authenticate against what?
• MS IIS, Proxy Server and ISA Server
– Windows NT user database
– Support authentication plug-ins
– Write your own?
How to get somebody else to do it
• Campus MIS
• Library Automation Vendor
• Database Vendor
• Commercial solutions
How to get somebody else to do it
• Campus MIS
– Campus-wide authentication project?
• Remote access?
• Library needs?
– Ask for anything we have discussed so far
– Tell them This Is Important To The Library
And To The School
How to get somebody else to do it
• Library Automation Vendor
– Some support remote authentication
• EpixTech (Ameritech)
• Innovative Interfaces
– Some systems can be cajoled into
authenticating via scripts
• DRA
• Sirsi
How to get somebody else to do it
• Library Automation Vendor
• Advantages
• For some libraries this is their only user
database
• Integration with other services provided
to users
• Easy user interface (or interface user is
familiar with)
How to get somebody else to do it
• Library Automation Vendor
• Disadvantages
– You are tied to your ILS vendor’s
system
– Your ILS vendor may not support this
– Not all of your databases may be
supported by your vendor
How to get somebody else to do it
• Database Vendor Authentication
– Provide them a list of user IDs
– Patron barcode begins with …
– Institutional username and password
for each product
How to get somebody else to do it
• Database Vendor Authentication:
Advantages
– Easy to implement
• Database Vendor Authentication:
Disadvantages
– Lack of consistency
How to get somebody else to do it
• Use database vendor authentication
methods if
– Small number of products (<5)
– Small number of users (<5000)
– Or no support staff for anything better
How to get somebody else to do it
• Third-party remote access
authentication products and services
– EZProxy
– Obvia
– Efixa
Why is it so hard?
• All the user wants is access to the
database
• All the vendor wants to know is that
this remote user has some connection
with your institution
• All the Library wants is to make the
vendor and the user happy
Why is it so hard?
• Each site has a unique set of local
information systems
– Campus IS,
– Library automation,
– Network OS
– Web servers
– Locally developed means of transferring
data
Why is it so hard?
• No web authentication method that is
– Widely-supported
– Inexpensive
– Secure
Why is it so hard?
• Off-campus users have a wide variety of
– Web browsers
– Operating systems
– Means of accessing the Internet
– Levels of computer expertise
Recommendations
• There is no one right solution
• Research and test any solution
– Find out what other libraries are doing
– Test web browsers and operating systems
– Provide web page support for your users
– Train library staff on support
Remote User Authentication
More resources at
http://library.smc.edu/rpa.htm
This presentation at
http://library.smc.edu/rua.htm