
Extensible User Authentication in a Computer Operating System

IP.com Disclosure Number: IPCOM000107440D
Original Publication Date: 1992-Feb-01
Included in the Prior Art Database: 2005-Mar-21
Document File: 3 page(s) / 144K

Publishing Venue

IBM

Related People

Camillone, N: AUTHOR [+4]

Abstract

Disclosed is a design for extensible user authentication in a computer operating system. This design allows for greater flexibility in the administration of user authentication and enables system administrators to control the authentication policy on their systems.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 44% of the total text.

Extensible User Authentication in a Computer Operating System

       Disclosed is a design for extensible user authentication
in a computer operating system.  This design allows for greater
flexibility in the administration of user authentication and enables
system administrators to control the authentication policy on their
systems.

      User authentication is the keystone of operating system
security.  User credentials and environment are established on the
basis of authentication, and these, in turn, determine the access
rights and accountability of the user on the system.  User
authentication occurs when the user begins a new session on the
system.  This may be during normal interactive log-in, or it may be
transaction oriented, as when the user transfers a remote file or
executes a remote command.  User authentication is always done on the
basis of something the user has (e.g., a key or a badge), something
the user knows (e.g., a password) or something the user is (e.g., a
retina scan).

      The present UNIX* operating system includes a fairly basic user
authentication scheme based on passwords.  Each user is assigned (or
selects) a password.  When the user logs into the system, the
password is given in order to verify the user's identity.  Each
program that does authentication (e.g., login, su, ftpd, rlogind,
telnetd) does its own authentication - that is, the program prompts
for the user's password and reads the password from the user database
and compares the two to verify the user's identity.

      This scheme is very rigid and limits authentication to short
(eight character) passwords.  Other methods of authentication can
only be integrated into the system by replacing all programs which do
authentication.  Even this drastic a step would be inadequate, since
new programs would still assume that passwords were the mechanism for
user authentication.  This scheme is also limited in that it only
deals with the establishment of local credentials and authentication
information.  With the extension of UNIX into distributed systems,
the user may have several sets of network credentials and
authenticators which must be managed correctly in order to ensure the
underlying security of the system.  Present UNIX systems require the
user to do this more or less manually.  In systems that provide for
automatic management of network credentials, this information is kept
in the user's home directory, which is a notable security flaw.

      The AIX** operating system has been extended to provide a
configurable user authentication subsystem.  In addition to enabling
alternate authentication methods, this system provides for more
advanced features including integrated network authentication and
n-person account control.

      In keeping with the object-oriented nature of AIX system
administration, authentication is done by defined methods upon
defined objects.  Authentication objects contain authenticatio...
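The core idea of the design, as an added example that is not code from the disclosure: login, su, ftpd and similar programs call a single authenticate() entry point, and the per-user configuration, not the program, decides which methods apply. The method names, user records and the shape of the n-person rule are constructed assumptions for illustration.

```python
"""Pluggable user authentication, modelled on the AIX design described above.

Constructed example: every authenticating program calls authenticate(); the
user record lists the methods that must pass, so adding a method means
registering it here rather than changing every program.
"""
import hashlib
import hmac

# Method registry: name -> check(record_params, supplied_credentials) -> bool
METHODS = {}

def method(name):
    def register(fn):
        METHODS[name] = fn
        return fn
    return register

def pbkdf2(password, salt):
    # Salted, iterated hash instead of the fixed eight-character crypt() password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

@method("password")
def check_password(params, supplied):
    # Something the user knows; compared in constant time against the stored hash.
    return hmac.compare_digest(params["hash"], pbkdf2(supplied.get("password", ""), params["salt"]))

@method("token")
def check_token(params, supplied):
    # Something the user has: a code from a token device (constructed stub).
    return hmac.compare_digest(params["expected"], supplied.get("token", ""))

@method("n_person")
def check_n_person(params, supplied):
    # n-person account control: at least n distinct authorized users must vouch.
    vouchers = set(supplied.get("vouchers", ())) & set(params["authorized"])
    return len(vouchers) >= params["n"]

# Constructed user database: methods and their parameters are stored per user.
SALT = b"constructed-salt"
USERS = {
    "alice": {"methods": [("password", {"hash": pbkdf2("correct horse", SALT), "salt": SALT})]},
    "ops": {"methods": [("password", {"hash": pbkdf2("ops-pw", SALT), "salt": SALT}),
                        ("token", {"expected": "483921"})]},
    "root": {"methods": [("n_person", {"n": 2, "authorized": ["alice", "bob", "carol"]})]},
}

def authenticate(user, supplied):
    """Single entry point for login, su, ftpd, ...: every configured method must pass."""
    record = USERS.get(user)
    if record is None:
        return False
    return all(METHODS[name](params, supplied) for name, params in record["methods"])
```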