Authentication technologies

Generic authentication frameworks


PAM (Pluggable Authentication Modules) is a generic authentication infrastructure for the most common Unix-like operating systems (Linux, Solaris, ...). It is used to authenticate accounts locally. A large number of modules exist for various purposes.


SASL (Simple Authentication and Security Layer) is a generic authentication infrastructure for client/server connections. Many plugins exist for various authentication techniques, such as passwords (cleartext, MD5 hash), Kerberos5 (using GSSAPI) and others.

Authentication using symmetric key cryptography

The key used for encryption and decryption is the same (or one is easily derived from the other). A trusted third party is needed to establish the trust relation. In High Energy Physics (HEP), Kerberos4 and Kerberos5 are used. Kerberos4 has security flaws and has largely been replaced by Kerberos5.


Defined in RFC4120; the GSS-API mechanism is defined in RFC4121.

Currently implemented in three major variants: MIT Kerberos, Heimdal Kerberos and Windows Kerberos.

See also the FNAL solution:

Software with Kerberos Support

Usually the software mentioned below does not come with Kerberos support by default; configuration or recompilation is required in most cases.

Other UNIX software is, or could be made, Kerberos5-aware by using SASL or the GSS-API.

Software contributions from the HEP community

Authentication using public key infrastructure

Public key cryptography is an asymmetric key method. It uses a pair of keys, called the public and the private key. The public key is intended for distribution, while the private key must be kept secret. The two keys are connected through a mathematical relation that is highly asymmetric in terms of the computational effort needed to derive one key from the other.

Knowing the public key, it should be practically impossible to derive the private key.

In order to verify that a public key is associated with its real owner, a Public Key Infrastructure (PKI) is installed. In most practical cases within HEP the keys used are so-called X.509 certificates. These certificates are verified through a hierarchy of trusted third parties, called Certification Authorities (CAs).

The various deployed grid solutions (e.g. LCG) all use authentication with certificates.
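The CA hierarchy described above, as an added shell example that is not part of the original page: it builds a root CA, an intermediate CA and a host certificate with the openssl command line, then shows that the host certificate verifies only when the whole chain up to the trusted root can be assembled. All names, the 30-day validity and the file layout are constructed for this example; it assumes an openssl binary is installed.

```shell
#!/bin/sh
# Added example: three-level X.509 hierarchy (root CA -> intermediate CA ->
# host certificate) built with openssl and verified against the root alone.
# All names ("Example Root CA", host.example.org, ...) are constructed.
set -eu

# build_chain DIR: create keys and certificates in DIR (runs in a subshell, so cd does not leak).
build_chain() (
    mkdir -p "$1" && cd "$1"
    # Root CA: self-signed, CA:TRUE, no path length limit (it must be allowed to sign a sub-CA).
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > root.ext
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example HEP Site/CN=Example Root CA" \
        -keyout root.key -out root.csr 2>/dev/null
    openssl x509 -req -in root.csr -signkey root.key -set_serial 1 -days 30 \
        -extfile root.ext -out root.pem 2>/dev/null
    # Intermediate CA: signed by the root; pathlen:0 means it may only sign end entities.
    printf 'basicConstraints=critical,CA:TRUE,pathlen:0\nkeyUsage=critical,keyCertSign,cRLSign\n' > inter.ext
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example HEP Site/CN=Example Intermediate CA" \
        -keyout inter.key -out inter.csr 2>/dev/null
    openssl x509 -req -in inter.csr -CA root.pem -CAkey root.key -CAcreateserial -days 30 \
        -extfile inter.ext -out inter.pem 2>/dev/null
    # Host certificate: an end entity (CA:FALSE) signed by the intermediate, never by the root directly.
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=serverAuth\n' > host.ext
    openssl req -new -newkey rsa:2048 -nodes -subj "/O=Example HEP Site/CN=host.example.org" \
        -keyout host.key -out host.csr 2>/dev/null
    openssl x509 -req -in host.csr -CA inter.pem -CAkey inter.key -CAcreateserial -days 30 \
        -extfile host.ext -out host.pem 2>/dev/null
)

# verify_host DIR MODE: only root.pem is trusted. MODE=with-intermediate offers inter.pem as an
# untrusted chain link (as a server would send it); MODE=root-only offers nothing but the anchor.
# Returns openssl's exit status: 0 when the chain to the trusted root could be built.
verify_host() {
    if [ "$2" = with-intermediate ]; then
        openssl verify -CAfile "$1/root.pem" -untrusted "$1/inter.pem" "$1/host.pem" >/dev/null 2>&1
    else
        openssl verify -CAfile "$1/root.pem" "$1/host.pem" >/dev/null 2>&1
    fi
}

# Demonstration: the same host certificate passes or fails depending on whether the
# intermediate CA certificate is available to complete the path to the root.
demo() {
    dir=$(mktemp -d)
    build_chain "$dir"
    verify_host "$dir" with-intermediate && echo "with intermediate: chain verifies"
    verify_host "$dir" root-only || echo "root only: verification fails (issuer certificate missing)"
    rm -rf "$dir"
}
demo
```

The second case is the usual cause of "unable to get local issuer certificate" errors in grid and web services: the host certificate is fine, but the intermediate CA certificate was not installed alongside it.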

Software that is using Certificates

For other talks on this subject see also "Talks at HEPiX meetings related to Single Sign On" below and

Single Sign On

There is also a report on using SSO at the TFH Wildau (in German), which uses Kerberos on UNIX and a trust relationship with the realm on Windows (also tested at DESY), and a diploma thesis that describes the migration from OpenAFS kaserver authentication to Heimdal Kerberos5.

Other topics

One time passwords

Synchronisation of passwords across platforms

DVInfo/Authentication_technologies_in_use_at_HEP (last edited 2008-10-30 11:40:12 by localhost)