PLUGGABLE ACCOUNT MANAGEMENT INTERFACE WITH UNIFIED LOGIN AND LOGOUT AND MULTIPLE USER
1. Field of the Invention
The invention relates generally to methods and systems for managing user access to networked computers, and more particularly, to methods and systems that support the use of user authentication, account, password, and session management services.
2. Background of the Invention
Many computer systems, particularly networked computer systems supporting many users, generally employ some form of an account management system to track authorized users of the system, the type of account each user has, including what services or resources are available to the user, each user's password, and the details of each session the user has on the computer system. One of the critical aspects of account management is the authentication of users attempting to access the computer system.
Conventional networked computer systems typically provide in an account management system one or more mechanisms that authenticate the identity of a user attempting to access the system. The authentication services typically rely on data that is uniquely associated with a user to establish the user's identity. Conventional authentication services include various password or key-based protocols such as DES, Kerberos, Diffie-Hellman; biometric systems, such as retina scans, fingerprint scans, and voiceprint analysis; challenge/response systems that require the user to respond to a varying coded prompt with an appropriate response algorithmically dependent on the prompt; and hardware devices such as smart-cards encoded with information particular to the user. One factor authentication systems use a single authentication service to authenticate the user. Multifactor systems combine authentication services, such as a password and a retina scan.
Most computer systems support various types of system entry services, such as UNIX® login, ftp, telnet, passwd, rlogin, and the like. These system entry services are generally coupled directly to the authentication service, whether one factor or multi-factor, to authenticate users during the initial connection and authentication process. The authentication service is generally accessed through hard coded rules or linkages in the source code of each of the system entry services. If multiple authentication services are used to increase the security of the computer system, then each system entry service must be coded or otherwise directly linked with each authentication service.
One problem with this approach is that it results in a very specific combination of authentication services, and requires source code modification of the system entry services in order to couple them to the authentication services. Second, as the strength of existing authentication services declines over time, and as new authentication technologies are developed, a hard-coded approach severely limits a system administrator's ability to incorporate new authentication services into the authentication system. Third, in this approach the system entry services are not truly independent of the authentication services, but rather effectively integrated with them. The system administrator is unable to easily specify the use of particular authentication services for a given type of system entry service since all system entry services use the same authentication services. The lack of independence further hampers the adaptability of the computer system, and increases the difficulty of system maintenance. These problems also apply to the other aspects of the account management system, such as the session, password, and account components that separately administer these aspects of the user's interaction with the computer system.
For any computer security system to be successful, it must be easy to use. However, in conventional systems where multiple authentication services are used to authenticate the user, the user must typically remember or provide an authentication token for each authentication service. Authentication tokens include passwords, public keys, private keys, smart card personal identification numbers, biometric data such as retinal scans, fingerprints, voiceprints, and the like. This requirement typically makes it difficult for the user to access the system, especially where each authentication service has different requirements for allowable characters, length of key, age restrictions on keys, and other particular parameters. The use of multiple authentication tokens may be particularly difficult for novice users who are not familiar with the underlying system security policies or authentication services.
Another problem with the use of multiple authentication services arises when the user attempts to logout and terminate their session. When a user is authenticated, the user's credentials, including the user's authentication token, are typically stored on the system. Storing the credentials is generally part of the security system of the computer, and allows a system administrator to determine who is currently logged into the computer, which resources are being used, and other account related information. Currently, there is not provided a single logout mechanism that locates and destroys the credentials created by the various authentication services used to authenticate the user. Rather, the user currently must manually destroy the credentials by invoking for each authentication service the appropriate function to remove the credentials created by that authentication service. For example, to destroy credentials created by a Diffie-Hellman authentication service, the user must invoke Keylogout on a UNIX® system which locates the private key of the user and removes it. Similarly, on a UNIX® system with a Kerberos authentication service, the user must invoke kdestroy. Other authentication services have their own particular key removal or destruction process.
Manual destruction of credentials presents several problems. First, it eliminates the transparency of the authentication services to the user. One of the essential ideas in providing a multiple authentication system is that the separate services are transparent to the user, who needs only to initiate their login process for whatever type of connection is being made. Requiring the user to then directly interact with the underlying authentication services by invoking multiple different commands removes the transparency, and thus the ease of use of the authentication system as a whole. Second, while the user could modify a UNIX® logout file, or similar file on other systems, that contains a number of processes to execute on logout, this requires that the user have a high degree of familiarity with the particular authentication services, and the configuration of system files and scripts. This high level of training is not applicable to the broad variety of users of such systems. Third, modification of logout files to initiate logouts of all authentication services would result in logging out the user from all current sessions, even if the user desires only to logout of one session. This is an undesirable side effect that may frustrate many users, as they would be required to login again to re-establish one of the sessions.
Accordingly, it is desirable to provide a system and method that separates the system entry services from the account management system in such a way that any combination of particular account management services may be specified for use with particular system entry services, such that the use of the account management services is transparent to the system entry services, and the user. In particular, it is desirable to provide a system that allows specific system entry services to be associated with selected authentication services in an easily configurable, flexible manner. It is also desirable to provide a system and method where a user is able to employ a single authentication token with any number of multiple authentication services to obtain a unified login. It is finally desirable to provide a system to provide unified logout so that the user does not have to manually logout and destroy credentials created during the authentication process.
SUMMARY OF THE INVENTION
The present invention overcomes the foregoing various limitations by providing an application programming interface that mediates between the system entry services and the account management services on a computer, and a facility that stores service associations between each system entry service and selected ones of the account management services. The application programming interface receives invocations from a given system entry service for a given type of functionality, determines which particular account management services are associated with the invoking system entry service, any restrictions or parameters of such association, and then invokes the appropriate account management service to provide the requested functionality. In a preferred embodiment the service associations are stored in a configuration file, but other types of storage facilities may also be used. The application programming interface is "pluggable" because any number of different account management services may be accessed by the application programming interface through the service associations. Thus, the application programming interface transparently and dynamically links a particular requested operation of a particular system entry service with the appropriate account management service, or services for providing that operation. The application programming interface is here called a pluggable account management interface.
The configuration file or other facility managing the service associations allows for establishing associations between a given system entry service and multiple instances of a given account management service type, such as authentication, session, and the like. The ability to provide such multiple associations is called "stacking." Stacking account management services is particularly useful with authentication services, providing multiple authentication services for any given system entry service, without the need to modify the source code of each system entry service to provide such relationships.
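The service-association file and the stacked dispatch described in the two preceding paragraphs, as an added illustration that is not the patent's own code: the interface reads the associations, finds the stack for the invoking entry service and service type, and calls each associated service by name. The four-column layout and the `required`/`optional` control flags are assumptions, as are the sample service names and tokens.

```python
from collections import namedtuple

# Constructed service-association file (format and control flags are
# assumptions). Each line couples one system entry service to one account
# management service; repeated lines of one type form a "stack".
CONFIG = """
login  auth     required  unix_password
login  auth     required  kerberos        # stacked with unix_password
login  session  optional  session_log
ftp    auth     required  unix_password
"""

Association = namedtuple("Association", "entry_service service_type control module")

def parse_config(text):
    associations = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        fields = line.split()
        if len(fields) != 4 or fields[2] not in ("required", "optional"):
            raise ValueError(f"malformed association: {raw!r}")
        associations.append(Association(*fields))
    return associations

def stack_for(associations, entry_service, service_type):
    return [a for a in associations
            if a.entry_service == entry_service and a.service_type == service_type]

# Constructed account management services, reached only through the table
# MODULES rather than through a linkage compiled into the entry service.
def unix_password(user, tokens): return tokens.get("unix_password") == "hunter2"
def kerberos(user, tokens): return tokens.get("kerberos") == "krb-secret"
def session_log(user, tokens): return True
MODULES = {"unix_password": unix_password, "kerberos": kerberos,
           "session_log": session_log}

def invoke(associations, entry_service, service_type, user, tokens):
    """Run the configured stack; True only if every 'required' service passes."""
    stack = stack_for(associations, entry_service, service_type)
    if not stack:
        raise LookupError(f"no {service_type} service for {entry_service}")
    ok = True
    for assoc in stack:
        passed = MODULES[assoc.module](user, tokens)
        if assoc.control == "required" and not passed:
            ok = False      # keep running the rest; do not reveal which one failed
    return ok
```

Adding a second authentication service to `ftp` is one more configuration line; the entry service itself is not recompiled.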
Stacking of authentication services further supports unified login and logout. Unified login is accomplished through an authentication token mapping process. This process uses a user's primary authentication token for a primary authentication service, such as a password, private key, or other unique data, to encrypt the user's other authentication tokens for other secondary authentication services. The encrypted authentication tokens, along with data indicating which authentication services they are associated with, are stored in an available storage facility, such as a user context, naming service, smart card, or the like. In this manner, the user need only remember or provide a single authentication token to the computer system, even though multiple authentication services are supported.
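The token mapping process above, as an added example (not the patent's code): a password serves as the primary token, stretched with PBKDF2 into keys that encrypt and authenticate each secondary token; the stored records carry the name of the authentication service each token belongs to. The HMAC-in-counter-mode stream cipher, the iteration count and the sample tokens are assumptions of this illustration.

```python
import hashlib, hmac, os

ITERATIONS = 200_000   # PBKDF2 work factor (constructed value)

def _derive_keys(primary_token, salt):
    """Stretch the primary token into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac("sha256", primary_token.encode(), salt, ITERATIONS, dklen=64)
    return material[:32], material[32:]

def _keystream(enc_key, nonce, length):
    """HMAC-SHA256 in counter mode, used here as a simple stream cipher."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]

def map_tokens(primary_token, secondary_tokens):
    """Encrypt each secondary token under the primary token.
    Returns (salt, records); records maps service name -> (nonce, ciphertext, tag)."""
    salt = os.urandom(16)
    enc_key, mac_key = _derive_keys(primary_token, salt)
    records = {}
    for service, token in secondary_tokens.items():
        nonce, plaintext = os.urandom(16), token.encode()
        ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
        # the tag also covers the service name, so a record cannot be re-labelled
        tag = hmac.new(mac_key, service.encode() + nonce + ciphertext, "sha256").digest()
        records[service] = (nonce, ciphertext, tag)
    return salt, records

def unmap_tokens(primary_token, salt, records):
    """Recover the secondary tokens for the stacked authentication services.
    Raises ValueError if the primary token is wrong or a record was altered."""
    enc_key, mac_key = _derive_keys(primary_token, salt)
    tokens = {}
    for service, (nonce, ciphertext, tag) in records.items():
        expected = hmac.new(mac_key, service.encode() + nonce + ciphertext, "sha256").digest()
        if not hmac.compare_digest(expected, tag):
            raise ValueError(f"cannot unlock the {service} token")
        stream = _keystream(enc_key, nonce, len(ciphertext))
        tokens[service] = bytes(c ^ k for c, k in zip(ciphertext, stream)).decode()
    return tokens
```

The records returned by `map_tokens` are what would be kept in the user context, naming service or smart card; only the primary token has to be supplied at login.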
The present invention further provides for unified logout in a transparent and easy to use and administer fashion by providing a transparent credential destruction process that handles the identification and removal of a user's credentials during a single logout process. The credential destruction process may be implemented either as an additional service separate from each of the authentication services that create the credentials, or it may be incorporated into each authentication service as appropriate. The pluggable account management interface determines which authentication service, or other service, is selected for providing destruction of credentials, and invokes that service to provide a credential destruction process. The credential destruction process determines the user requesting destruction of the credentials, verifies that the user is the actual user for those credentials, locates the credentials as stored by the authentication service, and removes them from the system. In conjunction with the pluggable account management interface, the credential destruction process operates without the user having to manually invoke particular services to destroy the credentials.
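The credential destruction steps just listed, as an added example that is not the patent's code: each service's destruction routine verifies that the requester owns the credentials, locates only those of the session being ended, and removes them, and the interface runs every routine stacked under the entry service in one call. The in-memory stores, the `LOGOUT_STACK` association and the session names are assumptions standing in for a ticket cache or key server.

```python
from dataclasses import dataclass

@dataclass
class Credential:
    owner: str      # user the credential was issued to
    session: str    # system entry session (e.g. a tty) that created it
    material: str   # stand-in for a Kerberos ticket or DH private key (constructed)

# Constructed per-service credential stores, standing in for a Kerberos
# ticket cache or the key server holding a Diffie-Hellman private key.
STORES = {"kerberos": [], "diffie_hellman": []}

# Service association: which destruction routines the interface invokes
# for a logout from the 'login' entry service (assumed configuration).
LOGOUT_STACK = {"login": ["kerberos", "diffie_hellman"]}

def create_credential(service, owner, session, material):
    STORES[service].append(Credential(owner, session, material))

def destroy_credentials(service, requester, session):
    """One service's credential destruction: verify ownership, locate the
    credentials of this session only, remove them. Returns the count removed."""
    store = STORES[service]
    located = [c for c in store if c.session == session]
    for cred in located:
        if cred.owner != requester:
            raise PermissionError(f"{requester} does not own the credentials of {session}")
    store[:] = [c for c in store if c.session != session]
    return len(located)

def unified_logout(entry_service, requester, session):
    """Single logout: run every destruction routine stacked under the entry
    service, so the user never invokes kdestroy, keylogout, etc. by hand."""
    if entry_service not in LOGOUT_STACK:
        raise LookupError(f"no logout services configured for {entry_service}")
    return {svc: destroy_credentials(svc, requester, session)
            for svc in LOGOUT_STACK[entry_service]}
```

Because removal is keyed on the session as well as the user, ending one session leaves the user's other sessions logged in, which addresses the side effect of logout-file scripts noted above.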
With the pluggable account management interface, unified login and logout together provide substantial improvements in the ease of use of otherwise complex computer security systems. This is particularly important as computer systems are increasingly used in organizations with many novice users for whom it is not possible or efficient to provide extensive, detailed training on the underlying commands and use of the computer system's various account management services. Further, the use of the service associations in the configuration file, or other storage facility substantially increases ease of system administration and the flexibility of the computer system.
BRIEF DESCRIPTION OF THE DRAWINGS
FIG. 1 is a block diagram of a computer system including the pluggable account management interface of the present invention.
FIG. 2 is a flowchart of the operation of the pluggable account management interface in response to invocations for services via the configuration file.
FIG. 3 is a dataflow diagram illustrating the process of connecting to the computer system with a unified login.
FIG. 4 is a flowchart of the process of handling multiple authentication services for providing unified login through authentication token mapping.
FIG. 5 is a dataflow diagram illustrating the process of disconnecting from the computer system during a unified logout.
FIG. 6 is a flowchart of a process of handling multiple authentication services for unified logout with multiple credentials.
DETAILED DESCRIPTION OF THE
Referring now to FIG. 1, there is shown one embodiment of a computer system providing a pluggable account management interface with unified login and logout, and multiple authentication services. The system 100 includes a computer 101, having an addressable memory 103, a pro