Secure Global Desktop Administration Guide > Users and authentication > Security considerations of using web server authentication

Security considerations of using web server authentication

Usernames and passwords

Using web server authentication (HTTP authentication) means that the browser has to cache the user's credentials and, in effect, the user's authentication to Secure Global Desktop. To minimize the risk of cached credentials being used by someone else, users:

• must not check the save password box in their browser's authentication dialog. This permanently saves the user's credentials.
• must close their browser after logging out. This clears the user's credentials from the temporary cache. Logging out of Secure Global Desktop does not clear the HTTP authentication details.

Note We recommend you use a secure (HTTPS) web server to protect user's credentials.

Web server authentication and the browser-based webtop

The browser-based webtop uses Secure Global Desktop web services. The ITarantellaExternalAuth web service is the web service that is used to set the identity of a user who has been authenticated by an external means, such as web server authentication. For security, the client (the webtop web application) and Secure Global Desktop server (the ITarantellaExternalAuth web service) have a shared secret, which is the username and password of a trusted user. This is, in effect, another layer of web server authentication.

In a standard installation, the browser-based webtop is pre-configured with the credentials of a single trusted user. See Trusted users and third party authentication for details of how to change these credentials or to add a new trusted user.

Web server authentication and the classic webtop

For the classic webtop, once the web server has authenticated the user, it allows them access to the Secure Global Desktop program ttawlogin.cgi and passes the name of the authenticated user (the web username) to this program. The ttawlogin.cgi program:

• Checks that it is running as the user that owns the web server processes configured on the Secure Global Desktop Login properties in Array Manager. It it isn't, the web username isn't passed on to the Secure Global Desktop server.
• Uses a secret key to generate a token which contains an encrypted form of the web username and a timestamp. The client device presents this token to the Secure Global Desktop server as proof of authentication.

When the Secure Global Desktop server receives the token, it validates it by:

• using the secret key to decrypt the token and extract the web username.
• checking the timestamp on the token. If it's too old (that is it is outside the token validity period configured on the Secure Global Desktop Login properties in Array Manager), the login fails.
• checking its record of tokens to see whether it has seen the token before. If it has, the login fails.

This means the three main areas of risk when using web server authentication with the classic webtop concern:

• the token;
• the secret key; and
• the web server username.

To prevent a token from being intercepted and used while still valid, we recommend you use the Sun Secure Global Desktop Security Pack and HTTPS connections.

The secret key shared by the Secure Global Desktop server and the ttawlogin.cgi program is generated every time the Secure Global Desktop starts. The secret key is only accessible by someone with root permission on the Secure Global Desktop server. However, a new key is not generated for a warm restart (tarantella restart -warm). This behavior can be changed by running the following command:

tarantella config edit --tarantella-config-login-webauth-refreshkeyonwarmrestart 1

The web server username is the name of the user that owns the web server processes. If you are using your own web server, the default user is often nobody or apache. If you are particularly concerned about security, we recommend that you do not use these defaults.

Copyright © 1997-2005 Sun Microsystems, Inc. All rights reserved.