Developers Documentation

Directory Authentication

This document describes how user authentication is handled in the ClearOS directory.

The Problem

Authentication is tricky to manage, not for technical reasons but for social ones. On one hand, we want to encourage end users to use a different password for every login they encounter on the network. On the other hand, that is a lot of passwords to remember, and we all know that very few people follow this practice in the real world.

The Approach

The default behavior for the ClearOS directory tries to balance security with pragmatism.

A ClearOS user account is created with a primary password and a public/private key pair. These credentials can be used for:

  • All locally installed software (e.g. Content Filter, Samba)
  • All locally installed software with key support (e.g. OpenVPN, SSH)
  • All cloud-based plugins/extensions with key support

Some ClearOS plugins and extensions extend into the cloud. Though passwords are encrypted in transit during the authentication phase, that does not protect against key-logging on the user's own machine: a keylogger captures the password before it is ever encrypted. If someone's credentials are stolen while logging into an integrated cloud-based app (for example, Google Apps), we want to minimize the potential damage. This brings us to the final default behavior:

  • All cloud-based plugins/extensions with only username/password authentication must have a different password.

Password Formats

Not all passwords are created equal! In order to support the different flavors of password hashing used by the software that authenticates against the directory, the ClearOS directory stores the primary password in several hashed formats, one per LDAP attribute.

Format               LDAP Attribute                 Description
SHA                  clearSHAPassword               SHA hash
SHA1                 clearSHA1Password              SHA-1 hash
NT Password          clearMicrosoftNTPassword       Microsoft NT password hash (unsalted MD4 of the UTF-16LE password)
LanMan/LM Password   clearMicrosoftLanmanPassword   Microsoft LanMan hash (DES-based, upper-cased, at most 14 characters)

Because every attribute is a hash of the same primary password, the set is only as strong as its weakest member: the LanMan hash discards case, is split into two independently crackable 7-character halves, and the NT hash is unsalted and usable directly in pass-the-hash attacks against anything that accepts NTLM. Read access to these attributes must therefore be restricted as tightly as the password itself, and the LanMan attribute should be left empty wherever no client still needs it.
content/en_us/dev_architecture_directory_authentication.txt · Last modified: 2015/03/03 11:09 (external edit)