Forum OpenACS Q&A: Response to optionally using unix passwords for OpenACS auth

Luke's suggestion is very good. In an older ACS version, admins could not log in forever. Very annoying, but hey. With session timeouts, if they leave their desk for 10 minutes or so, they have to log back in. This is really what you want. It is as safe as you can get.

Some other points about ACS4 security. The user password is never stored in the cookie! What is stored there is a token that is used to prove to the system that you knew the password at one time. This token could still be stolen and used on another machine. There are actually two login cookies that could be sent: ad_user_login and ad_user_login_secure. The second is sent when logging in using https. Both are blank if persistent login is not allowed. The session id cookie is called ad_session_id, which is always sent to everyone on every connection to the server. This cookie is not persistent, so at most this one lives for as long as the browser is open. Setting the session timeout causes the life of this cookie to be more predictable.

If you choose to encrypt the password in the db, the encryption is really an SHA hash. A hash cannot be unencrypted. Along with the hash is stored the 'salt' used to create the hash. What the ACS code does is to combine the user supplied password with the salt and to then hash the combination. Unless the algorithm used to create the hash is identical for /etc/shadow you cannot synchronize the passwords. I doubt that they will be identical, so that isn't going to work.

The reason for using LDAP is not to create synchronization problems, but to eliminate them. LDAP would replace the database lookup of the hash. Each time a user is required to login, from Windows, or to ACS, they would provide the username and password. The application would create a query to send to the LDAP server. The response received would determine if the user had the right to access the resource. The LDAP server might have one or more records, but only one username/password. OpenLDAP can also be configured to use /etc/passwd, or /etc/shadow, but if you are going to install LDAP you might as well use it.
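The salted-hash storage and verification the post describes, as an added example that is not OpenACS's own code: the salt is stored next to the digest, a login recomputes the digest from the candidate password and the stored salt, and a second scheme with a different layout shows why two stores cannot be synchronized even for the same password. The concatenation order (password then salt) and the use of SHA-1 are assumptions for illustration, not the real ACS layout.

```python
import hashlib
import hmac
import secrets


def make_salt(nbytes: int = 16) -> str:
    """Random per-user salt, stored in the clear beside the hash."""
    return secrets.token_hex(nbytes)


def acs_style_hash(password: str, salt: str) -> str:
    """Assumed ACS-like layout: SHA-1 over password||salt (hex digest)."""
    return hashlib.sha1((password + salt).encode("utf-8")).hexdigest()


def other_system_hash(password: str, salt: str) -> str:
    """A constructed stand-in for another system's scheme (e.g. the one
    behind /etc/shadow): different digest and salt||password order.
    Same password, same salt, unrelated output."""
    return hashlib.sha512((salt + password).encode("utf-8")).hexdigest()


def store_password(password: str, hash_fn=acs_style_hash) -> dict:
    """What the database row holds: the salt and the digest, never the password."""
    salt = make_salt()
    return {"salt": salt, "hash": hash_fn(password, salt)}


def verify_password(record: dict, candidate: str, hash_fn=acs_style_hash) -> bool:
    """Login check: recompute with the stored salt and compare in constant time
    so the comparison itself does not leak how many characters matched."""
    expected = hash_fn(candidate, record["salt"])
    return hmac.compare_digest(expected, record["hash"])


if __name__ == "__main__":
    row = store_password("correct horse battery staple")
    print("same scheme, right password:", verify_password(row, "correct horse battery staple"))
    print("same scheme, wrong password:", verify_password(row, "wrong"))
    # The other system cannot validate against this row even with the same
    # salt and password, which is the synchronization problem the post raises.
    print("other scheme, right password:", verify_password(row, "correct horse battery staple", other_system_hash))
```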