Authentication and Auditing Services

Another important (although often invisible) service is authentication. Authentication services take care of assigning a specific identity to an incoming connection. When you type a username and a password, something is using these to authenticate you—to attempt to determine that you are the user that you say you are. Authentication may occur locally to a machine or may use a service across the network. Network services have the advantage of providing a centralized point of administration for multiple machines, and therefore a consistent level of trustworthiness.

A number of different services provide authentication, sometimes combined with other functions. Under Unix, the most common authentication services are NIS (which also provides various other administrative databases) and Kerberos (which does nothing but authentication). Windows NT normally uses NTLM (which is integrated with the CIFS logon service), while Windows 2000 uses Kerberos by default, falling back to NTLM only for access to older servers. For various reasons, these protocols can be difficult to use across the Internet or for authenticating people who wish to connect over telephone lines, so two protocols have been developed for just this situation, RADIUS and TACACS. Chapter 21 provides additional information.
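To make the "service across the network" idea concrete, here is an added example (not code from the book) of the RADIUS exchange in its simplest form, following RFC 2865: the network access server (the client) sends an Access-Request carrying the user's password hidden under a shared secret, and the authentication server answers with Access-Accept or Access-Reject signed by a Response Authenticator. The shared secret, the user database and the sample credentials are constructed for the example; the packet layout, attribute numbers and hiding algorithm are the ones RFC 2865 specifies.

```python
"""RADIUS (RFC 2865) Access-Request / Access-Accept, both sides of the exchange.

Added example, not code from the book. Packet layout follows RFC 2865; the
shared secret, user database and credentials below are constructed sample data.
"""
import hashlib
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3        # RFC 2865 packet codes
ATTR_USER_NAME, ATTR_USER_PASSWORD, ATTR_NAS_IP = 1, 2, 4    # RFC 2865 attribute types

SHARED_SECRET = b"s3cret-between-nas-and-server"             # constructed (assumption)
USER_DB = {b"alice": b"correct horse battery staple"}        # constructed (assumption)


def _attr(atype, value):
    """Encode one attribute: Type (1 byte), Length (1 byte, includes header), Value."""
    return struct.pack("!BB", atype, 2 + len(value)) + value


def _parse_attrs(blob):
    attrs = {}
    while blob:
        atype, alen = struct.unpack("!BB", blob[:2])
        if alen < 2 or alen > len(blob):
            raise ValueError("malformed attribute")
        attrs[atype] = blob[2:alen]
        blob = blob[alen:]
    return attrs


def hide_password(secret, req_auth, password):
    """RFC 2865 section 5.2: each 16-byte chunk is XORed with MD5(secret + previous
    ciphertext chunk); the first chunk is keyed with the Request Authenticator."""
    padded = password.ljust(max(16, -(-len(password) // 16) * 16), b"\x00")
    out, prev = b"", req_auth
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = bytes(x ^ y for x, y in zip(padded[i:i + 16], key))
        out, prev = out + chunk, chunk
    return out


def unhide_password(secret, req_auth, hidden):
    """Inverse of hide_password; the chaining value is the ciphertext chunk."""
    out, prev = b"", req_auth
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        chunk = hidden[i:i + 16]
        out, prev = out + bytes(x ^ y for x, y in zip(chunk, key)), chunk
    return out.rstrip(b"\x00")      # strip the null padding added by the sender


def build_access_request(ident, username, password, secret=SHARED_SECRET):
    """NAS side. A fresh random Request Authenticator keys the password hiding."""
    req_auth = os.urandom(16)
    attrs = (_attr(ATTR_USER_NAME, username)
             + _attr(ATTR_USER_PASSWORD, hide_password(secret, req_auth, password))
             + _attr(ATTR_NAS_IP, bytes([10, 0, 0, 1])))   # constructed NAS address
    header = struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(attrs))
    return header + req_auth + attrs, req_auth


def server_handle(packet, secret=SHARED_SECRET):
    """Server side: unhide the password, check it, and sign the verdict."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length < 20 or length != len(packet):
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = _parse_attrs(packet[20:length])
    user = attrs.get(ATTR_USER_NAME, b"")
    password = unhide_password(secret, req_auth, attrs.get(ATTR_USER_PASSWORD, b""))
    verdict = ACCESS_ACCEPT if USER_DB.get(user) == password else ACCESS_REJECT
    resp_attrs = b""
    header = struct.pack("!BBH", verdict, ident, 20 + len(resp_attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + req_auth + resp_attrs + secret).digest()
    return header + resp_auth + resp_attrs


def client_verify(response, req_auth, ident, secret=SHARED_SECRET):
    """NAS side: never trust the verdict until the Response Authenticator checks out."""
    code, resp_ident, length = struct.unpack("!BBH", response[:4])
    expected = hashlib.md5(response[:4] + req_auth + response[20:length] + secret).digest()
    if resp_ident != ident or response[4:20] != expected:
        raise ValueError("Response Authenticator mismatch: forged reply or wrong shared secret")
    return code


def run_exchange(username, password, server_secret=SHARED_SECRET, ident=7):
    """Drive one full request/response round trip and return the verified verdict."""
    request, req_auth = build_access_request(ident, username, password)
    response = server_handle(request, secret=server_secret)
    return client_verify(response, req_auth, ident)


if __name__ == "__main__":
    print(run_exchange(b"alice", b"correct horse battery staple"))   # 2 = Access-Accept
    print(run_exchange(b"alice", b"wrong password"))                 # 3 = Access-Reject
```

Two things worth noticing when you run it: a server configured with a different shared secret unhides the password into garbage (so it rejects), and its reply then fails the client's Response Authenticator check, so the NAS learns that it is not talking to the server it trusts. The hiding is an MD5-keyed XOR stream, not modern encryption, which is one reason the book treats RADIUS as something to keep on an internal or otherwise protected network rather than exposing across the Internet.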