Understanding the web server authentication process will help administrators assess the risks involved in using this method of authenticating users and help them decide what additional security measures to take.
The Tarantella program ttawlogin.cgi carries out all the web server authentication processing. When this program authenticates a user, it creates a token using a secret key. The token contains the web server username and the time the user was authenticated.
When the Tarantella server receives the token, it validates the token and accepts it as proof of authentication. Tarantella keeps a record of all validated tokens. If the validation fails for any reason, the standard Tarantella login page displays and the user has to log in to Tarantella before they can access their webtop.
This processing means there are three main areas of risk when using web server authentication:
All of these risks are considerably reduced if you use the Tarantella Security Pack and https connections.
The secret key is the most important element in web server authentication. Anybody with access to the secret key can masquerade as an authenticated user and can access Tarantella as any user. The secret key is only accessible by someone with root permissions.
It is advisable to regularly create a new secret key.
Tarantella automatically generates a new secret key every time it is started, including a restart (tarantella start or tarantella restart). However, this does not happen when a Tarantella server is warm restarted (tarantella restart -warm). This behavior can be changed (and if you are particularly concerned with security, we recommend that you do change it) by running the following command:
tarantella config edit --tarantella-config-login-webauth-refreshkeyonwarmrestart 1
The web server username is the name of the user that runs the ttawlogin.cgi program. The default is nobody. If you are particularly concerned about security, we recommend that you do not use this default username as there are many processes that use this user and any of them could run ttawlogin.cgi and have unauthenticated access to a Tarantella server.
It is more secure to have a user that is used to run the web server and nothing else.
An authentication token is only valid for a single login and has a short validity period (the default is three minutes). We recommend you use secure (https) web servers to ensure a token can't be intercepted and used by a third party while still valid.
To ensure a token cannot be re-used, Tarantella keeps a record of tokens it has validated. Every time Tarantella receives a new token, it checks to see if it has a record of the token. If it finds a match and the stored time value is equal to or newer than the value contained in the current token, the login fails.
Whenever a client loses its connection to the Tarantella server (for example because of a network failure or because the server was restarted), users will have to log in again. This is because their browser re-submits their original token, which will have expired.
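The token checks described above (secret key, validity period, replay record) can be sketched as follows. This is an added example, not Tarantella's own code: the token layout, the use of HMAC-SHA256, and keying the replay record by username are assumptions, since the page does not specify them.

```python
import hashlib
import hmac
import secrets
import time

VALIDITY_SECONDS = 180  # the page's default validity period: three minutes


def new_secret_key():
    """Fresh random key, standing in for the key generated at server start."""
    return secrets.token_bytes(32)


def make_token(key, username, now=None):
    """Web server side: bind username and authentication time to the key."""
    issued = int(time.time() if now is None else now)
    payload = f"{username}|{issued}"  # assumed layout, not Tarantella's format
    mac = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{mac}"


class TokenValidator:
    """Server side: checks the MAC, the validity period and the replay record."""

    def __init__(self, key):
        self.key = key
        self.seen = {}  # assumed record: username -> newest time accepted

    def validate(self, token, now=None):
        now = time.time() if now is None else now
        try:
            username, issued_text, mac = token.rsplit("|", 2)
            issued = int(issued_text)
        except ValueError:
            return None  # malformed token: caller shows the login page
        payload = f"{username}|{issued_text}"
        expected = hmac.new(self.key, payload.encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac.encode(), expected.encode()):
            return None  # altered, or created under a key that was replaced
        if not 0 <= now - issued <= VALIDITY_SECONDS:
            return None  # expired, or dated in the future
        if self.seen.get(username, -1) >= issued:
            return None  # stored time equal to or newer: token re-use
        self.seen[username] = issued
        return username
```

A validator built with a newly generated key rejects every token created under the old one, which is the effect of refreshing the key on restart.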