% fortune -ae paul murphy

Who's afraid of identity?

Solaris 10 contains two enormously significant new, user accessible, technologies: dTrace and ZFS. Both of these throw out years of accumulated work-arounds to deliver simple, elegant, solutions that fit right into the best Unix design tradition of doing one thing, and doing it extremely well.

Identity management needs a solution like that: something that goes back to the fundamentals, doesn't require trying to cajole a dozen different pieces of mutually antagonistic code to work in lock step, and just gets the job done.

Plan 9 has a solution like that called 'Factotum'. Here's a key explanatory bit from Security in Plan 9 by Russ Cox and others:

The centerpiece of the new architecture is an agent, called factotum, that handles the user's keys and negotiates all security interactions with system services and applications. Like a trusted assistant with a copy of the owner's keys, factotum does all the negotiation for security and authentication. Programs no longer need to be compiled with cryptographic code; instead they communicate with factotum agents that represent distinct entities in the cryptographic exchange, such as a user and server of a secure service. If a security protocol needs to be added, deleted, or modified, only factotum needs to be updated for all systems services to be kept secure.

Building on factotum, we modified secure services in the system to move user authentication code into factotum; made authentication a separable component of the file server protocol; deployed new security protocols; designed a secure file store, called secstore, to protect our keys but make them easy to get when they are needed; designed a new kernel module to support transparent use of Transport Layer Security TLS) [RFC2246]; and began using encryption for all communications within the system.

The implementation is, of course, more than a little tricky. Bell Labs, at the time operated by Lucent, released functioning versions of this but I'm not aware of other releases - although some of the ideas seem to have made their way into the MacOS keychain implementation.

Sun looked at doing it and actually had, I'm told, a working prototype implementation but appears to have rejected the idea for Solaris 10 despite the natural fit with network computing, the Java card, and the hardware level cryptology options coming with Niagara2 and subsequent CMT/SMP technologies.

(Note the name "factotum" gets used in opensolaris discussions apparently on the dmfe device driver for Solaris on x86, but on cursory review I couldn't see the relationship between that and the Plan9 ideas.)

Administratively Factotum is dead simple because there's a single point of control whose goal is to allow multiple systems to trust each other's rights management technology with respect to common users - so you don't need java servers, there are no jarring path mismatches, no data exposure, no duplicated NIS+ files, no library version mismatches, and there's no need to care about the user's OS or patch level.

That insulation from external change is probably the most important attraction from a practical perspective, because it is possible to set up a java blessed (Oui) ) enterprise identity management "solution" - it just doesn't meet the standard test for decent software: i.e. that it will continue to work when left alone. With Factotum you can do that, superficially because it's independent of client change, but ultimately because it's another win for basic Unix design ideas - a simple and elegant implementation that invites and supports generality in its application.


Paul Murphy wrote and published The Unix Guide to Defenestration. Murphy is a 25-year veteran of the I.T. consulting industry, specializing in Unix and Unix-related management issues.