DACS DACS - The Distributed Access Control System


DACS: The Distributed Access Control System

DACS is a light-weight single sign-on and rule-based access control system for web servers and server-based software. DACS makes secure resource sharing and remote access via the web easier, safer, and more efficient. DACS is particularly well suited to providing single sign-on across organizational or departmental web servers, and to limiting access to their web-based resources.

DACS is also an authentication and cryptographic toolkit, providing standard and state-of-the-art functionality.

Released under an open source license, DACS gives you:

Get Information: Overview; What is DACS?; About DACS; Features; Versions; FAQ; Documentation
Get DACS: Download DACS
Get Started: Tutorial; Tips and Examples
Get Help: Technical Support

DACS = Authentication + Authorization

DACS works with virtually any authentication method and unifies an assortment of accounts into a single identity. You can leverage the user accounts and authentication methods that you already use, or introduce new ones easily. Out of the box, DACS lets users authenticate using: DACS username/password, X.509 client certificate, self-issued or managed Information Card, one-time password, Unix account, Apache password files, Windows NTLM, ADS/LDAP, CAS, HTTP, PAM, Basic or Digest Auth, special URLs, two-factor authentication, expressions, and more.

Our highest priority is for DACS to remain a secure, stable, and well-documented system.

Light-weight single sign-on

Once a user has signed on through DACS, he will be recognized throughout a federation of web servers.

While it shares many of the advantages of other single sign-on systems, DACS offers some unique features and is more efficient, and simpler to understand, customize, and administer compared to the heavy-weight, enterprise-level alternatives. If your single sign-on needs are modest, or if you are not even certain what they are, you should look at DACS. DACS does the hardest parts for you - all that you need to do is configuration and "look & feel" customizations.

Latest News

DSS is pleased to announce the availability of DACS 1.4.50. General download information, links to the latest tarfiles, and details about the latest release are available. It is important to review the Post-Release Notes before building DACS. All sites are encouraged to upgrade to the latest release of DACS and third-party software dependencies.

Apache News

DACS officially requires Apache 2.4.57, with APR 1.7.4 and APR-util 1.6.3. Apache 2.4.58 recently became available and contains important security fixes. While it has not yet been fully tested with the latest DACS, they do appear to work correctly.

Sites using Apache Struts and other services that use the Apache Log4j Java logging library may be vulnerable to serious exploits (CVE-2021-44228) and should take immediate action. Sites using the Apache Tomcat and the Apache JServ Protocol should be aware of the "Ghostcat" vulnerability described in CVE-2020-1938 and the NIST National Vulnerability Database (NVD).

The Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release, 2.2.34, was published in July 2017. No further evaluation of security risks will be published for 2.2.x releases. Because of this, DACS 1.4.40 is the final release to officially support and be tested with the Apache 2.2 series.

OpenSSL News

The latest release of DACS has been built and tested with OpenSSL 1.1.1u. All users should upgrade to OpenSSL 1.1.1u as soon as possible.

OpenSSL 1.1.1v and OpenSSL 1.1.1w have recently become available. DACS should work with them, but only limited testing has been conducted so far.

OpenSSL 1.1.1 has reached EOL and so will (typically) only be updated with backported security fixes. DACS is currently being modified to work with both the 1.1.1 and 3.1 branches of OpenSSL.

DACS 1.4.50 is the first release to incorporate support for the OpenSSL 3.1 branch. Because OpenSSL 3.1 code and documentation are relatively new, as is the DACS support, sites are strongly encouraged to continue with the OpenSSL 1.1.1 branch for production use. Note: OpenSSL 3.0.0 through 3.0.6 have security-critical issues that are addressed by OpenSSL 3.0.7 and subsequent versions. Note that unlike earlier versions, OpenSSL 3.0 uses the Apache License v2. In January 2020, a revised OpenSSL release strategy was published.

OpenSSL 1.1.1r was released and quickly withdrawn. OpenSSL versions 1.1.1k and below are affected by two security advisories (CVE-2021-3711 and CVE-2021-3712).

A low severity security advisory (CVE-2020-1968, "Raccoon Attack"), announced 9-Sep-2020, applies to some versions/configurations of OpenSSL 1.0.2. DACS now uses OpenSSL 1.1.1, which is not vulnerable to this issue, but there may be older DACS deployments that still use OpenSSL 1.0.2. High severity Security Advisory CVE-2020-1967 ("Segmentation fault in SSL_check_chain") was announced on 21-Apr-2020. This issue, which applies to OpenSSL 1.1.1[def], may cause an application to crash, which could be leveraged into a denial of service attack. To resolve the issue, upgrade to 1.1.1g.

DACS 1.4.42 transitioned from OpenSSL 1.0.2 to the OpenSSL 1.1.1 series, which is the latest stable version of OpenSSL and is supported until 11-Sep-2023. OpenSSL 1.0.2 and 1.1.0 are currently receiving security fixes only and will be discontinued 11-Sep-2019 and 31-Dec-2019, respectively; their users have been encouraged to upgrade to the 1.1.1 branch as soon as possible. Support for OpenSSL 0.9.8, 1.0.0, and 1.0.1 have been officially discontinued and those versions should not be used.

System admins should be aware of all OpenSSL Security Advisories.

Other Security News

Reminder: various attack vectors against Active Directory are known, most recently CVE-2020-1472. See: "Hackers are using a severe Windows bug to backdoor unpatched servers".

Reminder: the SHA1 hash function has been shown to be insecure. Use a stronger cryptographic hash function.

Note that all communication involving DACS-protected resources must be conducted over SSL/TLS connections, including those that send or return HTTP cookies.

In early 2011, Microsoft announced that it would not support CardSpace (aka, Infocards and Information Cards) starting with Windows 8. CardSpace has been the most widely available identity selector for using Information Cards. The implementation of Infocards support within DACS remains in the code base and is documented, but is no longer being actively tested and maintained (neither are the demos). Support for Information Cards within DACS will likely be removed eventually. You may find that other Infocard and CardSpace related projects have been terminated and their web pages are out of date or deleted. See: On the Demise of CardSpace // Open Cardspace opportunity // Personal Reflections on the CardSpace Journey // From CardSpace to Verified Claims // Change will come: the present is untenable // The Clay Feet of Giants? // RIP, Windows CardSpace. Hello, U-Prove // U-Prove.

Other News

A draft of a paper that describes some recent work, Time-Gated Mutual Authentication: System Architecture is occasionally revised.

Site Search

You can use Google to search this site, including the FAQ and technical documentation.

Google
This page last modified 19-Jan-2024 10:34 PST
© Copyright 2001-2024 DSS Distributed Systems Software Inc. All rights reserved.
British Columbia, Canada
dacs@dss.ca