

DACS: The Distributed Access Control System

DACS is a light-weight single sign-on and rule-based access control system for web servers and server-based software. DACS makes secure resource sharing and remote access via the web easier, safer, and more efficient. DACS is particularly well suited to providing single sign-on across organizational or departmental web servers, and to limiting access to their web-based resources.

DACS is also an authentication and cryptographic toolkit, providing standard and state-of-the-art functionality.

DACS is released under an open source license.

DACS = Authentication + Authorization

DACS works with virtually any authentication method and unifies an assortment of accounts into a single identity. You can leverage the user accounts and authentication methods that you already use, or introduce new ones easily. Out of the box, DACS lets users authenticate using: DACS username/password, X.509 client certificate, self-issued or managed Information Card, one-time password, Unix account, Apache password files, Windows NTLM, ADS/LDAP, CAS, HTTP, PAM, Basic or Digest Auth, special URLs, two-factor authentication, expressions, and more.

Our highest priority is for DACS to remain a secure, stable, and well-documented system.

Light-weight single sign-on

Once a user has signed on through DACS, he will be recognized throughout a federation of web servers.

While it shares many of the advantages of other single sign-on systems, DACS offers some unique features and is more efficient and simpler to understand, customize, and administer than the heavy-weight, enterprise-level alternatives. If your single sign-on needs are modest, or if you are not even certain what they are, you should look at DACS. DACS does the hardest parts for you; all that you need to do is configuration and "look & feel" customization.

Latest News

DSS is pleased to announce the release of DACS 1.4.37. General download information, links to the latest tarfiles, and details about the latest release are provided. It is important to review the Post-Release Notes before building DACS. All sites are encouraged to upgrade.

The latest release of OpenSSL (1.1.0) reorganizes code and changes APIs, which prevents a successful DACS 1.4.37 build:

OpenSSL 1.1.0 hides a number of structures that were previously open. This includes all internal libssl structures and a number of EVP types. Accessor functions have been added to allow controlled access to the structures' data.

This means that some software needs to be rewritten to adapt to the new ways of doing things. This often amounts to allocating an instance of a structure explicitly where you could previously allocate them on the stack as automatic variables, and using the provided accessor functions where you would previously access a structure's field directly.

Some APIs have changed as well. However, older APIs have been preserved when possible.

We have been unable to build OpenLDAP 2.4.44 with OpenSSL 1.1.0. DACS 1.4.38 will be available as soon as these build issues have been resolved.

On 22-Sep-2016 OpenSSL 1.0.2i and 1.1.0a were released to address several security defects. This was quickly followed by the release of OpenSSL 1.0.2j and 1.1.0b to correct issues with the previous security update.

Attacks have recently been announced that can expose identity or authorization components carried in URLs, even when HTTPS is used. DACS does not ordinarily convey credentials in a URL. A new attack, SWEET32, has been reported against the 64-bit block ciphers 3DES and Blowfish when they are used by HTTPS.

OpenSSL 1.0.1t and 1.0.2h address important security defects. OpenSSL versions 1.0.1s and 1.0.2g also address important security defects, notably the DROWN vulnerability. DACS sites should read the security advisory carefully. In January 2016, OpenSSL 1.0.2f was released to address other important defects [advisories, additional info]. Support for the OpenSSL 1.0.0 and 0.9.8 releases ended on 31-Dec-2015 and no security updates for those releases will be provided. The latest stable version is the 1.0.2 series of releases, with support provided until 31-Dec-2019. The 1.0.1 version is currently only receiving security bug fixes, and all support for it will be discontinued on 31-Dec-2016.

Serious vulnerabilities associated with extensions to commonly-used browsers have been announced: Chrome Extension Caught Hijacking Users' Browsers, NoScript and other popular Firefox add-ons open millions to new attack.

A significant security flaw in the GNU C library's (Glibc) getaddrinfo() function has been identified [link1, link2]. The bug is unlikely to be leveraged within DACS but may affect Linux servers and web frameworks.

A draft of a paper that describes some recent work, Time-Gated Mutual Authentication: System Architecture, is now available.


Since DACS and other web-based systems may use HTTP cookies for a variety of purposes, administrators should review CERT Vulnerability Note VU#804060 (24-Sep-2015). When deployed as recommended, all communication involving DACS-protected resources must be conducted over SSL/TLS connections, including those that send or return HTTP cookies.

Several alerts regarding OpenSSL were published last year: 19-Mar-2015, 11-Jun-2015, 9-Jul-2015. Also see SSL Server Test and SSL Cipher Suite Details of Your Browser.


In early 2011, Microsoft announced that it would not support CardSpace (also known as Infocards or Information Cards) starting with Windows 8. CardSpace has been the most widely available identity selector for using Information Cards. The implementation of Infocards support within DACS remains in the code base and is documented, but it is no longer being actively tested and maintained (neither are the demos). Support for Information Cards within DACS will likely be removed eventually. You may find that other Infocard and CardSpace related projects have been terminated and that their web pages are out of date or no longer available. See: On the Demise of CardSpace // Open Cardspace opportunity // Personal Reflections on the CardSpace Journey // From CardSpace to Verified Claims // Change will come: the present is untenable // The Clay Feet of Giants? // RIP, Windows CardSpace. Hello, U-Prove // U-Prove.

This page last modified 26-Sep-2016 09:21 PDT
© Copyright 2001-2016 DSS Distributed Systems Software Inc. All rights reserved.
Victoria, British Columbia, Canada
dacs@dss.ca