DACS is a light-weight single sign-on and rule-based access control system for web servers and server-based software. DACS makes secure resource sharing and remote access via the web easier, safer, and more efficient. DACS is particularly well suited to providing single sign-on across organizational or departmental web servers, and to limiting access to their web-based resources.
DACS is also an authentication and cryptographic toolkit, providing standard and state-of-the-art functionality.
DACS has continuously evolved since development began in May, 2001 and its first public release in February, 2005. It is designed and implemented by Distributed Systems Software Inc., a small software development house that creates leading-edge, professional quality open source software.
Released under an open source license, DACS gives you:
Get Information: | Overview; What is DACS?; About DACS; Features; Versions; FAQ; Documentation |
Get DACS: | Download DACS |
Get Started: | Tutorial; Tips and Examples |
Get Help: | Technical Support |
DACS works with virtually any authentication method and unifies an assortment of accounts into a single identity. You can leverage the user accounts and authentication methods that you already use, or introduce new ones easily. Out of the box, DACS lets users authenticate using: DACS username/password, X.509 client certificate, self-issued or managed Information Card, one-time password, Unix account, Apache password files, Windows NTLM, ADS/LDAP, CAS, HTTP, PAM, Basic or Digest Auth, special URLs, two-factor authentication, expressions, and more.
Our highest priority is for DACS to remain a secure, stable, and well-documented system.
Once a user has signed on through DACS, he will be recognized throughout a federation of web servers.
While it shares many of the advantages of other single sign-on systems, DACS offers some unique features and is more efficient, and simpler to understand, customize, and administer compared to the heavy-weight, enterprise-level alternatives. If your single sign-on needs are modest, or if you are not even certain what they are, you should look at DACS. DACS does the hardest parts for you - all that you need to do is configuration and "look & feel" customizations.
DSS is pleased to announce the availability of DACS 1.4.52. General download information, links to the latest tarfiles, and details about the latest release are available. It is important to review the Post-Release Notes before building DACS. All sites are encouraged to upgrade to the latest release of DACS and third-party software dependencies.
DACS officially requires Apache 2.4.62, with APR 1.7.5 and APR-util 1.6.3.
The Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release, 2.2.34, was published in July 2017. No further evaluation of security risks will be published for 2.2.x releases. Because of this, DACS 1.4.40 is the final release to officially support and be tested with the Apache 2.2 series.
The latest release of DACS has been built and tested with OpenSSL 3.2.3. All users should upgrade as soon as possible.
OpenSSL 1.1.1 has reached EOL and so will (typically) only be updated with backported security fixes. The OpenSSL Project has declared that the 1.1.1 branch is "out of support and should not be used" and that users of these older versions "are encouraged to upgrade to 3.2 or 3.0 as soon as possible". If you must use OpenSSL 1.1.1, DACS may continue to work with 1.1.1w and newer.
Note: OpenSSL 3.0.0 through 3.0.6 have security-critical issues that are addressed by OpenSSL 3.0.7 and subsequent versions. Note that unlike earlier versions, OpenSSL 3.0 uses the Apache License v2. In January 2020, a revised OpenSSL release strategy was published.
System admins should be aware of all OpenSSL Security Advisories.
Reminder: various attack vectors against Active Directory are known, most recently CVE-2020-1472. See: "Hackers are using a severe Windows bug to backdoor unpatched servers".
Reminder: the SHA1 hash function has been shown to be insecure. Use a stronger cryptographic hash function.
Note that all communication involving DACS-protected resources must be conducted over SSL/TLS connections, including those that send or return HTTP cookies.
Sites using Apache Struts and other services that use the Apache Log4j Java logging library may be vulnerable to serious exploits (CVE-2021-44228) and should take immediate action. Sites using the Apache Tomcat and the Apache JServ Protocol should be aware of the "Ghostcat" vulnerability described in CVE-2020-1938 and the NIST National Vulnerability Database (NVD).
In early 2011, Microsoft announced that it would not support CardSpace (aka, Infocards and Information Cards) starting with Windows 8. CardSpace has been the most widely available identity selector for using Information Cards. The implementation of Infocards support within DACS remains in the code base and is documented, but is no longer being actively tested and maintained (neither are the demos). Support for Information Cards within DACS will likely be removed eventually. You may find that other Infocard and CardSpace related projects have been terminated and their web pages are out of date or deleted. See: On the Demise of CardSpace // Open Cardspace opportunity // Personal Reflections on the CardSpace Journey // From CardSpace to Verified Claims // Change will come: the present is untenable // The Clay Feet of Giants? // RIP, Windows CardSpace. Hello, U-Prove // U-Prove.
A draft of a paper that describes some recent work, Time-Gated Mutual Authentication: System Architecture is occasionally revised.
You can use Google to search this site, including the FAQ and technical documentation.