DACS is a light-weight single sign-on and rule-based access control system for web servers and server-based software. DACS makes secure resource sharing and remote access via the web easier, safer, and more efficient. DACS is particularly well suited to providing single sign-on across organizational or departmental web servers, and to limiting access to their web-based resources.
DACS is also an authentication and cryptographic toolkit, providing standard and state-of-the-art functionality.
Released under an open source license, DACS gives you:
|Get Information:||Overview; What is DACS?; About DACS; Features; Versions; FAQ; Documentation|
|Get DACS:||Download DACS|
|Get Started:||Tutorial; Tips and Examples|
|Get Help:||Technical Support|
DACS works with virtually any authentication method and unifies an assortment of accounts into a single identity. You can leverage the user accounts and authentication methods that you already use, or introduce new ones easily. Out of the box, DACS lets users authenticate using: DACS username/password, X.509 client certificate, self-issued or managed Information Card, one-time password, Unix account, Apache password files, Windows NTLM, ADS/LDAP, CAS, HTTP, PAM, Basic or Digest Auth, special URLs, two-factor authentication, expressions, and more.
Our highest priority is for DACS to remain a secure, stable, and well-documented system.
Once a user has signed on through DACS, he will be recognized throughout a federation of web servers.
While it shares many of the advantages of other single sign-on systems, DACS offers some unique features and is more efficient, and simpler to understand, customize, and administer compared to the heavy-weight, enterprise-level alternatives. If your single sign-on needs are modest, or if you are not even certain what they are, you should look at DACS. DACS does the hardest parts for you - all that you need to do is configuration and "look & feel" customizations.
DSS is pleased to announce the availability of DACS 1.4.49. General download information, links to the latest tarfiles, and details about the latest release are available. It is important to review the Post-Release Notes before building DACS. All sites are encouraged to upgrade to the latest release of DACS and third-party software dependencies.
DACS officially requires Apache 2.4.55, with APR 1.7.0 and APR-util 1.6.1.
After the release of DACS 1.4.49, Apache 2.4.57 (with apr-1.7.3 and apr-util-1.6.3) became available. Initial testing with DACS 1.4.49 and OpenSSL 1.1.1t has been successful. Testing with OpenSSL 1.1.1u and APR 1.7.4, which were recently released, is underway.
Sites using Apache Struts and other services that use the Apache Log4j Java logging library may be vulnerable to serious exploits (CVE-2021-44228) and should take immediate action.
Sites using the Apache Tomcat and the Apache JServ Protocol should be aware of the "Ghostcat" vulnerability described in CVE-2020-1938 and the NIST National Vulnerability Database (NVD).
The Apache HTTP Server Project has discontinued all development and patch review of the 2.2.x series of releases. The final release, 2.2.34, was published in July 2017. No further evaluation of security risks will be published for 2.2.x releases. Because of this, DACS 1.4.40 is the final release to officially support and be tested with the Apache 2.2 series.
The latest release of DACS has been built and tested with OpenSSL 1.1.1t. All users should upgrade to OpenSSL 1.1.1t as soon as possible.
OpenSSL 1.1.1r was released and quickly withdrawn. OpenSSL versions 1.1.1k and below are affected by two security advisories (CVE-2021-3711 and CVE-2021-3712).
DACS does not support OpenSSL 3.0, the newest branch, because of significant API changes in OpenSSL 3.0, but work is in progress. Note: OpenSSL 3.0.0 through 3.0.6 have security-critical issues that are addressed by OpenSSL 3.0.7 and subsequent versions. Once OpenSSL 3.0 is sufficiently stable and all third-party packages adopt it, we plan to support it. Note that unlike earlier versions, OpenSSL 3.0 uses the Apache License v2. In January 2020, a revised OpenSSL release strategy was published.
A low severity security advisory (CVE-2020-1968, "Raccoon Attack"), announced 9-Sep-2020, applies to some versions/configurations of OpenSSL 1.0.2. DACS now uses OpenSSL 1.1.1, which is not vulnerable to this issue, but there may be older DACS deployments that still use OpenSSL 1.0.2. High severity Security Advisory CVE-2020-1967 ("Segmentation fault in SSL_check_chain") was announced on 21-Apr-2020. This issue, which applies to OpenSSL 1.1.1[def], may cause an application to crash, which could be leveraged into a denial of service attack. To resolve the issue, upgrade to 1.1.1g.
DACS 1.4.42 transitioned from OpenSSL 1.0.2 to the OpenSSL 1.1.1 series, which is the latest stable version of OpenSSL and is supported until 11-Sep-2023. OpenSSL 1.0.2 and 1.1.0 are currently receiving security fixes only and will be discontinued 11-Sep-2019 and 31-Dec-2019, respectively; their users have been encouraged to upgrade to the 1.1.1 branch as soon as possible. Support for OpenSSL 0.9.8, 1.0.0, and 1.0.1 have been officially discontinued and those versions should not be used.
System admins should be aware of the following OpenSSL Security Advisories that are not directly related to DACS but may affect its platforms: CVE-2019-1551, CVE-2017-3737, CVE-2017-3736, CVE-2017-9798, and CVE-2017-1000364 (and related security vulnerabilities).
Reminder: various attack vectors against Active Directory are known, most recently CVE-2020-1472. See: "Hackers are using a severe Windows bug to backdoor unpatched servers".
Reminder: the SHA1 hash function has been shown to be insecure. Use a stronger cryptographic hash function.
CVE-2017-7494, a Samba security vulnerability, should not affect DACS. DACS can use Samba for optional authentication functionality but never in a server capacity. On 7-Dec-2017, users of OpenSSL 1.0.2 were advised to upgrade to 1.0.2n. OpenSSL versions 1.0.2m, 1.0.2k, and 1.1.0d address earlier security defects (CVE-2017-373[0-6]).
Since DACS and other web-based systems may use HTTP cookies for a variety of purposes, administrators should review CERT Vulnerability Note VU#804060 (24-Sep-2015). When deployed as recommended, all communication involving DACS-protected resources must be conducted over SSL/TLS connections, including those that send or return HTTP cookies.
In early 2011, Microsoft announced that it would not support CardSpace (aka, Infocards and Information Cards) starting with Windows 8. CardSpace has been the most widely available identity selector for using Information Cards. The implementation of Infocards support within DACS remains in the code base and is documented, but is no longer being actively tested and maintained (neither are the demos). Support for Information Cards within DACS will likely be removed eventually. You may find that other Infocard and CardSpace related projects have been terminated and their web pages are out of date or deleted. See: On the Demise of CardSpace // Open Cardspace opportunity // Personal Reflections on the CardSpace Journey // From CardSpace to Verified Claims // Change will come: the present is untenable // The Clay Feet of Giants? // RIP, Windows CardSpace. Hello, U-Prove // U-Prove.
A draft of a paper that describes some recent work, Time-Gated Mutual Authentication: System Architecture is occasionally revised.
You can use Google to search this site, including the FAQ and technical documentation.