Authenticate Your Windows Clients Against... Anything

← Back to Stories (view on slashdot.org)

Authenticate Your Windows Clients Against... Anything

Posted by timothy on Sunday April 14, 2002 @01:21AM from the except-the-hair-on-their-chinny-chin-chin dept.

Nathan Yocom writes: "pGina is a GPL'd extension for the authentication portion of Windows 2000/XP. Why replace that portion of the OS? Because we don't like being forced to have a Windows server around just for user authentication. So pGina uses plugins to achieve modularity. This allows for user authentication via ANY number of means, both existing and future. For instance, there is already some work being done on an LDAP plugin, a SMB plugin, an SSH plugin and others (SQL, Kerberos, etc). For those who aren't developers it is easy to install, and for those who are developers, a simple yet powerful plugin SDK makes it easy to develop plugins. (Technically pGina should work in NT 4 as well, but we have NOT tested it)"

37 comments

Min score:

Reason:

Sort:

This would be a useful thing . . . by Anonynnous+Coward · 2002-04-14 01:33 · Score: 1

. . . if you had control of some desktops in your organization, and would like to, say, replace the domain authentication for access to local files with a little something of your own, in case you, uh, needed access to those files later, like, say, uh, after you were terminated?
1. Re:This would be a useful thing . . . by gd23ka · 2002-04-15 20:00 · Score: 1
  
  Access to local files after termination can be gained through using a ntfs filesystem driver such as is found in Linux.
  
  Many Windows shops restrict users from admin rights on their NT boxes. Your own MSGINA DLL is useful to log you on as a *Localhost\Administrator on your machine during the time period _prior_ to your termination.
Even if replacing OS components doesn't . . . by Anonynnous+Coward · 2002-04-14 01:41 · Score: 3, Interesting

. . . violate the EULA, Microsoft is free to modify the software on a running Windows installation. I'm sure that changes to the authentication code would be something Microsoft could easily "fix" with Windows Update, or some other more sneaky, nefarious means (now that they legally can) of "updating" the code on your box.
If I wanted to choose your authentication mechanism, I'd stick with OSS with no back-doors for "maintenance" or "updates."
1. Re:Even if replacing OS components doesn't . . . by maxume · 2002-04-14 03:31 · Score: 2, Interesting
  
  Did you see the quote from MSDN where it talks about microsoft actually providing some of the functionality needed to get this done?
  
  here it is, taken from the info page in the story link:
  
  "... is a replaceable DLL component that is loaded by the Winlogon executable. The GINA implements the authentication policy of the interactive logon model and is expected to perform all identification and authentication user interactions." (MSDN)
  
  So microsoft says it is replacable, probably because they think that it is something that people might want to replace...
  
  The above comment really isn't that interesting, is it?
  
  --
  Nerd rage is the funniest rage.
2. Re:Even if replacing OS components doesn't . . . by Anonymous Coward · 2002-04-14 04:42 · Score: 0
  
  Riiiiight. So, you have read the MSDN and found out how GINAs really work, have you? GINAs are for EXACTLY this purpose - allowing end users to implement their own authentication modules. I know /. is a anti-MS forum, and in many, many cases is justified in being such, but you really lose credibility when you spread FUD.
3. Re:Even if replacing OS components doesn't . . . by Anonymous Coward · 2002-04-14 06:07 · Score: 0
  
  I'm trollfood, but shipping a gina replacement is not that uncommon in the NT world. Lotus Notes does it, Novell client does it, the AS/400 client does it. It's like PAM on unix.
4. Re:Even if replacing OS components doesn't . . . by Anonymous Coward · 2002-04-14 06:24 · Score: 2, Informative
  
  You mean like this? Microsoft overview on GINAs.
  
  There are _many_ companies that have written their own GINAs to provide alternate authentication methods, such as biometric, voice, and hardware tokens.
  
  A quick search only turned up a couple thousand entries.
  
  The only thing even remotely interesting about pGINA is that it allows multiple authentication paths via its plugin architecture, and even that is nothing to get overly excited about since the GINA itself is a plugin to winlogon.exe. I'd be more impressed if it worked with Win9x since I have yet to find a documented means of replacing the logon mechanisms for those operating systems.
  
  It should be noted that there are _very large_ companies that are using hardware tokens and they would be _very_ pissed if Microsoft decided to replace their custom GINAs out of the blue.
5. Re:Even if replacing OS components doesn't . . . by Anonymous Coward · 2002-04-14 07:51 · Score: 0
  
  Took you awhile to go find that, but thank you. I stand corrected. And I'll be paying you back for that Overrated when I get points.
  ~~~
6. Re:Even if replacing OS components doesn't . . . by Anonymous Coward · 2002-04-14 09:12 · Score: 0
  
  It only took me about 3 minutes, if that. You see, I'm not the anonymous coward from above. I just felt that your assertions of the GINA being obscure and without supporting links needed refuting.
  
  In your defense, I noticed that the sample code from Microsoft here and here are no longer available due to the release of .NET. So rather than replace custom GINAs it looks as though they may be preparing to obselete them, either something obscure and undocumented or with Passport (which may or may not well documented). This is just a wild guess though.
Re:Hi by Anonymous Coward · 2002-04-14 01:54 · Score: 0

So, Troll, how is it you were able to reattach your shotgun-shelled face after your wife killed you? It seems you're still suffering from brain death. BTW, you sucked on Newsradio.
You idiot! by Anonymous Coward · 2002-04-14 01:56 · Score: 0

Troll McClure wasn't on NewsRadio! That was David Spade.
Buh-bye
Weight authentication by Anonymous Coward · 2002-04-14 01:58 · Score: 1, Funny

You must weigh at least 300 lbs to operate this machine please consume more food to obtain root at 450 lbs!!!!
1. Re:Weight authentication by Anonymous Coward · 2002-04-14 02:27 · Score: 0
  
  It's probably RMS, the obese goat fucker.
2. Re:Weight authentication by Anthanos · 2002-04-14 03:32 · Score: 1
  
  Thats the great part of pGina ;-) If you can write code that would interface with a scale (say via the USB port) you could do this!
  
  --
  pGina, http://www.xpasystems.com - Making the big boys play nice.
NO, J00R THE IDIOT by Anonymous Coward · 2002-04-14 02:11 · Score: 0

Check your facts before you post, fucktard. Phil Hartman, (the voice of Troy McClure), was also on NewsRadio. Here's the Google cache of NBC's website.

Seeing as how you mentioned the homo, David Spade, I suspect you're some dirty, gay GNU/Linux hippie. Get off your 486 boxen and get tested for AIDS.
Very cool by Webmonger · 2002-04-14 03:02 · Score: 3, Interesting

This looks like very useful software, if it works as advertised. Where I work, we have an entire Win2k server whose only purpose is providing authentication. For us, this could be the missing link.

It seems like an alternative to the Samba TNG project. Where SMBTNG is working to create Open Source Domain Controllers that run under Unix, pGina makes Domain Controllers irrelevent by allowing Win2k to use Open Source *nix authentication methods.

I have to think though, that pGina is probably far simpler to implement than Samba TNG.
1. Re:Very cool by Anthanos · 2002-04-14 03:50 · Score: 1
  
  Exactly right. It has been the missing link for us as well (the CSCE Dept itself, http://www.cs.plu.edu) as we now use it for LDAP authentication. Hope you find it useful, drop me a note if you have any questions!
  
  --
  pGina, http://www.xpasystems.com - Making the big boys play nice.
2. Re:Very cool by dregs · 2002-04-15 01:07 · Score: 1
  
  Its all relative.
  
  I've done a heap of work on nisgina 2000
  (see nisgina.deakin.edu.au)
  
  we use it in our teaching labs (approx 1000 machines)
  and it works fine.
  
  I wouldn't put in onstaff machines though its fairly invasive in the way it works.
  
  Domain controllers are simpler to use, you just need to sync the passwords from your unix hosts, which we have now done.
3. Re:Very cool by Anonymous Coward · 2002-04-15 04:39 · Score: 0
  
  And you have to pay for the domain OS, and the beefy hardware, and of course write synch scripts - or use ad... all a bunch of things some people can't afford, or flat out don't want to do. pGina is obviously about choices, not "what is the right way", cuz with pGina it looks like the right way is whatever way you want! there is no reason people should be expected to have 1 server OS, just because they use the same company's client OS... kudos to the pGina folk
Worst....name....ever! by Otter · 2002-04-14 03:32 · Score: 4, Funny

This is a great project but pGina is an absolutely godawful name. It sounds like the developers were watching the "Mulva" episode of Seinfeld when they came up with the name.
I'm surprised they're from an English-speaking country.

--
What I'm listening to now on Pandora...
1. Re:Worst....name....ever! by Anthanos · 2002-04-14 03:35 · Score: 1
  
  Suggest an alternative?
  
  pGINA = Pluggable Graphical Identification and Authentication
  
  --
  pGina, http://www.xpasystems.com - Making the big boys play nice.
2. Re:Worst....name....ever! by Samus · 2002-04-14 04:44 · Score: 4, Funny
  
  vGINA = Virtual Graphical Identification and Authentication
  
  --
  In Republican America phones tap you.
3. Re:Worst....name....ever! by jo42 · 2002-04-15 08:43 · Score: 1
  
  Certifier of User Network Trust
4. Re:Worst....name....ever! by sharkey · 2002-04-15 10:07 · Score: 2
  
  vGINA = Virtual Graphical Identification and Authentication
  
  Then, you could add the Security Authorized Naming Daemon as a module, resulting in having SAND in your vGINA.
  
  --
  
  --
  "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
Cool tool, but not new by dhopton · 2002-04-14 04:44 · Score: 3, Informative

Windows NT has been able to authenticate a number of servers since day one. Novell is just one of those that it can. How does it do this? Using this interface - as somone else pointed, the replaceable authentication dll etc is documented and is on MSDN.

pGina is cool thanks to it's plugin interface - it seems to make things a lot easyer.

BTW, there is already a virus that gets in, and replaces your MS gina with it's own, so it looks and works like normal but collects passwords.
1. Re:Cool tool, but not new by Anthanos · 2002-04-14 05:23 · Score: 1
  
  not new - just modular. There are replacement GINA's that do different methods of authentication - but they are hardcoded - the plugin architecture of pGina allows for these and other past + new protocols.
  
  --
  pGina, http://www.xpasystems.com - Making the big boys play nice.
Bad, but probably not the worst. by Futurepower(R) · 2002-04-14 06:30 · Score: 1, Interesting

He's right. Why do open source authors pick self-defeating names?

Probably because it takes a lot of effort to think of a really good name.

My recent favorite poorly chosen name is Killustrator. The name created an international incident, and the author was forced to change it.

So, what would be a good name? You could call it Open GINA, but GINA sounds like a woman's name. Gnu GINA? WhoAreYou? OurGINA? FreeGINA? No, people would joke that it was prostitution. Tacoma ID? OpenID?

A good name would make prospective users think of the purpose, rather than of an obscure acronym. So maybe OpenID is good.