Slashdot Mirror


Authenticate Your Windows Clients Against... Anything

Nathan Yocom writes: "pGina is a GPL'd extension for the authentication portion of Windows 2000/XP. Why replace that portion of the OS? Because we don't like being forced to have a Windows server around just for user authentication. So pGina uses plugins to achieve modularity. This allows for user authentication via ANY number of means, both existing and future. For instance, there is already some work being done on an LDAP plugin, a SMB plugin, an SSH plugin and others (SQL, Kerberos, etc). For those who aren't developers it is easy to install, and for those who are developers, a simple yet powerful plugin SDK makes it easy to develop plugins. (Technically pGina should work in NT 4 as well, but we have NOT tested it)"

37 comments

  1. Hi by Troll+McClure · · Score: -1

    I'm Troll McClure
    You may remember me from such first posts as Fist Ps0t and Not just a first poster, but an intelligent comment!

    First post!

    This first post is now the property of the Fox Network.

    --
    This Message and all replies are the Property of the Fox network. © 2002
    1. Re:Hi by Anonymous Coward · · Score: -1, Offtopic

      yeah, I remember you. I think you're a bloody cunt.

      you think you're funny, you schmuck? think again.

    2. Re:Hi by Troll+McClure · · Score: -1

      The Fox lawyers would like to compliment Mr Anonymous Coward on his attempt at humour and would like to inform him that Mr McClure is in the process of filing against him for defamation. Yours, the Fox Lawyers (on behalf of Mr McClure)

      --
      This Message and all replies are the Property of the Fox network. © 2002
    3. Re:Hi by Anonymous Coward · · Score: 0

      So, Troll, how is it you were able to reattach your shotgun-shelled face after your wife killed you? It seems you're still suffering from brain death. BTW, you sucked on Newsradio.

    4. Re:Hi by Anonymous Coward · · Score: -1

      I wasn't trying to be funny. Putz.

    5. Re:Hi by Troll+McClure · · Score: -1

      Hi, I didn't suck, you were tuned into the wrong station!
      I rose from the dead as a changed man, I had become a troll

      (you might remember me from such films as "zombies from the dead" and the "boogie woogie vampires")

      --
      This Message and all replies are the Property of the Fox network. © 2002
  2. Give me head! by Anonymous Coward · · Score: -1, Offtopic

    Blow my wee-wee. Right now, Dammit!

  3. This would be a useful thing . . . by Anonynnous+Coward · · Score: 1

    . . . if you had control of some desktops in your organization, and would like to, say, replace the domain authentication for access to local files with a little something of your own, in case you, uh, needed access to those files later, like, say, uh, after you were terminated?

    1. Re:This would be a useful thing . . . by gd23ka · · Score: 1

      Access to local files after termination can be gained through using an NTFS filesystem driver such as is found in Linux.

      Many Windows shops restrict users from admin rights on their NT boxes. Your own MSGINA DLL is useful to log you on as a *Localhost\Administrator on your machine during the time period _prior_ to your termination.

  4. Even if replacing OS components doesn't . . . by Anonynnous+Coward · · Score: 3, Interesting
    . . . violate the EULA, Microsoft is free to modify the software on a running Windows installation. I'm sure that changes to the authentication code would be something Microsoft could easily "fix" with Windows Update, or some other more sneaky, nefarious means (now that they legally can) of "updating" the code on your box.

    If I wanted to choose your authentication mechanism, I'd stick with OSS with no back-doors for "maintenance" or "updates."

    1. Re:Even if replacing OS components doesn't . . . by maxume · · Score: 2, Interesting

      Did you see the quote from MSDN where it talks about Microsoft actually providing some of the functionality needed to get this done?

      Here it is, taken from the info page in the story link:

      "... is a replaceable DLL component that is loaded by the Winlogon executable. The GINA implements the authentication policy of the interactive logon model and is expected to perform all identification and authentication user interactions." (MSDN)

      So Microsoft says it is replaceable, probably because they think that it is something that people might want to replace...

      The above comment really isn't that interesting, is it?

      --
      Nerd rage is the funniest rage.
    2. Re:Even if replacing OS components doesn't . . . by Anonymous Coward · · Score: -1, Troll
      The above comment really isn't that interesting, is it?

      What is it with these bitter cretins that come out every time someone gets modded up whining that they shouldn't have been? So you read MSDN because you're a Microsoft slave and found an obscure reference to replaceable DLLs. I'd bet they meant replaceable by MS, and not by the end user. But as a toady to MS, I'm sure you'll give them the benefit of the doubt.

      ~~~

    3. Re:Even if replacing OS components doesn't . . . by Anonymous Coward · · Score: 0

      Riiiiight. So, you have read the MSDN and found out how GINAs really work, have you? GINAs are for EXACTLY this purpose - allowing end users to implement their own authentication modules. I know /. is an anti-MS forum, and in many, many cases is justified in being such, but you really lose credibility when you spread FUD.

    4. Re:Even if replacing OS components doesn't . . . by Anonymous Coward · · Score: -1, Troll
      So, you have read the MSDN and found out how GINAs really work, have you? GINAs are for EXACTLY this purpose

      Awfully big talk without a link or citation. Or are you just talking out of your ass?

      ~~~

    5. Re:Even if replacing OS components doesn't . . . by Anonymous Coward · · Score: 0

      I'm trollfood, but shipping a GINA replacement is not that uncommon in the NT world. Lotus Notes does it, Novell client does it, the AS/400 client does it. It's like PAM on Unix.

    6. Re:Even if replacing OS components doesn't . . . by Anonymous Coward · · Score: 2, Informative

      You mean like this? Microsoft overview on GINAs.

      There are _many_ companies that have written their own GINAs to provide alternate authentication methods, such as biometric, voice, and hardware tokens.

      A quick search only turned up a couple thousand entries.

      The only thing even remotely interesting about pGINA is that it allows multiple authentication paths via its plugin architecture, and even that is nothing to get overly excited about since the GINA itself is a plugin to winlogon.exe. I'd be more impressed if it worked with Win9x since I have yet to find a documented means of replacing the logon mechanisms for those operating systems.

      It should be noted that there are _very large_ companies that are using hardware tokens and they would be _very_ pissed if Microsoft decided to replace their custom GINAs out of the blue.

    7. Re:Even if replacing OS components doesn't . . . by Anonymous Coward · · Score: 0
      Took you awhile to go find that, but thank you. I stand corrected. And I'll be paying you back for that Overrated when I get points.

      ~~~

    8. Re:Even if replacing OS components doesn't . . . by Anonymous Coward · · Score: 0

      It only took me about 3 minutes, if that. You see, I'm not the anonymous coward from above. I just felt that your assertions of the GINA being obscure and without supporting links needed refuting.

      In your defense, I noticed that the sample code from Microsoft here and here is no longer available due to the release of .NET. So rather than replace custom GINAs it looks as though they may be preparing to obsolete them, either with something obscure and undocumented or with Passport (which may or may not be well documented). This is just a wild guess though.

  5. You idiot! by Anonymous Coward · · Score: 0
    Troll McClure wasn't on NewsRadio! That was David Spade.

    Buh-bye

  6. Weight authentication by Anonymous Coward · · Score: 1, Funny

    You must weigh at least 300 lbs to operate this machine. Please consume more food to obtain root at 450 lbs!!!!

    1. Re:Weight authentication by Anonymous Coward · · Score: 0

      It's probably RMS, the obese goat fucker.

    2. Re:Weight authentication by Anthanos · · Score: 1

      That's the great part of pGina ;-) If you can write code that would interface with a scale (say via the USB port) you could do this!

      --
      pGina, http://www.xpasystems.com - Making the big boys play nice.
  7. OSS fanboys, pay attention: by Anonymous Coward · · Score: -1, Troll

    How to Remove Linux and Install Windows on Your Computer (Q247804)

    The information in this article applies to:

    Microsoft Windows 2000, Advanced Server
    Microsoft Windows 2000, Datacenter Server
    Microsoft Windows 2000, Professional
    Microsoft Windows 2000, Server
    Microsoft Windows NT Server version 4.0
    Microsoft Windows NT Workstation version 4.0

    For a Microsoft Windows XP version of this article, see Q314458.

    SUMMARY

    This article describes how you can remove the Linux operating system from your computer, and install a Windows operating system. This article also assumes that Linux is already installed on the hard disk using Linux native and Linux swap partitions, which are incompatible with the Windows operating system, and that there is no free space left on the drive.

    Windows and Linux can coexist on the same computer. For additional information, refer to your Linux documentation.

    MORE INFORMATION

    To install Windows on a system that has Linux installed when you want to remove Linux, you must manually delete the partitions used by the Linux operating system. The Windows-compatible partition can be created automatically during the installation of the Windows operating system.

    IMPORTANT: Before you follow the steps in this article, verify that you have a bootable disk or bootable CD-ROM for the Linux operating system, because this process completely removes the Linux operating system installed on your computer. If you intend to restore the Linux operating system at a later date, verify that you also have a good backup of all the information stored on your computer. Also, you must have a full release version of the Windows operating system you want to install.
    Linux file systems use a "superblock" at the beginning of a disk partition to identify the basic size, shape, and condition of the file system.

    The Linux operating system is generally installed on partition type 83 (Linux native) or 82 (Linux swap). The Linux boot manager (LILO) can be configured to start from:

    The hard disk Master Boot Record (MBR).

    The root folder of the Linux partition.

    The Fdisk tool included with Linux can be used to delete the partitions. (There are other utilities that work just as well, such as Fdisk from MS-DOS 5.0 and later, or you can delete the partitions during the installation process.) To remove Linux from your computer and install Windows:

    1. Remove native, swap, and boot partitions used by Linux:

       a. Start your computer with the Linux setup floppy disk, type fdisk at the command prompt, and then press ENTER.

          NOTE: For help using the Fdisk tool, type m at the command prompt, and then press ENTER.

       b. Type p at the command prompt, and then press ENTER to display partition information. The first item listed is hard disk 1, partition 1 information, and the second item listed is hard disk 1, partition 2 information.

       c. Type d at the command prompt, and then press ENTER. You are then prompted for the partition number you want to delete. Type 1, and then press ENTER to delete partition number 1. Repeat this step until all the partitions have been deleted.

       d. Type w, and then press ENTER to write this information to the partition table. Some error messages may be generated as information is written to the partition table, but they should not be significant at this point because the next step is to restart the computer and then install the new operating system.

       e. Type q at the command prompt, and then press ENTER to quit the Fdisk tool.

       f. Insert either a bootable floppy disk or a bootable CD-ROM for the Windows operating system on your computer, and then press CTRL+ALT+DELETE to restart your computer.

    2. Install Windows. Follow the installation instructions for the Windows operating system you want to install on your computer. The installation process assists you with creating the appropriate partitions on your computer.

    Examples of Linux Partition Tables
    Single SCSI drive

    Device Boot Start End Blocks Id System
    /dev/sda1 * 1 500 4016218 83 Linux native (SCSI hard drive 1, partition 1)
    /dev/sda2 501 522 176715 82 Linux swap (SCSI hard drive 1, partition 2)

    Multiple SCSI drives

    Device Boot Start End Blocks Id System
    /dev/sda1 * 1 500 4016218 83 Linux native (SCSI hard drive 1, partition 1)
    /dev/sda2 501 522 176715 82 Linux swap (SCSI hard drive 1, partition 2)
    /dev/sdb1 1 500 4016218 83 Linux native (SCSI hard drive 2, partition 1)

    Single IDE drive

    Device Boot Start End Blocks Id System
    /dev/hda1 * 1 500 4016218 83 Linux native (IDE hard drive 1, partition 1)
    /dev/hda2 501 522 176715 82 Linux swap (IDE hard drive 1, partition 2)

    Multiple IDE drives

    Device Boot Start End Blocks Id System
    /dev/hda1 * 1 500 4016218 83 Linux native (IDE hard drive 1, partition 1)
    /dev/hda2 501 522 176715 82 Linux swap (IDE hard drive 1, partition 2)
    /dev/hdb1 1 500 4016218 83 Linux native (IDE hard drive 2, partition 1)

    Also, Linux recognizes more than forty different partition types, such as:

    * FAT 12 (Type 01)
    * FAT 16 > 32 M Primary (Type 06)
    * FAT 16 Extended (Type 05)
    * FAT 32 w/o LBA Primary (Type 0b)
    * FAT 32 w/LBA Primary (Type 0c)
    * FAT 16 w/LBA (Type 0e)
    * FAT 16 w/LBA Extended (Type 0f)

    Note that there are other ways to remove the Linux operating system and install Windows than the one mentioned above. The preceding method is used in this article because the Linux operating system is already functioning and there is no more room on the hard disk. There are methods of changing partition sizes with software. Microsoft does not support Windows installed on partitions manipulated in this manner.

    Another method of removing an operating system from the hard disk and installing a different operating system is to use an MS-DOS version 5.0 or later boot disk, a Windows 95 Startup disk, or a Windows 98 Startup disk that contains the Fdisk utility. Run the Fdisk utility. If you have multiple drives, there are 5 choices; use option 5 to select the hard disk that has the partition to be deleted. After that, or if you have only one hard disk, choose option 3 ("Delete partition or logical DOS drive"), and then choose option 4 ("Delete non-DOS partition"). You should then see the non-DOS partitions you want to delete. Typically, the Linux operating system has two non-DOS partitions, but there may be more. After you delete one partition, use the same steps to delete any other appropriate non-DOS partitions.

    After the partitions are deleted, you can create partitions and install the operating system you want. You can only create one primary partition and an extended partition with multiple logical drives by using Fdisk from MS-DOS version 5.0 and later, Windows 95, and Windows 98. The maximum FAT16 primary partition size is 2 gigabytes (GB). The largest FAT16 logical drive size is 2 GB. For additional information, click the article number below to view the article in the Microsoft Knowledge Base:
    Q105074 MS-DOS 6.2 Partitioning Questions and Answers

    If you are installing Windows NT 4.0 or Windows 2000, the Linux partitions can be removed and new partitions created and formatted with the appropriate file system type during the installation process. Windows allows you to create more than one primary partition. The largest partition that Windows NT 4.0 allows you to create during installation is 4 GB because of the limitations of the FAT16 file system during installation. Also, the 4-GB partitions use 64-KB cluster sizes. MS-DOS 6.x and Windows 95 or Windows 98 do not recognize 64-KB cluster file systems, so this file system is usually converted to NTFS during installation. Windows 2000, unlike Windows NT 4.0, recognizes the FAT32 file system. During the installation of Windows 2000, you can create a very large FAT32 drive. The FAT32 drive can be converted to NTFS after the installation has completed if appropriate.

  8. NO, J00R THE IDIOT by Anonymous Coward · · Score: 0

    Check your facts before you post, fucktard. Phil Hartman, (the voice of Troy McClure), was also on NewsRadio. Here's the Google cache of NBC's website.

    Seeing as how you mentioned the homo, David Spade, I suspect you're some dirty, gay GNU/Linux hippie. Get off your 486 boxen and get tested for AIDS.

  9. Very cool by Webmonger · · Score: 3, Interesting

    This looks like very useful software, if it works as advertised. Where I work, we have an entire Win2k server whose only purpose is providing authentication. For us, this could be the missing link.

    It seems like an alternative to the Samba TNG project. Where SMBTNG is working to create Open Source Domain Controllers that run under Unix, pGina makes Domain Controllers irrelevant by allowing Win2k to use Open Source *nix authentication methods.

    I have to think though, that pGina is probably far simpler to implement than Samba TNG.

    1. Re:Very cool by Anthanos · · Score: 1

      Exactly right. It has been the missing link for us as well (the CSCE Dept itself, http://www.cs.plu.edu) as we now use it for LDAP authentication. Hope you find it useful, drop me a note if you have any questions!

      --
      pGina, http://www.xpasystems.com - Making the big boys play nice.
    2. Re:Very cool by MMMMMMMMMMMMMMMMMMMM · · Score: -1

      I want you to answer some questions and I want the answers immediately! Who is your daddy and what does he do?

    3. Re:Very cool by dregs · · Score: 1

      It's all relative.

      I've done a heap of work on nisgina 2000
      (see nisgina.deakin.edu.au)

      we use it in our teaching labs (approx 1000 machines)
      and it works fine.

      I wouldn't put it on staff machines though; it's fairly invasive in the way it works.

      Domain controllers are simpler to use, you just need to sync the passwords from your unix hosts, which we have now done.

    4. Re:Very cool by Anonymous Coward · · Score: 0

      And you have to pay for the domain OS, and the beefy hardware, and of course write synch scripts - or use AD... all a bunch of things some people can't afford, or flat out don't want to do. pGina is obviously about choices, not "what is the right way", cuz with pGina it looks like the right way is whatever way you want! There is no reason people should be expected to have 1 server OS, just because they use the same company's client OS... Kudos to the pGina folk.

  10. Worst....name....ever! by Otter · · Score: 4, Funny
    This is a great project but pGina is an absolutely godawful name. It sounds like the developers were watching the "Mulva" episode of Seinfeld when they came up with the name.

    I'm surprised they're from an English-speaking country.

    1. Re:Worst....name....ever! by Anthanos · · Score: 1

      Suggest an alternative?

      pGINA = Pluggable Graphical Identification and Authentication

      --
      pGina, http://www.xpasystems.com - Making the big boys play nice.
    2. Re:Worst....name....ever! by Samus · · Score: 4, Funny

      vGINA = Virtual Graphical Identification and Authentication

      --
      In Republican America phones tap you.
    3. Re:Worst....name....ever! by jo42 · · Score: 1

      Certifier of User Network Trust

    4. Re:Worst....name....ever! by sharkey · · Score: 2

      vGINA = Virtual Graphical Identification and Authentication

      Then, you could add the Security Authorized Naming Daemon as a module, resulting in having SAND in your vGINA.

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  11. Cool tool, but not new by dhopton · · Score: 3, Informative

    Windows NT has been able to authenticate a number of servers since day one. Novell is just one of those that it can. How does it do this? Using this interface - as someone else pointed out, the replaceable authentication DLL etc. is documented and is on MSDN.

    pGina is cool thanks to its plugin interface - it seems to make things a lot easier.

    BTW, there is already a virus that gets in, and replaces your MS gina with its own, so it looks and works like normal but collects passwords.

    1. Re:Cool tool, but not new by Anthanos · · Score: 1

      Not new - just modular. There are replacement GINAs that do different methods of authentication - but they are hardcoded - the plugin architecture of pGina allows for these and other past + new protocols.

      --
      pGina, http://www.xpasystems.com - Making the big boys play nice.
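
Added example, not part of any comment in this thread and not pGina or Microsoft code: the password-collecting replacement GINA mentioned above can be audited for, because Winlogon on NT 4/2000/XP loads whichever DLL the `GinaDLL` value under its Winlogon registry key names, and `msgina.dll` when that value is absent. The Python below checks a `.reg` export of that key against an allow-list; the sample exports, the `pgina.dll` file name and the function names are constructed for illustration.

```python
import re

# Key and value that tell Winlogon which GINA to load on Windows NT 4/2000/XP.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
DEFAULT_GINA = "msgina.dll"  # loaded when no GinaDLL value is present

# Constructed sample exports (already decoded to str; regedit 5.00 writes UTF-16).
SAMPLE_STOCK = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe"
'''
SAMPLE_PGINA = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Example]
"GinaDLL"="ignored.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="pgina.dll"
'''
SAMPLE_ODD = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"GinaDLL"="C:\\WINNT\\Temp\\msgina.dll"
'''


def read_gina_value(reg_text):
    """Return the GinaDLL string under the Winlogon key, or None if unset."""
    in_winlogon = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            in_winlogon = line[1:-1].lower() == WINLOGON_KEY.lower()
            continue
        match = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_winlogon and match and match.group(1).lower() == "ginadll":
            # .reg string values escape backslashes and quotes with a backslash.
            return re.sub(r"\\(.)", r"\1", match.group(2))
    return None


def classify_gina(reg_text, approved=()):
    """Return (verdict, dll): 'default', 'approved' or 'investigate'."""
    value = read_gina_value(reg_text)
    if value is None or value.lower() == DEFAULT_GINA:
        return "default", value or DEFAULT_GINA
    # Exact match only: a path to a look-alike such as ...\Temp\msgina.dll
    # is neither the stock GINA nor an approved one.
    if value.lower() in {name.lower() for name in approved}:
        return "approved", value
    return "investigate", value


if __name__ == "__main__":
    allow = {"pgina.dll"}  # assumed name of the GINA this site deployed
    for label, text in [("stock", SAMPLE_STOCK), ("pgina", SAMPLE_PGINA), ("odd", SAMPLE_ODD)]:
        print(label, classify_gina(text, approved=allow))
```

An "approved" verdict only says the configured name is expected; the file on disk still needs its hash or signature compared against the copy that was deployed.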
  12. Bad, but probably not the worst. by Futurepower(R) · · Score: 1, Interesting


    He's right. Why do open source authors pick self-defeating names?

    Probably because it takes a lot of effort to think of a really good name.

    My recent favorite poorly chosen name is Killustrator. The name created an international incident, and the author was forced to change it.

    So, what would be a good name? You could call it Open GINA, but GINA sounds like a woman's name. Gnu GINA? WhoAreYou? OurGINA? FreeGINA? No, people would joke that it was prostitution. Tacoma ID? OpenID?

    A good name would make prospective users think of the purpose, rather than of an obscure acronym. So maybe OpenID is good.