Slashdot Mirror

← Back to Stories (view on slashdot.org)

Authenticate Your Windows Clients Against... Anything

Posted by timothy on from the except-the-hair-on-their-chinny-chin-chin dept.

Nathan Yocom writes: "pGina is a GPL'd extension for the authentication portion of Windows 2000/XP. Why replace that portion of the OS? Because we don't like being forced to have a Windows server around just for user authentication. So pGina uses plugins to achieve modularity. This allows for user authentication via ANY number of means, both existing and future. For instance, there is already some work being done on an LDAP plugin, a SMB plugin, an SSH plugin and others (SQL, Kerberos, etc). For those who aren't developers it is easy to install, and for those who are developers, a simple yet powerful plugin SDK makes it easy to develop plugins. (Technically pGina should work in NT 4 as well, but we have NOT tested it)"

8 of 37 comments (clear)

  1. Even if replacing OS components doesn't . . . by Anonynnous+Coward · · Score: 3, Interesting
    . . . violate the EULA, Microsoft is free to modify the software on a running Windows installation. I'm sure that changes to the authentication code would be something Microsoft could easily "fix" with Windows Update, or some other more sneaky, nefarious means (now that they legally can) of "updating" the code on your box.

    If I wanted to choose your authentication mechanism, I'd stick with OSS with no back-doors for "maintenance" or "updates."

    1. Re:Even if replacing OS components doesn't . . . by maxume · · Score: 2, Interesting

      Did you see the quote from MSDN where it talks about microsoft actually providing some of the functionality needed to get this done?

      here it is, taken from the info page in the story link:

      "... is a replaceable DLL component that is loaded by the Winlogon executable. The GINA implements the authentication policy of the interactive logon model and is expected to perform all identification and authentication user interactions." (MSDN)

      So microsoft says it is replacable, probably because they think that it is something that people might want to replace...

      The above comment really isn't that interesting, is it?

      --
      Nerd rage is the funniest rage.
    2. Re:Even if replacing OS components doesn't . . . by Anonymous Coward · · Score: 2, Informative

      You mean like this? Microsoft overview on GINAs.

      There are _many_ companies that have written their own GINAs to provide alternate authentication methods, such as biometric, voice, and hardware tokens.

      A quick search only turned up a couple thousand entries.

      The only thing even remotely interesting about pGINA is that it allows multiple authentication paths via its plugin architecture, and even that is nothing to get overly excited about since the GINA itself is a plugin to winlogon.exe. I'd be more impressed if it worked with Win9x since I have yet to find a documented means of replacing the logon mechanisms for those operating systems.

      It should be noted that there are _very large_ companies that are using hardware tokens and they would be _very_ pissed if Microsoft decided to replace their custom GINAs out of the blue.

  2. Very cool by Webmonger · · Score: 3, Interesting

    This looks like very useful software, if it works as advertised. Where I work, we have an entire Win2k server whose only purpose is providing authentication. For us, this could be the missing link.

    It seems like an alternative to the Samba TNG project. Where SMBTNG is working to create Open Source Domain Controllers that run under Unix, pGina makes Domain Controllers irrelevent by allowing Win2k to use Open Source *nix authentication methods.

    I have to think though, that pGina is probably far simpler to implement than Samba TNG.

  3. Worst....name....ever! by Otter · · Score: 4, Funny
    This is a great project but pGina is an absolutely godawful name. It sounds like the developers were watching the "Mulva" episode of Seinfeld when they came up with the name.

    I'm surprised they're from an English-speaking country.

    --
    What I'm listening to now on Pandora...
    1. Re:Worst....name....ever! by Samus · · Score: 4, Funny

      vGINA = Virtual Graphical Identification and Authentication

      --
      In Republican America phones tap you.
    2. Re:Worst....name....ever! by sharkey · · Score: 2

      vGINA = Virtual Graphical Identification and Authentication

      Then, you could add the Security Authorized Naming Daemon as a module, resulting in having SAND in your vGINA.

      --

      --
      "Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
  4. Cool tool, but not new by dhopton · · Score: 3, Informative

    Windows NT has been able to authenticate a number of servers since day one. Novell is just one of those that it can. How does it do this? Using this interface - as somone else pointed, the replaceable authentication dll etc is documented and is on MSDN.

    pGina is cool thanks to it's plugin interface - it seems to make things a lot easyer.

    BTW, there is already a virus that gets in, and replaces your MS gina with it's own, so it looks and works like normal but collects passwords.