Slashdot Mirror

← Back to Stories (view on slashdot.org)

Synchronizing Forced Password Changes?

Posted by Cliff on from the decentralized-password-maintenance dept.

aroobie asks: "I have several different types of servers running at my small office including Windows 2000 Advanced Server, VMS, IRIX, and Linux. My corporate parent wants to force passwords to change every 90 days, which is a good thing, but once a user changes his/her Windows password access to the other servers is denied until I make appropriate changes on the non-Windows servers. Sort of defeats the purpose of changing the password since each users has to give me their new password to make them match on on the servers. Has anyone found a way to synchronize passwords on different systems? Is there software available to do this?"

26 of 51 comments (clear)

  1. winbind by dago · · Score: 5, Informative
    winbind may be a possible solution : your unix boxes authenticate to the NT domain

    Winbind is an nss switch module to map Windows NT Domain databases to Unix.

    In combination with Samba and pam_ntdom, a Unix box will be able to integrate straight into a full Windows NT Domain environment, without needing a Unix Account database.

    Use of pam modules (pam_smb, pam_ntdom) also works (on pam systems like linux or solaris) very well.

    --
    #include "coucou.h"
  2. not so simple by NotInTheBox · · Score: 2, Insightful

    At the university we sometime need it the other way around... linux password has to be converted to Windows passwords.

    It works like this: the program asks for you password, which it then validates/authenicates
    with the yppasswordd if approved (this means that the string just typed is indeed the one and only true password) it asks a windowsNT box to associate know username to new password.

    Don't know if this could also be done in reverse however. Platform independant accounts would be a great plus. Anyone else having a idear?

    --
    What I cannot create, I do not understand
  3. MS utils for synchronizing with other systems by fluor2 · · Score: 5, Informative

    Microsoft actually made a program that syncs with Novell passwords. (Here). For Unix, use this link for finding more information. Especially this and this.

    1. Re:MS utils for synchronizing with other systems by pete-classic · · Score: 2
      The lab for the UNIX password sync tool includes the following instruction:

      3. Telnet to UNIX machine, and verify that now you have to log on to user2 with the new password.


      The emphasis on "Telnet" is mine.

      I have to say that I am hesitant to use any security product whose instructions include the word "telnet" without preceding it with the words "do not use."

      -Peter
  4. A Quick Dirty Solution by perljon · · Score: 4, Interesting

    Software to automatically do this stuff is kind of expensive. YOu could roll your own package for pretty cheap, if you force everyone to change their password at the same place. For example, it would be easier to force all of your users to go to http://changepassword.yourorg.net to change their password.

    Then, take their new password and set it in each system using perl (I'm sure it either has a library for each system you are talking about or you can drop out to a shell from perl to change passwords via the Unix shell.)

    The hard part about using one system to change all passwords, ie, having all passwords set from you Windows Box or from your Unix shell is that without special software, each system does a pretty good job making sure you don't know what the password is by using several schemes to hide and encrypt it (that's important...). By forcing everyone to change it in one place, you avoid having to buy the propietary libraries which notify a central system of a password change.

    If that sounds too complex, get ahold of me, and I'll be happy to help more for a small fee or some barter.

    --
    This isn't the sig you are looking for... Carry on...
  5. ummm... by quinto2000 · · Score: 2, Flamebait

    Kerberos, among other options. You're describing a very common problem, for which dozens of solutions exist. It seems a waste of an Ask Slashdot question, IMHO.

    --
    Ceci n'est pas un post
  6. Password changing is ignorant by Eagle7 · · Score: 4, Insightful

    I don't know why people harp on about changing your password as a matter of policy. In my experience, this just means that employees will find the simplest system that satisfies the hueristics, and end up with insecure passwords - such as j0e01, 02j0e, j030e, j004e, j0e05, etc - since coming up with f$6hq7# and remembering it every 90 days is a PITA. So your policy makes someone who *would* choose a secure password choose insecure ones becuase they don't want to keep switchng. (or worse, they write them down!!!)

    On the other hand, you could educate employees on the benefits of secure passwords, tell them that as long as the pick a secure password, never share it, and never write it down, they can keep it. Yeah, some people will break the rules - but they'll have insecure passwords under any circumstances. But the folks who actually try will end up more secure.

    After all... as long as I protect its use and don't share it or record it, f$6hq7# is as secure in a year as it was the day I defined it.

    --
    _sig_ is away
    1. Re:Password changing is ignorant by Bazzargh · · Score: 4, Interesting

      Reminds me of one of my old corporate's security faux pas...I rarely used the crappy mainframe system, so quite often when I did my password had expired and I had to call the helpdesk to get it reset...

      Me: I need a password reset
      Drone: Fine, whats your name and secure PIN?
      Me: John Doe, username ******, pin no ****
      Drone: hang on...that doesnt appear to be correct, are you sure thats the PIN?
      Me: Yes, I've been using that PIN for years[1]
      Drone: ok, I'll reset your PIN to ****[2]
      Me: thanks, can you reset my password then?
      Drone: sure...your password is now ******. thanks for calling
      *click*[3]

      [1] herein being the first flaw in the security system. The passwords dont change, but if you can guess the PIN you can get it reset (and its only 4 digits)
      [2] and here's the doozy. I could have been anyone, and now I have got the PIN reset. Internal security tried to get hold of me when I mentioned this incident on a company newsgroup, presumably to sack the person that reset my PIN.
      [3] Mission accomplished, identity stolen. At this point I considered calling back claiming to be our venerable CEO.

    2. Re:Password changing is ignorant by perljon · · Score: 5, Insightful

      Some how, 30 days after you set the password to f$6hq7#, it was compromised. Even though it was a great password, I grabbed the /etc/passwd file and brute forced it, or I sniffed your password when you used telnet instead of ssh, I looked in through a window and a telescope and watched your fingers, I put a keyboard sniffer on your keyboard, I used high-tech equipment to detect the electrical impulses from the key, or I even watched you type it in (after all, it takes a little longer since you are a pecker instead of a typer.) Long story short, I grabbed your password. If you have passwords reset every 90 days, I have only compromised your password for 60 days instead of a year.

      The trick is educating your users on how to create good passwords from pass phrases. ie, I like to buy expensive high tech toys becomes IlTbEhTt Now, do some number replacements for for Capital letters, you make the rules, but make your own. I will replace capital I's with 1's and Capital E's with 3's in this example. 1lTb3hTt What we come up with is an easily remembered password because you know the pass phrase and you know the algoryhtm you used to create the password. (took my last sentence, took the first letter, replaced I's with 1's, E's with 3's, o's with 0's.)

      --
      This isn't the sig you are looking for... Carry on...
    3. Re:Password changing is ignorant by perljon · · Score: 2, Insightful

      Security is like an onion. On the outside layer, everyone who walks into the office can log onto a computer and do whatever he wants using the publicly posted password. This is a trush system, and although very insecure is the cheapest solution. Peel the layer, and you introduce a private username and password that only those on the inside know. Peel a layer, and everyone gets there own username/password. Peel a layer, and everyone gets there own hard to guess/hard to crack password. Peel a layer, and everyone gets a hard to guess/hard to crack changing every 90 days password.

      Also, at each layer you introduce stuff like encryption, good physical security, regular auditing, etc. etc. etc. With each layer, you pay a little more money, at least in administration costs and complexity.

      To my point, is changing your password every 90 days going to fix all security problems? No... However, it is a cheaper solution to implement than it is to crack, so it's a no brainer to implement the policy.

      But I agree, if you don't do good in other arenas, there is little hope. In a secure environment, regular audits are done. Hopefully, backdoors and open telnet ports are found and fixed. Then when the password is changed or the patch is applied that doesn't allow a cracker to use an exploit to gain the passwd file, you've effectively locked out the cracker.

      It's not the end-all be-all security solution, but combined with other security techniques it is affective for a small cost.

      --
      This isn't the sig you are looking for... Carry on...
    4. Re:Password changing is ignorant by 0x0d0a · · Score: 2

      You know, doing "warez" replacements on letters is awfully easy for a piece of software to do.

      If I was writing a password cracker, the first thing I'd have it do is try substituting "3" for "E", etc.

      Yet people always have this smug feeling that "warezifying" their password (where the original is often common English) has just made it unbreakably secure. Oh, or tacking a "1" on the end of it.

      More importantly, if you're working with non-shadowed passwords and can glean *any* passwords from /etc/passwds, there are more serious security issues than some user choosing a weak password.

      --
      May we never see th
    5. Re:Password changing is ignorant by Hektor_Troy · · Score: 2

      one of my favorite passwords (well, passphrase is more like it) is a variant of this one:

      This is a very long password, that is easy to remember and almost impossible to brute force, because it is too long and contains 200 characters, so you can just eat shit stupid fuckhead administrator!

      You could even change it a bit, and make it provokative:

      My password is a very long password, that is easy to remember and almost impossible to brute force, because it is too long and contains 201 characters, so you can just eat shit stupid fuckhead bastard!

      It's always fun to recite that password to anyone who asks :-)

      Okay, so it's not the easiest password to enter, but it's rather effective, and (I would almost bet) it is impossible to bruteforce it with a simple keygen ... hehe

      --
      We do not live in the 21st century. We live in the 20 second century.
  7. related : Lucent's secstore / factotum by DrSkwid · · Score: 3, Informative

    single secure sign-on for multiple domains

    here
    or
    [pdf]

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  8. LDAP, of course. by -dsr- · · Score: 4, Informative

    Just run a central LDAP server. Everything you've mentioned can authenticate from LDAP. For details, just Google for LDAP and the OS name and "password".

  9. Re:related : Lucent's secstore / factotum oops by DrSkwid · · Score: 2

    pdf

    --
    There are places where the networks are not touching,and there are places where they are-Boeing's Lori Gunter
  10. Re:LDAP by velkro · · Score: 2, Informative

    Works good here. Novell's eDirectory has a pwdsyunc module available to sync info/passwords with Active Directory too.

    Linux, Lotus, MS, Nortel products all happy, as well as internal apps too.

  11. its not a stupid ask slashdot question... by spike666 · · Score: 2

    i mean, they got their mod points for getting a post posted right? even if it is one more silly ask slashdot question.

  12. pam/nss_ldap from padl.com by Pointer80 · · Score: 5, Informative

    I'm not too familiar with VMS, but Linux can and IRIX might (not support is mentioned for it) be able to use the pam_ldap/nss_ldap modules from padl.com to authenticate against Active Directory. IIRC, this requires SFU, but I could be wrong. There is a document about it in the tarball for nss_ldap.

    Here's some links to Linux/AD integration from padl.com's doc section:

    Active Directory and Linux

    Linux-AD Integration

    Active Directory and nss_ldap

    /pointer

    --
    [%- PROCESS life -%]
    1. Re:pam/nss_ldap from padl.com by SuiteSisterMary · · Score: 2

      SFU works the opposite way, I think; it'll rexec or something over to your unix boxen and change the passwords. Or, I think, there's a daemon you can run on the UNIX boxen that the NT box'll call up and use that to change the password; safer than rexec.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  13. Re:Different Solution by mfos.org · · Score: 2

    Hmm, you might not like this, 2 reasons

    1) Not cheap

    2) Pain in the ass for tech support. There are enough steps that must occur in the correct order that often times people will screw them up and have to call your IT support group

  14. How are they accessing the unix/vms servers? by LWolenczak · · Score: 2

    how are they accessing the unix/vms servers?

  15. Don't be so uppity... by darken9999 · · Score: 2, Funny
    The supposed benefit of using Ask Slashdot is to get a wide range of opinions on a matter. Granted that a person may run into some stories of experience in the newsgroups, they won't find nearly as much.

    I'm sure they know of ldap, kerberos, blah, blah, blah... but which should they use? What do their peers think? What have their peers experienced?

    Nothing like Unix geeks. We bitch at all the horrible sys admins (mostly Windows, of course ;^), then we redicule them when they ask for our help.

  16. MS API for this is documented by Krelnik · · Score: 5, Informative
    FWIW, these tools that Microsoft provides (see excellent links in parent message) are actually built on a Windows API that is publicly documented (see "password filter") and they even offer free sample source code.

    So if you have some home-grown system you need to sync with, or you just like to roll your own solutions, you can do it. Essentially there is a DLL you load on the server that gets called every time a password is changed. It can then approve or deny the change, but more importantly since it sees the password it can do the sync. This is how the PASSFILT.DLL is implemented as well as the Novell and Unix solutions mentioned in the parent of this post.

  17. Re:LDAP by AndyDeck · · Score: 2

    velkro said:
    > Works good here. Novell's eDirectory has a pwdsyunc module available to sync info/passwords with Active Directory too.

    Novell has got more than just one product that can fit this bill - DirXML can synchronize passwords (along with IDs, groups, etc) between eDirectory and NT domains or Active Directory with the Password Sync module (all three pieces now come free with Zen for Desktops 4, BTW), Novell Account Management can synchronize to Mainframe and Unix platforms as well as Windows, not to mention the whole single-signon/Secure Login family of products.

    The difference between the various products is partially focus (identity management versus password synch), and partially the choice of authoritative sources (DirXML is VERY flexible).

    --

    The Crystal Wind is the Storm, and the Storm is Data, and the Data is Life
  18. ...other options by aaarrrgggh · · Score: 2

    What I fail to understand is why people need to be forced to change passwords at all: why are all these systems single-layered?

    It only seems logical that smart-cards or java-enabled i-buttons... or whatever could provide improved security when combined with a password. I'm no cryptography expert, but it seems like a password or password hash doesn't have much more than 25 bits of real security.

    Is it just hardware that keeps this from taking off?

    Is there any support for password/smart card authentication systems in Linux?

  19. mod parent to 5 by oliverthered · · Score: 2

    LDAP is the correct solution. everything else is just a nasty hackarround....

    --
    thank God the internet isn't a human right.