Slashdot Mirror


Synchronizing Forced Password Changes?

aroobie asks: "I have several different types of servers running at my small office including Windows 2000 Advanced Server, VMS, IRIX, and Linux. My corporate parent wants to force passwords to change every 90 days, which is a good thing, but once a user changes his/her Windows password, access to the other servers is denied until I make appropriate changes on the non-Windows servers. Sort of defeats the purpose of changing the password since each user has to give me their new password to make them match on the servers. Has anyone found a way to synchronize passwords on different systems? Is there software available to do this?"

10 of 51 comments

  1. winbind by dago · · Score: 5, Informative
    winbind may be a possible solution: your unix boxes authenticate to the NT domain

    Winbind is an nss switch module to map Windows NT Domain databases to Unix.

    In combination with Samba and pam_ntdom, a Unix box will be able to integrate straight into a full Windows NT Domain environment, without needing a Unix Account database.

    Use of pam modules (pam_smb, pam_ntdom) also works (on pam systems like linux or solaris) very well.

    --
    #include "coucou.h"
  2. MS utils for synchronizing with other systems by fluor2 · · Score: 5, Informative

    Microsoft actually made a program that syncs with Novell passwords. (Here). For Unix, use this link for finding more information. Especially this and this.

  3. A Quick Dirty Solution by perljon · · Score: 4, Interesting

    Software to automatically do this stuff is kind of expensive. You could roll your own package for pretty cheap, if you force everyone to change their password at the same place. For example, it would be easier to force all of your users to go to http://changepassword.yourorg.net to change their password.

    Then, take their new password and set it in each system using perl (I'm sure it either has a library for each system you are talking about or you can drop out to a shell from perl to change passwords via the Unix shell.)

    The hard part about using one system to change all passwords, i.e., having all passwords set from your Windows box or from your Unix shell, is that without special software, each system does a pretty good job making sure you don't know what the password is by using several schemes to hide and encrypt it (that's important...). By forcing everyone to change it in one place, you avoid having to buy the proprietary libraries which notify a central system of a password change.

    If that sounds too complex, get ahold of me, and I'll be happy to help more for a small fee or some barter.

    --
    This isn't the sig you are looking for... Carry on...
  4. Password changing is ignorant by Eagle7 · · Score: 4, Insightful

    I don't know why people harp on about changing your password as a matter of policy. In my experience, this just means that employees will find the simplest system that satisfies the heuristics, and end up with insecure passwords - such as j0e01, 02j0e, j030e, j004e, j0e05, etc - since coming up with f$6hq7# and remembering it every 90 days is a PITA. So your policy makes someone who *would* choose a secure password choose insecure ones because they don't want to keep switching. (or worse, they write them down!!!)

    On the other hand, you could educate employees on the benefits of secure passwords, tell them that as long as they pick a secure password, never share it, and never write it down, they can keep it. Yeah, some people will break the rules - but they'll have insecure passwords under any circumstances. But the folks who actually try will end up more secure.

    After all... as long as I protect its use and don't share it or record it, f$6hq7# is as secure in a year as it was the day I defined it.

    --
    _sig_ is away
    1. Re:Password changing is ignorant by Bazzargh · · Score: 4, Interesting

      Reminds me of one of my old corporate's security faux pas... I rarely used the crappy mainframe system, so quite often when I did, my password had expired and I had to call the helpdesk to get it reset...

      Me: I need a password reset
      Drone: Fine, what's your name and secure PIN?
      Me: John Doe, username ******, pin no ****
      Drone: hang on... that doesn't appear to be correct, are you sure that's the PIN?
      Me: Yes, I've been using that PIN for years[1]
      Drone: ok, I'll reset your PIN to ****[2]
      Me: thanks, can you reset my password then?
      Drone: sure...your password is now ******. thanks for calling
      *click*[3]

      [1] herein being the first flaw in the security system. The passwords don't change, but if you can guess the PIN you can get it reset (and it's only 4 digits)
      [2] and here's the doozy. I could have been anyone, and now I have got the PIN reset. Internal security tried to get hold of me when I mentioned this incident on a company newsgroup, presumably to sack the person that reset my PIN.
      [3] Mission accomplished, identity stolen. At this point I considered calling back claiming to be our venerable CEO.

    2. Re:Password changing is ignorant by perljon · · Score: 5, Insightful

      Somehow, 30 days after you set the password to f$6hq7#, it was compromised. Even though it was a great password, I grabbed the /etc/passwd file and brute-forced it, or I sniffed your password when you used telnet instead of ssh, I looked in through a window with a telescope and watched your fingers, I put a keyboard sniffer on your keyboard, I used high-tech equipment to detect the electrical impulses from the keys, or I even watched you type it in (after all, it takes a little longer since you are a pecker instead of a typer.) Long story short, I grabbed your password. If you have passwords reset every 90 days, I have only compromised your password for 60 days instead of a year.

      The trick is educating your users on how to create good passwords from pass phrases. i.e., "I like to buy expensive high tech toys" becomes IlTbEhTt. Now, do some number replacements for capital letters; you make the rules, but make your own. I will replace capital I's with 1's and capital E's with 3's in this example: 1lTb3hTt. What we come up with is an easily remembered password, because you know the pass phrase and you know the algorithm you used to create the password. (took my last sentence, took the first letter, replaced I's with 1's, E's with 3's, o's with 0's.)

      --
      This isn't the sig you are looking for... Carry on...
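The passphrase recipe in the reply above, as an added example (not code from the thread or from its author). The rules below are assumptions for the example, since the poster says to make your own: first letter of each word, case alternating starting with upper (that shaping is inferred from the poster's own IlTbEhTt), then I->1, E->3 and o/O->0.

```c
/* Added example, not from the thread: the passphrase-to-password recipe the
 * comment above describes, as a function.  Rules assumed here (the comment
 * says to make your own): take the first letter of each word, alternate case
 * starting with upper (shaping inferred from the comment's IlTbEhTt), then
 * substitute I->1, E->3 and o/O->0. */
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Substitution step (assumed table). */
static char substitute(char c)
{
    switch (c) {
    case 'I': return '1';
    case 'E': return '3';
    case 'o': case 'O': return '0';
    default:  return c;
    }
}

/* Writes the derived password to out (NUL-terminated) and returns its length;
 * returns 0 if the phrase is empty or out is too small. */
size_t passphrase_to_password(const char *phrase, char *out, size_t cap)
{
    size_t n = 0;
    int at_word_start = 1;
    for (const char *p = phrase; *p; p++) {
        if (isspace((unsigned char)*p)) { at_word_start = 1; continue; }
        if (!at_word_start) continue;          /* only the first letter of a word */
        if (n + 1 >= cap) { if (cap) out[0] = '\0'; return 0; }
        char c = (n % 2 == 0) ? (char)toupper((unsigned char)*p)
                              : (char)tolower((unsigned char)*p);
        out[n++] = substitute(c);
        at_word_start = 0;
    }
    if (cap) out[n] = '\0';
    return n;
}

/* Same thing, returning a pointer to a static buffer (demo convenience only). */
const char *derive_password(const char *phrase)
{
    static char buf[64];
    passphrase_to_password(phrase, buf, sizeof buf);
    return buf;
}

int main(void)
{
    const char *phrase = "I like to buy expensive high tech toys";
    printf("%s -> %s\n", phrase, derive_password(phrase));   /* 1lTb3hTt */
    return 0;
}
```

One caveat a practitioner should keep in mind: the I->1, E->3, o->0 substitutions are standard mangling rules in password crackers (John the Ripper and hashcat ship rule files that try exactly these), so the strength of the result comes from the length and unpredictability of the phrase, not from the substitutions.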
  5. related : Lucent's secstore / factotum by DrSkwid · · Score: 3, Informative

    single secure sign-on for multiple domains

    here
    or
    [pdf]

    --
    There are places where the networks are not touching, and there are places where they are - Boeing's Lori Gunter
  6. LDAP, of course. by -dsr- · · Score: 4, Informative

    Just run a central LDAP server. Everything you've mentioned can authenticate from LDAP. For details, just Google for LDAP and the OS name and "password".

  7. pam/nss_ldap from padl.com by Pointer80 · · Score: 5, Informative

    I'm not too familiar with VMS, but Linux can and IRIX might (no support is mentioned for it) be able to use the pam_ldap/nss_ldap modules from padl.com to authenticate against Active Directory. IIRC, this requires SFU, but I could be wrong. There is a document about it in the tarball for nss_ldap.

    Here are some links to Linux/AD integration from padl.com's doc section:

    Active Directory and Linux

    Linux-AD Integration

    Active Directory and nss_ldap

    /pointer

    --
    [%- PROCESS life -%]
  8. MS API for this is documented by Krelnik · · Score: 5, Informative
    FWIW, these tools that Microsoft provides (see excellent links in parent message) are actually built on a Windows API that is publicly documented (see "password filter") and they even offer free sample source code.

    So if you have some home-grown system you need to sync with, or you just like to roll your own solutions, you can do it. Essentially there is a DLL you load on the server that gets called every time a password is changed. It can then approve or deny the change, but more importantly since it sees the password it can do the sync. This is how the PASSFILT.DLL is implemented as well as the Novell and Unix solutions mentioned in the parent of this post.
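The password-filter mechanism the comment above describes, as an added example that is not code from the thread or from Microsoft: a minimal filter DLL in the shape of PASSFILT.DLL. The three export names and their signatures are the documented ones; everything else (the registry location, the policy values MIN_LEN, "3 of 4 character classes" and "must not contain the account name", and the helper names) is assumed for the example. The policy is kept in plain C so it compiles and runs on any platform; only the glue needs Win32.

```c
/* Added example, not code from the thread: a minimal password-filter DLL in
 * the shape the comment above describes.  LSASS loads DLLs listed under
 * HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages and calls
 * three exports on every password set or change:
 *   InitializeChangeNotify  - once, at load
 *   PasswordFilter          - before the change; return TRUE to approve
 *   PasswordChangeNotify    - after the change, with the cleartext password
 * The policy lives in utf16_password_acceptable(), portable C; the rules
 * (MIN_LEN, 3 of 4 classes, no account name) are assumed for the example. */
#include <stddef.h>

#define MIN_LEN 8   /* assumed policy value */

/* Case-insensitive (ASCII letters) substring test on UTF-16 code units. */
static int utf16_icontains(const unsigned short *hay, size_t hlen,
                           const unsigned short *needle, size_t nlen)
{
    if (nlen == 0 || nlen > hlen) return 0;
    for (size_t i = 0; i + nlen <= hlen; i++) {
        size_t j;
        for (j = 0; j < nlen; j++) {
            unsigned short a = hay[i + j], b = needle[j];
            if (a >= 'A' && a <= 'Z') a += 'a' - 'A';
            if (b >= 'A' && b <= 'Z') b += 'a' - 'A';
            if (a != b) break;
        }
        if (j == nlen) return 1;
    }
    return 0;
}

/* 1 = acceptable, 0 = reject.  Lengths are in UTF-16 code units, i.e.
 * UNICODE_STRING.Length / sizeof(WCHAR): Length is in BYTES, a classic bug. */
int utf16_password_acceptable(const unsigned short *account, size_t alen,
                              const unsigned short *pw, size_t plen)
{
    int upper = 0, lower = 0, digit = 0, other = 0;
    if (plen < MIN_LEN) return 0;
    for (size_t i = 0; i < plen; i++) {
        unsigned short c = pw[i];
        if (c >= 'A' && c <= 'Z') upper = 1;
        else if (c >= 'a' && c <= 'z') lower = 1;
        else if (c >= '0' && c <= '9') digit = 1;
        else other = 1;                   /* punctuation or non-ASCII */
    }
    if (upper + lower + digit + other < 3) return 0;
    if (alen >= 3 && utf16_icontains(pw, plen, account, alen)) return 0;
    return 1;
}

/* Convenience for ASCII callers (tests, stand-alone run). */
static size_t ascii_to_utf16(const char *s, unsigned short *out, size_t cap)
{
    size_t n = 0;
    while (s[n] && n < cap) { out[n] = (unsigned char)s[n]; n++; }
    return n;
}

int ascii_password_acceptable(const char *account, const char *pw)
{
    unsigned short a[64], p[256];
    size_t al = ascii_to_utf16(account, a, 64);
    size_t pl = ascii_to_utf16(pw, p, 256);
    return utf16_password_acceptable(a, al, p, pl);
}

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>   /* UNICODE_STRING, NTSTATUS */

BOOLEAN NTAPI InitializeChangeNotify(void) { return TRUE; }

BOOLEAN NTAPI PasswordFilter(PUNICODE_STRING AccountName, PUNICODE_STRING FullName,
                             PUNICODE_STRING Password, BOOLEAN SetOperation)
{
    (void)FullName; (void)SetOperation;
    return (BOOLEAN)utf16_password_acceptable(
        (const unsigned short *)AccountName->Buffer, AccountName->Length / sizeof(WCHAR),
        (const unsigned short *)Password->Buffer, Password->Length / sizeof(WCHAR));
}

NTSTATUS NTAPI PasswordChangeNotify(PUNICODE_STRING UserName, ULONG RelativeId,
                                    PUNICODE_STRING NewPassword)
{
    /* NewPassword is the cleartext: this is where a sync package hands the
     * (user, password) pair to the other systems.  This runs inside lsass.exe,
     * so never log the cleartext, never block or call out to the network here,
     * and never let a fault escape, or authentication on the DC goes down with
     * it.  Queue the work to a separate service over an encrypted,
     * authenticated channel and return at once. */
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return 0;   /* STATUS_SUCCESS */
}
#else
#include <stdio.h>
int main(void)
{
    const char *samples[] = { "Summer2001", "JDoe-Is-Great1", "Tr0ub4dor&3", "short1A" };
    for (int i = 0; i < 4; i++)
        printf("%-16s %s\n", samples[i],
               ascii_password_acceptable("jdoe", samples[i]) ? "accept" : "reject");
    return 0;
}
#endif
```

On Windows, build it as a DLL exporting the three names undecorated (a .def file on 32-bit builds, where __stdcall decorates names), add the DLL's base name to the Notification Packages value, and reboot the domain controller; the filter then sees every change before the hash is written, which is exactly why the sync hook in PasswordChangeNotify has to be treated as code that handles live credentials.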