Synchronizing Forced Password Changes?

aroobie asks: "I have several different types of servers running at my small office including Windows 2000 Advanced Server, VMS, IRIX, and Linux. My corporate parent wants to force passwords to change every 90 days, which is a good thing, but once a user changes his/her Windows password access to the other servers is denied until I make appropriate changes on the non-Windows servers. Sort of defeats the purpose of changing the password since each users has to give me their new password to make them match on on the servers. Has anyone found a way to synchronize passwords on different systems? Is there software available to do this?"

winbind

[dago]

winbind may be a possible solution : your unix boxes authenticate to the NT domain

Winbind is an nss switch module to map Windows NT Domain databases to Unix.

In combination with Samba and pam_ntdom, a Unix box will be able to integrate straight into a full Windows NT Domain environment, without needing a Unix Account database.

Use of pam modules (pam_smb, pam_ntdom) also works (on pam systems like linux or solaris) very well.

MS utils for synchronizing with other systems

[fluor2]

Microsoft actually made a program that syncs with Novell passwords. (Here). For Unix, use this link for finding more information. Especially this and this.

Re:Password changing is ignorant

[perljon]

Some how, 30 days after you set the password to f$6hq7#, it was compromised. Even though it was a great password, I grabbed the /etc/passwd file and brute forced it, or I sniffed your password when you used telnet instead of ssh, I looked in through a window and a telescope and watched your fingers, I put a keyboard sniffer on your keyboard, I used high-tech equipment to detect the electrical impulses from the key, or I even watched you type it in (after all, it takes a little longer since you are a pecker instead of a typer.) Long story short, I grabbed your password. If you have passwords reset every 90 days, I have only compromised your password for 60 days instead of a year.

The trick is educating your users on how to create good passwords from pass phrases. ie, I like to buy expensive high tech toys becomes IlTbEhTt Now, do some number replacements for for Capital letters, you make the rules, but make your own. I will replace capital I's with 1's and Capital E's with 3's in this example. 1lTb3hTt What we come up with is an easily remembered password because you know the pass phrase and you know the algoryhtm you used to create the password. (took my last sentence, took the first letter, replaced I's with 1's, E's with 3's, o's with 0's.)

pam/nss_ldap from padl.com

[Pointer80]

I'm not too familiar with VMS, but Linux can and IRIX might (not support is mentioned for it) be able to use the pam_ldap/nss_ldap modules from padl.com to authenticate against Active Directory. IIRC, this requires SFU, but I could be wrong. There is a document about it in the tarball for nss_ldap.

Here's some links to Linux/AD integration from padl.com's doc section:

Active Directory and Linux

Linux-AD Integration

Active Directory and nss_ldap

/pointer

MS API for this is documented

[Krelnik]

FWIW, these tools that Microsoft provides (see excellent links in parent message) are actually built on a Windows API that is publicly documented (see "password filter") and they even offer free sample source code.

So if you have some home-grown system you need to sync with, or you just like to roll your own solutions, you can do it. Essentially there is a DLL you load on the server that gets called every time a password is changed. It can then approve or deny the change, but more importantly since it sees the password it can do the sync. This is how the PASSFILT.DLL is implemented as well as the Novell and Unix solutions mentioned in the parent of this post.