New passwd sync option

Daniel Grandjean grandjea at dgrsunm.epfl.ch
Wed Apr 8 12:55:27 GMT 1998


Hello All,

As password synchronisation is a hot topic:

For the winter semester, I plan to put a new password
synchronisation scheme into production.
A main design goal is to lower the number of unencrypted
passwords visible on our net (and to keep it easy to administer).

-I've set up a secured Apache server with SSL

-A cgi-bin perl script
	check the client
	ask for the username / password of the user
	and check it against the NIS+ database,
	and propose the change of the password

As the script gets the password in cleartext, it can
	-check the proposed password validity (dictionary check...)
	-change the NIS+ password
	-change the NIS+ credential
	-change the smbpasswd (on samba NTDOM or NT PDC)
	-change the APOP passwd database
	(any additional synchronisation take place here)
And then give some personalized info/status to the user.

I'm wondering if someone is already using/building something
similar and has some hints about this setup in real life.
It's working on my brute-force prototype (which is not well secured).
-It is also a matter of time, as this is not my first-priority job-

Notes:
It's my choice to have NIS+ as the primary authentication
database. (I am a SUN shop, but Wintel is coming)  :-{
User browsers are using the 128-bit key RC4 cipher (Fortify).
If needed, the weak link between the Apache server and the machines
being synchronized will use SKIP IP encryption. (i.e. Apache <-> NT PDC ?)

Thanks
Daniel.
_
Daniel Grandjean, Swiss Federal Institute of Technology        __  __
Address:     EPFL SI-DGR, CH-1015 Lausanne, Switzerland       |  \/  |
E-mail:      Daniel.Grandjean at epfl.ch                         |o ()o _
Phone:       +41 21 693 27 24   (Central European Time)       |__/\__/
Fax:         +41 21 693 27 27                                 
WWW:         http://dgrwww.epfl.ch                              \__/ 
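The check-then-fan-out logic the post describes (authenticate against the primary database, run the dictionary/policy check, then update NIS+, smbpasswd and APOP and report per-store status to the user), as an added example in Python. This is not Daniel's Perl CGI script; the word list, the in-memory stores and the user name `grandjea` are constructed for the demonstration, and the rule that secondary stores are skipped when the primary change fails is this example's own design choice, not something the post specifies.

```python
# Added example (Python, not the Perl CGI script from the post): the
# check-then-fan-out core of a password synchronisation back end.
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, List

# Constructed stand-in for a real word list (the post's "dictionary check").
WEAK_WORDS = {"password", "secret", "welcome", "letmein", "lausanne", "epfl"}

# A backend takes (username, new_password) and raises on failure.
Backend = Callable[[str, str], None]


def check_password(username: str, password: str, min_len: int = 8) -> List[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems: List[str] = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    lowered = password.lower()
    # Strip leading/trailing digits and punctuation so that "Password1!" is
    # still recognised as the dictionary word "password".
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if lowered in WEAK_WORDS or core in WEAK_WORDS:
        problems.append("based on a dictionary word")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


@dataclass
class SyncReport:
    """What the script renders back to the user (status only, never the password)."""
    accepted: bool
    policy_problems: List[str] = field(default_factory=list)
    results: Dict[str, str] = field(default_factory=dict)


def sync_password(username: str, old_password: str, new_password: str,
                  authenticate: Callable[[str, str], bool],
                  backends: Dict[str, Backend]) -> SyncReport:
    """Authenticate, check policy, then push the change to every backend.

    `backends` is ordered: the first entry is the primary database (NIS+ in
    the post). If the primary change fails, the remaining stores are skipped
    so that secondary stores never get ahead of the primary one.
    """
    if not authenticate(username, old_password):
        return SyncReport(accepted=False,
                          policy_problems=["current password rejected"])
    problems = check_password(username, new_password)
    if problems:
        return SyncReport(accepted=False, policy_problems=problems)

    report = SyncReport(accepted=True)
    primary_ok = True
    for index, (name, backend) in enumerate(backends.items()):
        if not primary_ok:
            report.results[name] = "skipped: primary change failed"
            continue
        try:
            backend(username, new_password)
            report.results[name] = "ok"
        except Exception as exc:  # report a failed store instead of hiding it
            report.results[name] = f"failed: {exc}"
            if index == 0:
                primary_ok = False
    return report


def build_demo() -> tuple:
    """Constructed in-memory stores standing in for NIS+, smbpasswd and APOP."""
    stores = {name: {"grandjea": "Old#pass1"}
              for name in ("nisplus", "smbpasswd", "apop")}

    def authenticate(user: str, password: str) -> bool:
        return stores["nisplus"].get(user) == password

    def writer(store: Dict[str, str]) -> Backend:
        def set_password(user: str, password: str) -> None:
            store[user] = password
        return set_password

    def apop_locked(user: str, password: str) -> None:
        raise RuntimeError("APOP database locked")  # simulated outage

    backends: Dict[str, Backend] = {
        "nisplus": writer(stores["nisplus"]),
        "smbpasswd": writer(stores["smbpasswd"]),
        "apop": apop_locked,
    }
    return authenticate, backends, stores


if __name__ == "__main__":
    authenticate, backends, stores = build_demo()
    print(sync_password("grandjea", "Old#pass1", "Password1!", authenticate, backends))
    print(sync_password("grandjea", "Old#pass1", "Tr0ub4dor&3", authenticate, backends))
    print(stores)
```

Real backends would wrap `nispasswd`, `smbpasswd` and the APOP tool; when doing so, hand the new password to the child process on stdin rather than on its command line, since arguments are visible to every local user through `ps`, and log only the `SyncReport`, never the password itself.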



More information about the samba-ntdom mailing list