New passwd sync option
Daniel Grandjean
grandjea at dgrsunm.epfl.ch
Wed Apr 8 12:55:27 GMT 1998
Hello All,
As password synchronisation is a hot topic: for the winter
semester, I plan to put a new password synchronisation scheme
in production.
A main design goal is to lower the number of unencrypted
passwords visible on our net (and to be easy to administer).
- I've set up a secured Apache server with SSL
- A cgi-bin Perl script:
    check the client
    ask for the username / password of the user
    and check it against the NIS+ database,
    and propose the change of the password
As the script gets the password in cleartext, it can:
- check the proposed password validity (dictionary check...)
- change the NIS+ password
- change the NIS+ credential
- change the smbpasswd (on Samba NTDOM or NT PDC)
- change the APOP passwd database
  (any additional synchronisation takes place here)
And then give some personalized info/status to the user.
I'm wondering if someone is already using/building something
similar and has some hints about this setup in real life.
It's working on my brute force prototype (which is not well secured).
- It's also a matter of time, as this is not my first priority job -
Notes:
It's my choice to have NIS+ as the primary authentication
database. (I am a SUN shop, but Wintel is coming) :-{
User browsers are using a 128-bit key RC4 cipher (Fortify).
If needed, a weak link between the Apache server and a machine
being synchronized will use SKIP IP encryption (i.e. apache <-> NT PDC ?).
Thanks
Daniel.
Daniel Grandjean, Swiss Federal Institute of Technology
Address: EPFL SI-DGR, CH-1015 Lausanne, Switzerland
E-mail: Daniel.Grandjean at epfl.ch
Phone: +41 21 693 27 24 (Central European Time)
Fax: +41 21 693 27 27
WWW: http://dgrwww.epfl.ch
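
The flow described in the message above (authenticate against the primary database, check the proposed password, update the primary, fan out to the other stores, report per-store status), as an added example that is not part of the original post or the author's Perl script. The Backend class is a hypothetical in-memory stand-in, not how NIS+, smbpasswd or APOP actually store passwords; the word list and names are constructed.

```python
import hashlib, hmac, os

DICTIONARY = {"password", "letmein", "lausanne"}   # constructed word list

def check_policy(user, new):
    """Return the reasons a proposed password is rejected (empty list = accepted)."""
    problems = []
    if len(new) < 8:
        problems.append("shorter than 8 characters")
    if new.lower() in DICTIONARY or user.lower() in new.lower():
        problems.append("dictionary word or contains the username")
    return problems

class Backend:
    """Hypothetical in-memory stand-in for one password store."""
    def __init__(self, name, fail=False):
        self.name, self.fail, self.db = name, fail, {}
    def _hash(self, pw, salt):
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)
    def set(self, user, pw):
        if self.fail:                      # simulates an unreachable store
            raise RuntimeError("backend unreachable")
        salt = os.urandom(16)
        self.db[user] = (salt, self._hash(pw, salt))
    def verify(self, user, pw):
        if user not in self.db:
            return False
        salt, digest = self.db[user]
        return hmac.compare_digest(digest, self._hash(pw, salt))

def change_password(primary, others, user, old, new):
    """Authenticate, validate, update the primary, then fan out; return a status dict."""
    if not primary.verify(user, old):
        return {"ok": False, "error": "authentication failed", "backends": {}}
    problems = check_policy(user, new)
    if problems:
        return {"ok": False, "error": "; ".join(problems), "backends": {}}
    primary.set(user, new)   # primary first: if this raises, no store has changed
    status = {primary.name: "changed"}
    for backend in others:
        try:
            backend.set(user, new)
            status[backend.name] = "changed"
        except Exception as exc:   # record and continue; never echo the password
            status[backend.name] = f"FAILED: {exc}"
    return {"ok": all(v == "changed" for v in status.values()),
            "error": None, "backends": status}
```

A store that fails after the primary has changed leaves the account out of sync, so the returned status is what an administrator would use to retry that one store.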