Pluggable Authentication Module for Windows NT

Naomaru ItoiPeter HoneymanCITIUniversity of MichiganAnn Arbor

Problems with NT authentication

• Lack of integrated configuration method in heterogeneous environment

• Lack of single sign-on

• Hard to develop

Implement PAM in NT GINA

Outline of this presentation

• What is GINA?

• Problems with GINA

• What is PAM?

• Design of PAM GINA

• Performance

• Conclusion

PPT Slide

NT Desktops

logged off

screen saver

or lock

logged on

• States managed by WINLOGON

• Transitions invoke GINA for authorization

PPT Slide

GINA

• Graphical Identification and Authentication

• Responsible for user authentication

• Replaceable DLL

• Sample GINA source code provided by Microsoft

• Communicates with authentication systems

The Single Signon Problem

Local

Kerberos

Netware

smartcard

authenticated

services

authentication

systems

Many different

realms of

authentication

MS-GINA

print

mail

NWLogon

PPT Slide

Changes in authentication systems

• New network authentication protocols

• Smartcard

• Biometric identification

PPT Slide

authenticated

services

authentication

systems

Many user

tokens

required

The Problem (II)

Local

Kerberos

Netware

smartcard

MS-GINA

print

mail

NWLogon

Single Sign-On with GINA

• Replace MS-GINA with customized GINA

• Get credentials at logon

• Kerberized GINA, Netware GINA, etc.

Problems with GINA

• Hard to configure
  • Must rewrite and replace GINA to change security policy
  • Misconfiguration or bug in GINA makes NT unbootable
  • Only one GINA in a workstation

• Hard to develop
  • Testing requires reboot
  • Inconvenient to debug

PPT Slide

So … What is PAM?

?

Pluggable Authentication Module

• UNIX authentication middleware

• Flexible, integrated configuration

• Implemented in Linux and Solaris-2

• de facto standard authentication middleware (OSF-DCE RFC 86.0)

PPT Slide

Lots of coding

required

authenticated

services

authentication

systems

UNIX without PAM

password

Kerberos

S/Key

smartcard

login

ftp

telnet

mail

PPT Slide

authenticated

services

authentication

systems

password

smartcard

S/Key

PAM

UNIX with PAM

Kerberos

Configuration

Table

login

ftp

telnet

mail

password

Kerberos

S/Key

smartcard

PAM - Configurable by Service

PAM advantages

• System/security administrator
  • Flexible configuration
  • One configuration table for whole environment
  • Promotes consistent security policy in heterogeneous computing environment

• User
  • Single sign-on

• Developer
  • Debug components independently

PAM GINA

• PAM authentication functionality

• PAM configuration table

• Separate DLLs for GINA, PAM, and authentication system specific modules

NI_PAM Structure

Winlogon

NI_GINA

NI_PAM

NI_KRB4

NI_KRB5

NI_NW

LSA

WlxLoggedOffSAS()

Kerberos4

Kerberos5

Netware4.0

Config table

in Registry

Implementation

• Minimum modification to GINA

• Allan Bjorklund GINA starting point

• Added about 10 lines of code

Current Status

• NI_GINA

• NI_PAM

• NI_KRB4, NI_KRB5
  • Supports MIT MINK and SnapShot-2

• NI_NW
  • Supports Netware-4.0

• Limited support for smartcard

Security Considerations

• NI_PAM component is secure

• Relies on NT security

• One password for all realms is a problem

• Smartcard should play a role

Performance

• PAM is fast

User

Logon

PAM

End

K5

End

K5

Start

PAM

Start

0.77

299

0.09

0.05

(ms)

PAM GINA advantages

• Make system administrator’s life easier
  • One flexible configuration table for all computers in an environment

• Make user’s life easier
  • Single sign-on eliminates many concerns about authentication systems

• Make developer’s life easier
  • Permits development and debugging without rebooting

Questions?

http://www.citi.umich.edu/

GINA related papers

Smartcard related papers

PAM Services Available

• Authentication

Is password correct? Can I get my tokens?

• Account Management

Am I allowed to use this service now?

• Session Management

Accounting, home directory access

• Password Management

Manage password changes

PPT Slide

Winlogon, GINA and LSA

Winlogon

LSA

GINA

Can a user logon?

Local Authentication

Authentication

Systems

Future Direction

• Smartcard

• Transarc NT-AFS support

• Static account / profile support