Naomaru Itoi Peter Honeyman CITI
PAM GINA
Naomaru Itoi, Peter Honeyman, CITI

The Single Signon Problem
- Authenticated services: login, ftp, telnet, klogin
- Authentication systems: Kerberos, SK3, DCE, passwd
- Many different realms of authentication

The Problem (II)
- Authenticated services: login, ftp, telnet, klogin
- Authentication systems: Kerberos, SK3, DCE, passwd
- Many user tokens required

The Problem (III)
- Authenticated services: login, ftp, telnet, klogin
- Authentication systems: Kerberos, SK3, DCE, passwd
- Lots of coding required

Solution: Pluggable Authentication Modules (PAM)
- Authenticated services (login, ftp, telnet, klogin, etc.) call PAM
- PAM dispatches to the authentication systems (Kerberos, SK3, DCE, etc.)

PAM Services Available
- Authentication: Is the password correct? Can I get my tokens?
- Account Management: Am I allowed to use this service now?
- Session Management: Accounting, home directory access
- Password Management: Manage password changes

PAM - Configurable by Service
- Configuration columns: Service, Module, Control, Options
- Entries illustrated on the slide:
  - Service: login, telnet (prefixed with #)
  - Module type: auth, session, account
  - Control: required, sufficient, optional
  - Module: pam_unix.so, pam_dce.so, pam_krb4, pam_skey.so
  - Options: use_unix, nowarn, debug, nocharge

So What About NT?

NT Desktops
- States: logged off (secure), logged on, screen saver or lock
- States are managed by WINLOGON
- Transitions are managed by GINA

GINA: Graphical Identification and Authentication
- Interacts with WINLOGON, manages desktop state transitions
- Establishes state for network providers
- NT SDK includes GINA source code
- Starting point: Allan Bjorklund's GINA

Problems with GINA
- GINA is replaceable ... this is great.
- Only one GINA per workstation
  - Network providers often provide custom GINAs
  - Kerberos-GINA and Netware-GINA cannot be used together on the same workstation
- GINA is hard to develop
  - Workstation hangs if GINA has bugs, forcing a reboot
  - Inconvenient to debug

NI_PAM Components
- NI_GINA.dll: called by WINLOGON; calls ni_authenticate() in NI_PAM. If NI_PAM succeeds, the user logs on.
- NI_PAM.dll: reads configuration tables in the registry and calls the appropriate NP-specific modules
- NI_*.dll: NP-specific (network provider) modules

NI_PAM Structure (call chain)
- Winlogon.exe calls WlxLoggedOffSAS() in NI_GINA.dll
- NI_GINA.dll calls ni_authenticate() in NI_PAM.dll
- NI_PAM.dll reads Config.table and calls ni_sm_authenticate() in the NP modules:
  - NI_KRB4.dll: Kerberos-4
  - NI_KRB5.dll: Kerberos-5
  - NI_NW.dll: Netware
  - NI_SK3.dll: SK3
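As an added illustration of the control semantics on the "Configurable by Service" slide and of the table-driven dispatch NI_PAM performs over its configuration (example code, not the authors' PAM or NI_PAM source): a minimal C model of a PAM-style stack evaluator. The module names come from the slide; the `entry` layout, the verdicts and the function names are constructed assumptions.

```c
#include <string.h>

enum control { REQUIRED, SUFFICIENT, OPTIONAL };

/* One config line. verdict is a constructed stand-in for the result a
 * real module would return after its own authentication exchange. */
struct entry {
    const char *service, *type;   /* e.g. "login", "auth" */
    enum control control;
    const char *module;
    int verdict;                  /* 1 = module succeeded (constructed) */
};

/* Evaluate the stack for one (service, type) pair, top to bottom:
 *  required   - failure fails the stack, but later modules still run;
 *  sufficient - success ends the stack successfully unless a required
 *               module already failed; its failure is ignored;
 *  optional   - ignored unless the stack holds nothing else. */
int pam_run_stack(const struct entry *cfg, size_t n,
                  const char *service, const char *type)
{
    int matched = 0, required_failed = 0, optional_only = 1, opt = 0;
    for (size_t i = 0; i < n; i++) {
        const struct entry *e = &cfg[i];
        if (strcmp(e->service, service) || strcmp(e->type, type))
            continue;
        matched++;
        if (e->control == OPTIONAL) opt = e->verdict; else optional_only = 0;
        if (e->control == REQUIRED && !e->verdict) required_failed = 1;
        if (e->control == SUFFICIENT && e->verdict && !required_failed)
            return 1;                        /* short-circuit success */
    }
    if (!matched) return 0;                  /* unconfigured service: deny */
    return optional_only ? opt : !required_failed;
}

/* Constructed stack built from the modules named on the slide, with
 * assumed outcomes: pam_unix succeeds, the other three fail. */
static const struct entry sample_cfg[] = {
    { "login",  "auth", REQUIRED,   "pam_unix.so", 1 },
    { "login",  "auth", SUFFICIENT, "pam_dce.so",  0 },
    { "login",  "auth", OPTIONAL,   "pam_krb4.so", 0 },
    { "telnet", "auth", REQUIRED,   "pam_skey.so", 0 },
};
#define N_CFG (sizeof sample_cfg / sizeof sample_cfg[0])

int login_auth(void)  { return pam_run_stack(sample_cfg, N_CFG, "login", "auth"); }
int telnet_auth(void) { return pam_run_stack(sample_cfg, N_CFG, "telnet", "auth"); }
```

Real implementations carry richer control values (for instance `requisite`) and per-module error codes, but the ordering rule is the same: a `sufficient` success placed before a failing `required` entry grants access, so entry order is part of the policy.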

Current Status
- NI_GINA: authentication
- NI_PAM: authentication, password
- NI_KRB4, NI_NW: authentication, password
- NI_KRB5: authentication

Results
- Separation between NI_GINA and the other DLLs aids development and debugging
- Modification to NI_GINA is pretty small
- Can test NI_PAM and NP modules without rebooting the machine every time

Future Directions
- Smartcard support
- Password mapping
- Static account / profile support
- Error recovery in changing password

Other CITI Security Projects
- Secure packet vault
- Secure videoconferencing
- Kerberos/JavaCard integration
- Authenticated network connections

Any Questions?
http://www.citi.umich.edu/