jpasswd: A common password change client for Unix and NT
Marty Wise, Jefferson Lab, October 2000


Authentication Environment
- Mix of Unix and NT desktop and server systems
  – Unix login integrated via NIS
  – NT login integrated via NT domain controllers (DCs)
- Various other services use either NIS or NT
- A few others have independent authentication services

Global UIDs for NIS
- When NIS was configured several years ago, we instituted a policy of registering and synchronizing account IDs across all systems.

Other Services using NIS or NT Authentication
- Cisco RAS login (currently NT; NIS available)
- Apache web servers (NIS)
- MS IIS web servers (NT)

Services using Standalone Authentication
- Netscape Calendar Server
- Apache web servers: some applications use local .htpasswd files

Why?
- Reduce helpdesk calls resulting from user confusion over "which password goes where?"
- Improve overall security through better password management
- Enforce password rules

"Catch-22"
- Users could have NIS-only accounts, NT-only accounts, or accounts on both systems.
- NIS-only users could not use RAS, since it was NT driven.
- A "both" user who did not have easy access to an NT system could not change their NT password; password aging on NT eventually locked them out.

Commercial Products
- Commercial products were reviewed and considered initially.
- One product seemed useful, SyNTUnix, but it is now defunct.
- Commercial tools were either too expensive or complex, or did not offer the right features.

Requirements
- Provide a single password change client that updates both the NIS and NT authentication systems.
- Provide mechanisms for enforcing site password selection criteria.
- Provide a mechanism for enforcing site password history policies.
- Provide a means to implement password aging on Unix.

Additional Objectives
- Operation of the site or user environment must not depend on this system.
- Ensure the system is secure, and that security components can be upgraded as technology evolves.
- Develop infrastructure components that can be re-used for other system management applications.
- Build the system so that it can evolve to provide additional user account management features.

Considerations
- Client components must work on Unix and on the Web; agent components must work on Unix and NT.
- Central CUE configuration provides simple management of the application.

Implementation
- Java is used for almost everything
- Small native library
  – JNI for console input (password hiding)
  – JNI for NIS authentication
- Some Perl
  – Agent scripts to interface to NT administration
- Some PHP
  – For some admin tools

Design Overview
- Master Controller
  – Receives, authenticates, validates and queues incoming change requests, and feeds the result back to the requester.
  – Dispatches authenticated "Change Orders" to agent systems.
  – Provides full debug and accountability logging for all changes processed by the system.
- Change Request Clients
  – Issue signed requests for changes to system parameters (e.g. a user's password).
- Agents
  – Accept Change Orders from a Master Controller and modify the host system accordingly.

[Diagram: jpasswd system. The Master Controller comprises the CR Server, the Dispatcher and the MySQL DB; a Web server client and a Web client submit change requests to it, and it issues change orders to a NIS Agent and two NT Agents.]

Master Controller
- A MySQL database is used as a repository for all system data, including logs.
- A server process provides an interface for clients to submit "Change Requests" for action.
- A dispatcher is responsible for issuing "Change Orders" to agent systems distributed throughout our CUE environment.

Database
- MySQL is used.
- The MySQL grants disallow changes from any other node, so MySQL connection authentication only ever takes place on the Master Controller itself.

CR Server
- Multithreaded server allows simultaneous connections from numerous clients, serializes DB accesses and provides a record locking function (via MySQL user locks).
- Authentication, validation, access management, etc. are all currently provided in the CR server.
- When a request is received, it is reviewed for compliance with site policies. Failures are returned to the requester with corrective information.
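The review step above, as an added example that is not jpasswd's code: a Go policy check of the kind the CR server performs, covering the selection criteria, the history check and the Unix password aging that the Requirements slide asks for. The rule values in SitePolicy, the function names and the sample history are this example's assumptions; salted SHA-256 stands in for a proper slow password hash (bcrypt or Argon2) only to keep the example on the standard library.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
	"strings"
	"time"
	"unicode"
)

// Policy holds the site's selection, history and aging rules. The values in SitePolicy
// are this example's assumptions; the slides do not list the site's actual rules.
type Policy struct {
	MinLength    int
	MinClasses   int           // character classes required out of: upper, lower, digit, other
	HistoryDepth int           // previous passwords a new one may not repeat
	MaxAge       time.Duration // aging limit checked by the nightly task
}

func SitePolicy() Policy {
	return Policy{MinLength: 8, MinClasses: 3, HistoryDepth: 5, MaxAge: 90 * 24 * time.Hour}
}

// HistoryEntry is one previously used password: salted and hashed, never kept in clear.
type HistoryEntry struct {
	Salt, Hash []byte
	Set        time.Time
}

// hashPassword is a stdlib stand-in; a deployment would use a slow hash such as bcrypt or Argon2.
func hashPassword(salt []byte, password string) []byte {
	h := sha256.New()
	h.Write(salt)
	h.Write([]byte(password))
	return h.Sum(nil)
}

func NewHistoryEntry(password string, when time.Time) HistoryEntry {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		panic(err)
	}
	return HistoryEntry{Salt: salt, Hash: hashPassword(salt, password), Set: when}
}

// Check reviews a candidate password for user against policy and history. It returns every
// violation at once, worded as the corrective information sent back to the requester.
func (p Policy) Check(user, candidate string, history []HistoryEntry) []string {
	var problems []string
	if len(candidate) < p.MinLength {
		problems = append(problems, fmt.Sprintf("must be at least %d characters", p.MinLength))
	}
	seen := map[string]bool{}
	for _, r := range candidate {
		switch {
		case unicode.IsUpper(r):
			seen["upper"] = true
		case unicode.IsLower(r):
			seen["lower"] = true
		case unicode.IsDigit(r):
			seen["digit"] = true
		default:
			seen["other"] = true
		}
	}
	if len(seen) < p.MinClasses {
		problems = append(problems, fmt.Sprintf("must mix at least %d of: upper case, lower case, digits, other", p.MinClasses))
	}
	if user != "" && strings.Contains(strings.ToLower(candidate), strings.ToLower(user)) {
		problems = append(problems, "must not contain the account name")
	}
	recent := history // only the newest HistoryDepth entries count
	if len(recent) > p.HistoryDepth {
		recent = recent[len(recent)-p.HistoryDepth:]
	}
	for _, e := range recent {
		if subtle.ConstantTimeCompare(hashPassword(e.Salt, candidate), e.Hash) == 1 {
			problems = append(problems, fmt.Sprintf("was used within the last %d changes", p.HistoryDepth))
			break
		}
	}
	return problems
}

// Expired implements the aging check: true when the newest password is older than MaxAge.
func (p Policy) Expired(history []HistoryEntry, now time.Time) bool {
	if len(history) == 0 {
		return true // no record of a change: force one through the new client
	}
	return now.Sub(history[len(history)-1].Set) > p.MaxAge
}

func main() {
	p, t0 := SitePolicy(), time.Date(2000, 7, 1, 0, 0, 0, 0, time.UTC)
	history := []HistoryEntry{NewHistoryEntry("Winter2000!", t0)} // constructed sample history
	fmt.Println(p.Check("mwise", "short", history), p.Expired(history, t0.Add(91*24*time.Hour)))
}
```

Returning every violation at once matters for the helpdesk goal on the "Why?" slide: a user who fails on length and on character mix learns both in one round trip instead of two. The history comparison is done on hashes in constant time so the server never needs the old passwords in clear.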

Change Requests
- Implemented as serialized Java objects
- Sensitive data is encrypted using public-key techniques (no shared secrets)
- The requesting node is not authenticated
- The signing technique is currently a simple password; hooks for certificate-based signing are in place
- Certificate-based signing is not yet appropriate for most client applications because the site PKI is inadequate
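The request format described above, as an added Go example rather than jpasswd's own code: the sensitive fields are serialized (gob standing in for Java serialization) and sealed with RSA-OAEP under the master controller's public key, so no shared secret is needed, and the user's current password rides inside the sealed part as the "simple password" signature that the controller verifies. The field names, the label scheme, the 2048-bit key, and the in-memory authenticator standing in for the NIS JNI call are all assumptions of this example.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/gob"
	"errors"
	"fmt"
)

// ChangeRequest is the serialized object a client submits; only User travels in clear.
type ChangeRequest struct {
	User   string
	Sealed []byte // RSA-OAEP ciphertext of a sensitive value under the controller's public key
}

// sensitive never crosses the wire in clear; CurrentPassword is the slides' "simple password" signature.
type sensitive struct {
	CurrentPassword string
	NewPassword     string
}

// label binds the ciphertext to the named user: a blob moved into another user's request fails to decrypt.
func label(user string) []byte { return []byte("jpasswd-cr:" + user) }

// NewChangeRequest seals the current and new passwords to the controller's public key.
func NewChangeRequest(pub *rsa.PublicKey, user, current, next string) (*ChangeRequest, error) {
	var buf bytes.Buffer
	if err := gob.NewEncoder(&buf).Encode(sensitive{current, next}); err != nil {
		return nil, err
	}
	// Direct OAEP carries at most size-2*hashlen-2 bytes; larger payloads need a wrapped symmetric key.
	if buf.Len() > pub.Size()-2*sha256.Size-2 {
		return nil, errors.New("request too large for direct RSA-OAEP")
	}
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, buf.Bytes(), label(user))
	if err != nil {
		return nil, err
	}
	return &ChangeRequest{User: user, Sealed: ct}, nil
}

// Authenticator verifies a user's current password; on the slides this is the NIS JNI call.
type Authenticator func(user, password string) bool

// Controller is the master controller's side: its private key plus the authenticator.
type Controller struct {
	Priv *rsa.PrivateKey
	Auth Authenticator
}

// Open unseals a request and verifies the requester. All failures return the same error,
// so a requester cannot tell a corrupted blob from a wrong current password.
func (c *Controller) Open(cr *ChangeRequest) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), nil, c.Priv, cr.Sealed, label(cr.User))
	if err != nil {
		return "", errors.New("request rejected")
	}
	var s sensitive
	if gob.NewDecoder(bytes.NewReader(pt)).Decode(&s) != nil || !c.Auth(cr.User, s.CurrentPassword) {
		return "", errors.New("request rejected")
	}
	return s.NewPassword, nil
}

// GenerateControllerKey makes the controller's 2048-bit RSA key pair for the example.
func GenerateControllerKey() *rsa.PrivateKey {
	k, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return k
}

// StaticAuthenticator is a constructed stand-in for NIS: a fixed user -> password table.
func StaticAuthenticator(table map[string]string) Authenticator {
	return func(user, password string) bool {
		want, ok := table[user]
		return ok && subtle.ConstantTimeCompare([]byte(want), []byte(password)) == 1
	}
}

func main() {
	priv := GenerateControllerKey()
	ctl := &Controller{Priv: priv, Auth: StaticAuthenticator(map[string]string{"mwise": "Winter2000!"})}
	cr, _ := NewChangeRequest(&priv.PublicKey, "mwise", "Winter2000!", "Tr0ub4dor&3")
	fmt.Println(ctl.Open(cr))
}
```

Binding the OAEP label to the user name is the check a practitioner would want here: because the requesting node is not authenticated, a captured blob must not be reusable under a different User field. The example does not address replay of an unmodified request; that needs a nonce or timestamp inside the sealed part that the controller records.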

Dispatcher
- The dispatcher currently polls a DB queue for changes that are pending and issues the appropriate orders to the agent systems.

Change Orders
- Flow from the Master Controller to the Agents
- Delivered over a certificate-based session that provides authentication
- Currently 1 CR → 1 CO: the dispatcher issues the same order to all agents, which act on it depending on its content
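The dispatcher and change-order flow on the two slides above, as an added in-memory Go example (not jpasswd's code): one order per request is handed to every agent, each agent decides from the order's content whether it acts, and every (order, agent) outcome is logged for accountability. The order kinds, the agent names and the string statuses are this example's assumptions; the real queue lives in MySQL and is serialized by MySQL locks, while this one is single-threaded.

```go
package main

import (
	"fmt"
	"time"
)

// ChangeOrder is the single order derived from one change request (1 CR -> 1 CO);
// field names are this example's, and every agent receives the same order.
type ChangeOrder struct {
	ID   int
	User string
	Kind string // e.g. "password" or "disable": each agent decides from this whether it acts
}

// Agent is what an agent system implements; acted=false means "not for me", not a failure.
type Agent interface {
	Name() string
	Apply(o ChangeOrder) (acted bool, err error)
}

// Dispatcher holds the queue (a MySQL table on the real system), per-order status, the agents
// and the accountability log. Statuses are "pending", "completed" or "failed".
type Dispatcher struct {
	Agents []Agent
	Queue  []ChangeOrder
	Status map[int]string
	Log    []string // one line per (order, agent): the accountability record the slides require
}

func NewDispatcher(agents ...Agent) *Dispatcher {
	return &Dispatcher{Agents: agents, Status: map[int]string{}}
}

// Enqueue is the CR server's side, called once a request has passed authentication and policy review.
func (d *Dispatcher) Enqueue(user, kind string) int {
	id := len(d.Queue) + 1
	d.Queue = append(d.Queue, ChangeOrder{ID: id, User: user, Kind: kind})
	d.Status[id] = "pending"
	return id
}

// Poll is one polling pass: each pending order goes to every agent and every outcome is logged;
// the order completes only if no agent that acted on it reported an error.
func (d *Dispatcher) Poll() (completed int) {
	for _, o := range d.Queue {
		if d.Status[o.ID] != "pending" {
			continue
		}
		status := "completed"
		for _, a := range d.Agents {
			acted, err := a.Apply(o)
			result := "ignored"
			if err != nil {
				result, status = "error: "+err.Error(), "failed"
			} else if acted {
				result = "applied"
			}
			d.Log = append(d.Log, fmt.Sprintf("%s order=%d user=%s kind=%s agent=%s %s",
				time.Now().UTC().Format(time.RFC3339), o.ID, o.User, o.Kind, a.Name(), result))
		}
		d.Status[o.ID] = status
		if status == "completed" {
			completed++
		}
	}
	return completed
}

// RecordingAgent is a constructed agent: it acts only on the listed kinds and can be made to fail.
type RecordingAgent struct {
	AgentName string
	Kinds     map[string]bool
	Applied   []int
	Fail      bool
}

func (r *RecordingAgent) Name() string { return r.AgentName }

func (r *RecordingAgent) Apply(o ChangeOrder) (bool, error) {
	if !r.Kinds[o.Kind] {
		return false, nil
	}
	if r.Fail {
		return true, fmt.Errorf("%s unavailable", r.AgentName)
	}
	r.Applied = append(r.Applied, o.ID)
	return true, nil
}

func main() {
	nis := &RecordingAgent{AgentName: "nis-agent", Kinds: map[string]bool{"password": true}}
	nt := &RecordingAgent{AgentName: "nt-agent", Kinds: map[string]bool{"password": true, "disable": true}}
	d := NewDispatcher(nis, nt)
	d.Enqueue("mwise", "password")
	d.Enqueue("mwise", "disable")
	fmt.Println("completed:", d.Poll(), "log:", d.Log)
}
```

The failure case is the one worth noticing: when the NT agent is down, the NIS agent has already applied the order, so the two systems are out of step until the order is retried. A deployment with redundant agents, as the Agents slide allows, would try the other agent of that class before marking the order failed.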

Web Server
- An Apache web server is provided on the MC (running SSL and authenticating users against NIS).
- Provides a "low budget" management interface until Change-Request-based tools are available.
- Runs a series of PHP scripts to view the database, modify configuration parameters, etc.

Miscellaneous Processes
- Various "cron" tasks run on the Master Controller
  – Nightly audit task: not implemented yet
  – Password aging check: not yet implemented

Clients
- Unix command line client operates very much like the traditional "passwd" command
- Web server client
  – Based on a Java servlet
  – Apache SSL web server
  – Form-based interface
- The same underlying code is used for both clients
- An "admin" mode is available for both that allows CC staff members to modify others' passwords

Old (original) Clients
- The original password change clients for both NT and Unix are disabled; this forces all changes through the new system
- Unix yppasswdd has been shut down
- NT user accounts are inhibited from changing their own passwords

Agents
- An agent provides an interface to modify the configuration of services running on a given system.
- Currently, 2 agents are needed:
  – Unix agent (to update NIS)
  – NT agent (to update NT DCs)
- The system allows for redundant agents

Current Status
- System implemented and online for ~2 months: nearly 600 password changes processed.
- Minor finishing up to be done at this point.
- Beginning to transition to development of user account management tools.

User Account Management Tools
- An effort is developing to provide additional account management functions:
  – User enable/disable
  – Add / delete / deactivate user
  – Unix / NT group management
  – Fully automated account request / creation
  – Filesystem quota management

Conclusions
- Development was lengthened by the learning curve associated with the security components.
- The tool has proven quite useful.
- Help desk calls are expected to decline.
- People hate the password rules. I suspect they had not been following them previously.