Presentation is loading. Please wait.

Presentation is loading. Please wait.

Naomaru Itoi Peter Honeyman CITI

Published byScarlett Hicks Modified over 6 years ago

Similar presentations

Presentation on theme: "Naomaru Itoi Peter Honeyman CITI"— Presentation transcript:

1 Naomaru Itoi Peter Honeyman CITI
PAM GINA Naomaru Itoi Peter Honeyman CITI

2 The Single Signon Problem
login ftp telnet klogin Kerberos SK3 DCE passwd Many different realms of authentication authenticated services authentication systems

3 The Problem (II) login ftp telnet klogin Kerberos SK3 DCE passwd
Many user tokens required authenticated services authentication systems

4 The Problem (III) login ftp telnet klogin Kerberos SK3 DCE passwd
Lots of coding required authenticated services authentication systems

5 Solution: Pluggable Authentication Modules
PAM login ftp telnet klogin Kerberos SK3 DCE etc. etc. Kerberos SK3 DCE authenticated services authentication systems

6 PAM Services Available
Authentication Is password correct? Can I get my tokens? Account Management Am I allowed to use this service now? Session Management Accounting, home directory access Password Management Manage password changes

7 PAM - Configurable by Service
Module Control Options login auth required pam_unix.so sufficient pam_dce.so use_unix optional pam_krb4 session account nowarn # telnet pam_skey.so debug nocharge

8 So What About NT? ?

9 NT Desktops States managed by WINLOGON Transitions managed by GINA
logged off (secure) logged on screen saver or lock States managed by WINLOGON Transitions managed by GINA

10 GINA Graphical Identification and Authentication
Interacts with WINLOGON, manages desktop state transitions Establishes state for network providers NT SDK includes GINA source code Allan Bjorklund GINA starting point

11 Problems with GINA GINA is replaceable … this is great.
Only one GINA in a workstation Network providers often provide custom GINAs Kerberos-GINA and Netware-GINA cannot be used together in the workstation GINA is hard to develop Workstation hangs if GINA has bugs, forcing reboot Inconvenient to debug

12 NI_PAM Components NI_PAM.dll NI_*.dll NI_GINA.dll
Called by WINLOGON. Calls ni_authenticate() in NI_PAM. If NI_PAM succeeds, the user logs on. NI_PAM.dll Reads configuration tables in registry, calls appropriate NP specific modules NI_*.dll NP specific modules

13 NI_PAM Structure Winlogon.exe WlxLoggedOffSAS() NI_GINA.dll
ni_authenticate() Config.table NI_PAM.dll ni_sm_authenticate() NI_KRB4.dll NI_KRB5.dll NI_NW.dll NI_SK3.dll Kerberos-4 Kerberos-5 Netware SK3

14 Current Status NI_GINA authentication NI_PAM authentication, password
NI_KRB4, NI_NW authentication, password NI_KRB5 authentication

15 Results Separation between NI_GINA and other DLLs aids development, debugging Modification in NI_GINA is pretty small Can test NI_PAM and NP modules without rebooting machine every time

16 Future Directions Smartcard support Password mapping
Static account / profile support Error recovery in changing password

17 Other CITI Security Projects
Secure packet vault Secure videoconferencing Kerberos/JavaCard integration Authenticated network connections

18 Any Questions?

Download ppt "Naomaru Itoi Peter Honeyman CITI"

Similar presentations

Microsoft Windows NT Embedded 4.0

Microsoft Windows NT Embedded 4.0
Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.

Open-source Single Sign-On with CAS (Central Authentication Service) Pascal Aubry, Vincent Mathieu & Julien Marchal Copyright © 2004 – ESUP-Portail consortium.
FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.

FIspace Security Components FIspace Security Components NetFutures 2015 FIspace project Javier Romero Negrín Javier Hitado Simarro ATOS Serdar Arslan KoçSistem.
Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.

Module 6: Configuring Windows XP Professional to Operate in a Microsoft Network.
Strong Authentication Project CD/DCD/Computer Security Team Fermi National Accelerator Laboratory Mark Kaletka Matt Crawford.

Strong Authentication Project CD/DCD/Computer Security Team Fermi National Accelerator Laboratory Mark Kaletka Matt Crawford.
1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.

1 Lecture 12: Kerberos terms and configuration phases –logging to network –accessing remote server replicated KDC multiple realms message privacy and integrity.
MCDST 70-271: Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 4: Troubleshoot System Startup and User Logon Problems.

MCDST : Supporting Users and Troubleshooting a Microsoft Windows XP Operating System Chapter 4: Troubleshoot System Startup and User Logon Problems.
Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.

Information Networking Security and Assurance Lab National Chung Cheng University 1 Top Vulnerabilities in Web Applications (I) Unvalidated Input:  Information.
11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.

11 SUPPORTING LOCAL USERS AND GROUPS Chapter 3. Chapter 3: Supporting Local Users and Groups2 SUPPORTING LOCAL USERS AND GROUPS  Explain the difference.
(Remote Access Security) AAA. 2 Authentication User named flannery dials into an access server that is configured with CHAP. The access server will.

(Remote Access Security) AAA. 2 Authentication User named "flannery" dials into an access server that is configured with CHAP. The access server will.
Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.

Report Distribution Report Distribution in PeopleTools 8.4 Doug Ostler & Eric Knapp 7264.
Understanding Networks I. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.

Understanding Networks I. Objectives Compare client and network operating systems Learn about local area network technologies, including Ethernet, Token.
Kerberos Presented By: Pratima Vijayakumar Rafi Qureshi Vinay Gaonkar CS 616 Course Instructor: Dr. Charles Tappert.

Kerberos Presented By: Pratima Vijayakumar Rafi Qureshi Vinay Gaonkar CS 616 Course Instructor: Dr. Charles Tappert.
Module 2: Planning to Install SQL Server. Overview Hardware Installation Considerations SQL Server 2000 Editions Software Installation Considerations.

Module 2: Planning to Install SQL Server. Overview Hardware Installation Considerations SQL Server 2000 Editions Software Installation Considerations.
Setting up Email in Outlook Express. Select “Tools” from the toolbar menu.

Setting up in Outlook Express. Select “Tools” from the toolbar menu.
1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.

1 Chapter Overview Creating User and Computer Objects Maintaining User Accounts Creating User Profiles.
Getting Connected to NGS while on the Road… Donna V. Shaw, NGS Convocation.

Getting Connected to NGS while on the Road… Donna V. Shaw, NGS Convocation.
Module 2: Managing User and Computer Accounts

Module 2: Managing User and Computer Accounts
Ch 11 Managing System Reliability and Availability 1.

Ch 11 Managing System Reliability and Availability 1.
Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.

Ins and Outs of Authenticating Users Requests to IIS 6.0 and ASP.NET Chris Adams Program Manager IIS Product Unit Microsoft Corporation.

Similar presentations

Ads by Google