Synchronizing Forced Password Changes? 51
aroobie asks: "I have several different types of servers running at my small office including Windows 2000 Advanced Server, VMS, IRIX, and Linux. My corporate parent wants to force passwords to change every 90 days, which is a good thing, but once a user changes his/her Windows password access to the other servers is denied until I make appropriate changes on the non-Windows servers. Sort of defeats the purpose of changing the password since each users has to give me their new password to make them match on on the servers. Has anyone found a way to synchronize passwords on different systems? Is there software available to do this?"
winbind (Score:5, Informative)
Winbind is an nss switch module to map Windows NT Domain databases to Unix.
In combination with Samba and pam_ntdom, a Unix box will be able to integrate straight into a full Windows NT Domain environment, without needing a Unix Account database.
Use of pam modules (pam_smb, pam_ntdom) also works (on pam systems like linux or solaris) very well.
what a silly question? (Score:1, Flamebait)
Don't be so uppity... (Score:2, Funny)
I'm sure they know of ldap, kerberos, blah, blah, blah... but which should they use? What do their peers think? What have their peers experienced?
Nothing like Unix geeks. We bitch at all the horrible sys admins (mostly Windows, of course ;^), then we redicule them when they ask for our help.
not so simple (Score:2, Insightful)
It works like this: the program asks for you password, which it then validates/authenicates
with the yppasswordd if approved (this means that the string just typed is indeed the one and only true password) it asks a windowsNT box to associate know username to new password.
Don't know if this could also be done in reverse however. Platform independant accounts would be a great plus. Anyone else having a idear?
MS utils for synchronizing with other systems (Score:5, Informative)
Re:MS utils for synchronizing with other systems (Score:2)
The emphasis on "Telnet" is mine.
I have to say that I am hesitant to use any security product whose instructions include the word "telnet" without preceding it with the words "do not use."
-Peter
MS API for this is documented (Score:5, Informative)
So if you have some home-grown system you need to sync with, or you just like to roll your own solutions, you can do it. Essentially there is a DLL you load on the server that gets called every time a password is changed. It can then approve or deny the change, but more importantly since it sees the password it can do the sync. This is how the PASSFILT.DLL [microsoft.com] is implemented as well as the Novell and Unix solutions mentioned in the parent of this post.
A Quick Dirty Solution (Score:4, Interesting)
Then, take their new password and set it in each system using perl (I'm sure it either has a library for each system you are talking about or you can drop out to a shell from perl to change passwords via the Unix shell.)
The hard part about using one system to change all passwords, ie, having all passwords set from you Windows Box or from your Unix shell is that without special software, each system does a pretty good job making sure you don't know what the password is by using several schemes to hide and encrypt it (that's important...). By forcing everyone to change it in one place, you avoid having to buy the propietary libraries which notify a central system of a password change.
If that sounds too complex, get ahold of me, and I'll be happy to help more for a small fee or some barter.
ummm... (Score:2, Flamebait)
its not a stupid ask slashdot question... (Score:2)
LDAP (Score:1, Informative)
Re:LDAP (Score:2, Informative)
Linux, Lotus, MS, Nortel products all happy, as well as internal apps too.
Re:LDAP (Score:2)
> Works good here. Novell's eDirectory has a pwdsyunc module available to sync info/passwords with Active Directory too.
Novell has got more than just one product that can fit this bill - DirXML [novell.com] can synchronize passwords (along with IDs, groups, etc) between eDirectory and NT domains or Active Directory with the Password Sync module (all three pieces now come free with Zen for Desktops 4, BTW), Novell Account Management [novell.com] can synchronize to Mainframe and Unix platforms as well as Windows, not to mention the whole single-signon/Secure Login [novell.com] family of products.
The difference between the various products is partially focus (identity management versus password synch), and partially the choice of authoritative sources (DirXML is VERY flexible).
another vote for ldap (Score:1)
VMS...I don't know.
Re:Different Solution (Score:2)
1) Not cheap
2) Pain in the ass for tech support. There are enough steps that must occur in the correct order that often times people will screw them up and have to call your IT support group
Password changing is ignorant (Score:4, Insightful)
On the other hand, you could educate employees on the benefits of secure passwords, tell them that as long as the pick a secure password, never share it, and never write it down, they can keep it. Yeah, some people will break the rules - but they'll have insecure passwords under any circumstances. But the folks who actually try will end up more secure.
After all... as long as I protect its use and don't share it or record it, f$6hq7# is as secure in a year as it was the day I defined it.
Re:Password changing is ignorant (Score:1, Offtopic)
Not anymore
Re:Password changing is ignorant (Score:4, Interesting)
Me: I need a password reset
Drone: Fine, whats your name and secure PIN?
Me: John Doe, username ******, pin no ****
Drone: hang on...that doesnt appear to be correct, are you sure thats the PIN?
Me: Yes, I've been using that PIN for years[1]
Drone: ok, I'll reset your PIN to ****[2]
Me: thanks, can you reset my password then?
Drone: sure...your password is now ******. thanks for calling
*click*[3]
[1] herein being the first flaw in the security system. The passwords dont change, but if you can guess the PIN you can get it reset (and its only 4 digits)
[2] and here's the doozy. I could have been anyone, and now I have got the PIN reset. Internal security tried to get hold of me when I mentioned this incident on a company newsgroup, presumably to sack the person that reset my PIN.
[3] Mission accomplished, identity stolen. At this point I considered calling back claiming to be our venerable CEO.
Re:Password changing is ignorant (Score:5, Insightful)
The trick is educating your users on how to create good passwords from pass phrases. ie, I like to buy expensive high tech toys becomes IlTbEhTt Now, do some number replacements for for Capital letters, you make the rules, but make your own. I will replace capital I's with 1's and Capital E's with 3's in this example. 1lTb3hTt What we come up with is an easily remembered password because you know the pass phrase and you know the algoryhtm you used to create the password. (took my last sentence, took the first letter, replaced I's with 1's, E's with 3's, o's with 0's.)
Re:Password changing is ignorant (Score:1)
You purpose all of these difficult measures in compromising it: brute force, sniffing, spying. If you were capable of doing it once, why can't you do it again? And if you are truly l33t you would have a backdoor, so that changing my password wouldn't lock you out.
Now go back to what the original poster was talking about. Frequent password changes make users choose simple passwords and/or write them down. I have seen this in practice too many times to count. So now you don't need to brute force my password, just look for a sticky note or run a dictionary attack. This gets worse as I visit 10 sites a day that want a password from me; how can I remember them all?
Re:Password changing is ignorant (Score:2, Insightful)
Also, at each layer you introduce stuff like encryption, good physical security, regular auditing, etc. etc. etc. With each layer, you pay a little more money, at least in administration costs and complexity.
To my point, is changing your password every 90 days going to fix all security problems? No... However, it is a cheaper solution to implement than it is to crack, so it's a no brainer to implement the policy.
But I agree, if you don't do good in other arenas, there is little hope. In a secure environment, regular audits are done. Hopefully, backdoors and open telnet ports are found and fixed. Then when the password is changed or the patch is applied that doesn't allow a cracker to use an exploit to gain the passwd file, you've effectively locked out the cracker.
It's not the end-all be-all security solution, but combined with other security techniques it is affective for a small cost.
Re:Password changing is ignorant (Score:1)
Consider this - I brute force your password, and there are 5 days left before your 30 day password reset. I slap in some custom sneaky aliases for your default shell that look exactly like the password changing utility, and in fact change your password - but lo and behold, it also a> logs it to a file I can read, b> emails it to me, c> insert_random_too_late_you're_already_screwed_act
good thing you reset your password, I almost got in!
* [obviously using the same password everywhere for years sucks because you'll mistype it somewhere in an IRC channel or the wrong window or in front of someone at SOME point, and then it really should be changed - if it's a strong password, it'll be obvious that it's not just a "wrong window" IM/chat reply]
Re:Password changing is ignorant (Score:1)
So you agree that password aging is a good idea. I'm glad we could come togethor on this.
Re:Password changing is ignorant (Score:1)
Re:Password changing is ignorant (Score:2)
If I was writing a password cracker, the first thing I'd have it do is try substituting "3" for "E", etc.
Yet people always have this smug feeling that "warezifying" their password (where the original is often common English) has just made it unbreakably secure. Oh, or tacking a "1" on the end of it.
More importantly, if you're working with non-shadowed passwords and can glean *any* passwords from
Re:Password changing is ignorant (Score:1)
I agree with you that replacing numbers for letters does nothing to make the password any more secure if it is based off a dictionary word. ie, turning password into p@ssw0rd doesn't really help that much.
However, starting with the pass phrase "I like to pick very difficult passwords to crack", you get IlTpVdPtC which will never be in a dictionary. However, brute forcing this will take a lot longer if you say "1lTp7dP2C". Also, the key is to develope your own rules, but are easy to remember. For example, substituting numbers for entire words. "I am happy because I have a Full Life" "IaHbIhAfL" becomes "Ia3bIhA24L" because your personally defined system 3 equals happy because you have 3 kids and 24 is full because that's how many hours are in the day. It doesn't matter what your systems is as long as it is only stored in your head, it is easy to create passwords and to remember passwords with, and it makes the password especially difficult to a) guess b) crack with a dictionary c) brute force be trying every combination of letters, capital letters, and numbers.
Re:Password changing is ignorant (Score:2)
This is a very long password, that is easy to remember and almost impossible to brute force, because it is too long and contains 200 characters, so you can just eat shit stupid fuckhead administrator!
You could even change it a bit, and make it provokative:
My password is a very long password, that is easy to remember and almost impossible to brute force, because it is too long and contains 201 characters, so you can just eat shit stupid fuckhead bastard!
It's always fun to recite that password to anyone who asks
Okay, so it's not the easiest password to enter, but it's rather effective, and (I would almost bet) it is impossible to bruteforce it with a simple keygen
related : Lucent's secstore / factotum (Score:3, Informative)
here [bell-labs.com]
or
[pdf]
Re:related : Lucent's secstore / factotum oops (Score:2)
LDAP, of course. (Score:4, Informative)
mod parent to 5 (Score:2)
Re:LDAP, of course. (Score:1)
That's why I like Ask Slashdot over the "Ask Google" answers. You get people's experiences about what works and doesn't. You also get completely different solutions presented which might not have been so obvious during a Google search.
Of course
Re:LDAP, of course. (Score:1)
Retarded (Score:1, Funny)
I think tommorrow I might ask slashdot "how sambah wurks".
Ignore me. I am the most overworked person in IT today.
pam/nss_ldap from padl.com (Score:5, Informative)
Here's some links to Linux/AD integration from padl.com's doc section:
Active Directory and Linux [securityfocus.com]
Linux-AD Integration [ratisle.net]
Active Directory and nss_ldap [www.hut.fi]
Re:pam/nss_ldap from padl.com (Score:2)
SFU works the opposite way, I think; it'll rexec or something over to your unix boxen and change the passwords. Or, I think, there's a daemon you can run on the UNIX boxen that the NT box'll call up and use that to change the password; safer than rexec.
How are they accessing the unix/vms servers? (Score:2)
Synchronized passwords? (Score:1)
Obvious Solution (Score:1)
Yeah - it's stupid, but unless the system has some ongoing authentication checking, it'll allow it. Since you need to change all the passwords at once anyway, it's not like it's "extra work" on the whole.
Yeah - there's also a better solution, but if management wants to go this route, let 'em - and show them statistics on how weak the resulting passwords are (bonus points if the passwords were stronger before)
dictionary attacks (with minor mutations) should always fail on a password, unless you're username is luser.
...other options (Score:2)
It only seems logical that smart-cards or java-enabled i-buttons... or whatever could provide improved security when combined with a password. I'm no cryptography expert, but it seems like a password or password hash doesn't have much more than 25 bits of real security.
Is it just hardware that keeps this from taking off?
Is there any support for password/smart card authentication systems in Linux?