PAM GINA - PowerPoint PPT Presentation


Slides: 19
Provided by: PETERHO3

Transcript and Presenter's Notes

1
PAM GINA
  • Naomaru Itoi
  • Peter Honeyman
  • CITI

2
The Single Signon Problem
[Diagram: authenticated services (login, ftp, telnet, klogin) each wired
directly to authentication systems (Kerberos, SK3, DCE, passwd)]
Many different realms of authentication
3
The Problem (II)
[Diagram: the same authenticated services and authentication systems]
Many user tokens required
4
The Problem (III)
[Diagram: the same authenticated services and authentication systems]
Lots of coding required
5
Solution: Pluggable Authentication Modules
[Diagram: authenticated services (login, ftp, telnet, klogin, etc.) call
PAM; PAM dispatches to authentication systems (Kerberos, SK3, DCE, etc.)]
6
PAM Services Available
  • Authentication
    • Is password correct? Can I get my tokens?
  • Account Management
    • Am I allowed to use this service now?
  • Session Management
    • Accounting, home directory access
  • Password Management
    • Manage password changes

7
PAM - Configurable by Service
8
So What About NT?
?
9
NT Desktops
[State diagram: logged off (secure), screen saver or lock, logged on]
  • States managed by WINLOGON
  • Transitions managed by GINA

10
GINA
  • Graphical Identification and Authentication
  • Interacts with WINLOGON, manages desktop state
    transitions
  • Establishes state for network providers
  • NT SDK includes GINA source code
  • Allan Bjorklund GINA starting point

11
Problems with GINA
  • GINA is replaceable: this is great.
  • Only one GINA in a workstation
    • Network providers often provide custom GINAs
    • Kerberos-GINA and Netware-GINA cannot be used
      together in the workstation
  • GINA is hard to develop
    • Workstation hangs if GINA has bugs, forcing
      reboot
    • Inconvenient to debug

12
NI_PAM Components
  • NI_GINA.dll
    • Called by WINLOGON. Calls ni_authenticate() in
      NI_PAM. If NI_PAM succeeds, the user logs on.
  • NI_PAM.dll
    • Reads configuration tables in registry, calls
      appropriate NP specific modules
  • NI_.dll
    • NP specific modules

13
NI_PAM Structure
[Diagram: Winlogon.exe calls WlxLoggedOffSAS() in NI_GINA.dll;
NI_GINA.dll calls ni_authenticate() in NI_PAM.dll; NI_PAM.dll reads
Config.table and calls ni_sm_authenticate() in the NP specific modules
NI_KRB4.dll, NI_KRB5.dll, NI_NW.dll and NI_SK3.dll, which talk to
Kerberos-4, Kerberos-5, Netware and SK3 respectively]
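The dispatch path on slides 12 and 13 (and the per-service configuration of slides 6 and 7) can be modelled in a few dozen lines. The block below is an added example and not code from the CITI project: the NP modules, their fixed credentials, the contents of the configuration table and the "required"/"sufficient" stacking rule are all constructed for illustration; the real NI_PAM reads its tables from the registry and loads the modules as DLLs.

```c
/* Added example (not code from the CITI presentation): a minimal model of
 * the NI_PAM dispatch.  NI_GINA calls ni_authenticate(); NI_PAM looks the
 * service up in a configuration table (a static array here, a registry
 * table in the real NI_PAM) and calls ni_sm_authenticate() in each
 * network-provider (NP) module on the service's stack. */
#include <stdio.h>
#include <string.h>

#define NI_SUCCESS   0
#define NI_AUTH_ERR  1
#define NI_NO_MODULE 2

/* Stacking control for one entry of a service's module list.
 * Assumption: modelled on the classic PAM control flags. */
enum ni_control { NI_REQUIRED, NI_SUFFICIENT };

/* One NP-specific module.  The real ones are DLLs (NI_KRB5.dll, ...) that
 * export ni_sm_authenticate(); a function pointer stands in for the export. */
struct ni_module {
    const char *name;
    int (*ni_sm_authenticate)(const char *user, const char *password);
};

/* Stand-in NP modules with fixed, constructed credentials. */
static int krb5_sm_authenticate(const char *user, const char *password) {
    return (strcmp(user, "alice") == 0 && strcmp(password, "krb5-secret") == 0)
           ? NI_SUCCESS : NI_AUTH_ERR;
}
static int nw_sm_authenticate(const char *user, const char *password) {
    return (strcmp(user, "alice") == 0 && strcmp(password, "nw-secret") == 0)
           ? NI_SUCCESS : NI_AUTH_ERR;
}
static int sk3_sm_authenticate(const char *user, const char *password) {
    (void)user; (void)password;
    return NI_AUTH_ERR;   /* module is present but this backend never accepts */
}

static const struct ni_module ni_modules[] = {
    { "NI_KRB5", krb5_sm_authenticate },
    { "NI_NW",   nw_sm_authenticate },
    { "NI_SK3",  sk3_sm_authenticate },
};

/* Config table: service -> ordered module stack (stands in for the registry
 * tables NI_PAM reads).  Contents are constructed. */
struct ni_config_entry { enum ni_control control; const char *module; };
struct ni_config { const char *service; struct ni_config_entry stack[4]; int count; };

static const struct ni_config ni_config_table[] = {
    /* logon: either Kerberos-5 or Netware on its own is enough */
    { "logon", { { NI_SUFFICIENT, "NI_KRB5" }, { NI_SUFFICIENT, "NI_NW" } }, 2 },
    /* admin: Kerberos-5 is mandatory and SK3 must also pass */
    { "admin", { { NI_REQUIRED, "NI_KRB5" }, { NI_REQUIRED, "NI_SK3" } }, 2 },
};

static const struct ni_module *ni_find_module(const char *name) {
    for (size_t i = 0; i < sizeof ni_modules / sizeof ni_modules[0]; i++)
        if (strcmp(ni_modules[i].name, name) == 0) return &ni_modules[i];
    return NULL;
}

/* Entry point NI_GINA would call.  Walks the service's stack in order: a
 * failing "required" module fails the whole stack (later modules still run,
 * as in classic PAM, so the caller cannot tell which one failed); a
 * succeeding "sufficient" module ends the walk with success unless an
 * earlier required module failed.  Unknown services or modules fail closed. */
int ni_authenticate(const char *service, const char *user, const char *password) {
    const struct ni_config *cfg = NULL;
    for (size_t i = 0; i < sizeof ni_config_table / sizeof ni_config_table[0]; i++)
        if (strcmp(ni_config_table[i].service, service) == 0) cfg = &ni_config_table[i];
    if (cfg == NULL || cfg->count == 0) return NI_NO_MODULE;

    int required_failed = 0, any_ok = 0;
    for (int i = 0; i < cfg->count; i++) {
        const struct ni_module *m = ni_find_module(cfg->stack[i].module);
        if (m == NULL) return NI_NO_MODULE;   /* misconfigured stack: fail closed */
        int rc = m->ni_sm_authenticate(user, password);
        if (rc == NI_SUCCESS) any_ok = 1;
        if (cfg->stack[i].control == NI_REQUIRED) {
            if (rc != NI_SUCCESS) required_failed = 1;
        } else if (rc == NI_SUCCESS && !required_failed) {
            return NI_SUCCESS;                /* sufficient module satisfied the stack */
        }
    }
    /* All-sufficient stacks where every module failed also end up here. */
    return (required_failed || !any_ok) ? NI_AUTH_ERR : NI_SUCCESS;
}

int main(void) {
    printf("logon alice/nw-secret   -> %d\n", ni_authenticate("logon", "alice", "nw-secret"));
    printf("admin alice/krb5-secret -> %d\n", ni_authenticate("admin", "alice", "krb5-secret"));
    printf("ftp   alice/krb5-secret -> %d\n", ni_authenticate("ftp", "alice", "krb5-secret"));
    return 0;
}
```

Because the NP modules and the table sit behind ni_authenticate(), a new backend or a changed policy is a table edit plus a new module, and both can be exercised from a plain test harness without touching the GINA that WINLOGON loads, which is exactly the separation slide 15 credits for easier debugging.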
14
Current Status
  • NI_GINA: authentication
  • NI_PAM: authentication, password
  • NI_KRB4, NI_NW: authentication, password
  • NI_KRB5: authentication

15
Results
  • Separation between NI_GINA and other DLLs aids
    development, debugging
  • Modification in NI_GINA is pretty small
  • Can test NI_PAM and NP modules without rebooting
    machine every time

16
Future Directions
  • Smartcard support
  • Password mapping
  • Static account / profile support
  • Error recovery in changing password

17
Other CITI Security Projects
  • Secure packet vault
  • Secure videoconferencing
  • Kerberos/JavaCard integration
  • Authenticated network connections

18
Any Questions?
http://www.citi.umich.edu/