Dynamic Configuration of Windows NT Login
NI_PAM
Developing and configuring login software for Windows NT is always a hard
problem because part of that software is embedded in the Windows NT
operating system. At the same time, login software must be easy to develop
and configure, because security technology is growing and changing rapidly.
We attack this problem with greater modularity. Our project is called
NI_PAM, after the UNIX Pluggable Authentication Module (PAM).
1. Our Goal
- Single-Sign-On
We want to log in to many computing resources (e.g. the local computer,
the Netware network, Kerberos tickets) without typing a password more
than once.
- Easy Development
Network Providers (e.g. Netware, Kerberos) are developed rapidly.
A new Network Provider requires modifying the Windows NT login software,
but we do not want to rewrite all of that software whenever a Network
Provider changes.
- Easy Configuration
In addition to the frequent change of Network Providers, change and
variety in administration policy (e.g. Kerberos 4 is the master Network
Provider in CANE, while Netware is the one in the Medical School) require
frequent changes to the configuration. We do not want to recompile the
software every time the policy changes.
2. Our Way
Our basic policy is to divide the login software (GINA) into several
independent modules and control them with a configuration file. NI_PAM
contains the following modules:
- NI_PAM: the central part, which implements PAM in Windows NT.
NI_PAM reads a configuration table that specifies its behavior.
- NI_GINA: a GINA that works with NI_PAM. NI_GINA replaces the
Microsoft GINA.
- NP-specific modules: one module per supported network provider.
Kerberos 4, Kerberos 5, Netware, and Smart Card (CyberFlex JavaCard)
authentication modules are examples of the Network Providers we support.
All modules are implemented as independent DLLs. Since each module is
developed independently of the others, the development cost of a
Windows NT logon application is greatly reduced.
3. Future Direction
We are investigating a way to use different passwords for different
network providers while preserving the single-sign-on property. We would
implement it with password mapping, i.e. one master Network Provider
(probably Kerberos) holds all the other NPs' passwords or keys.
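The following is an added example, not NI_PAM's own code, showing the two ideas above in miniature: a configuration table that drives a stack of independent provider modules (section 2), and a master provider that maps the one typed password onto the other providers' passwords (section 3). The module names, the credential tables, the configuration text and the option keywords "master" and "use_mapped" are all constructed for this illustration; the control flags follow the UNIX PAM convention (required, requisite, sufficient, optional).

```python
"""PAM-style, configuration-driven login stack.

Added illustration of the module layout described above; this is NOT
NI_PAM's code.  Provider tables, module names, config text and the option
keywords "master" / "use_mapped" are constructed for the example.
"""
from typing import Callable, Dict, List, Tuple

# Constructed stand-ins for network providers: user -> secret.  A real
# provider would contact a KDC, a NetWare server or a smart card instead.
KERBEROS4_DB = {"alice": "k4-secret"}
NETWARE_DB = {"alice": "nw-secret"}      # NetWare password differs from K4
LOCAL_DB = {"alice": "k4-secret"}        # local account shares the K4 password

# Password mapping (section 3): the master provider holds the other
# providers' passwords, so the user still types only one.
MASTER_KEYMAP = {"alice": {"netware": "nw-secret"}}

AuthFn = Callable[[str, str], bool]


def table_auth(db: Dict[str, str]) -> AuthFn:
    """Build a provider module that verifies against a constructed table."""
    return lambda user, password: db.get(user) == password


# Registry standing in for the independently built provider DLLs: a new
# provider is one new entry here plus one config line; the stack logic
# itself does not change.
MODULES: Dict[str, AuthFn] = {
    "kerberos4": table_auth(KERBEROS4_DB),
    "netware": table_auth(NETWARE_DB),
    "local": table_auth(LOCAL_DB),
}

# Constructed configuration table, in the style of a UNIX pam.conf.
CONFIG_TEXT = """
# service  control    module     options
login      required   kerberos4  master
login      required   netware    use_mapped
login      optional   local
"""

CONTROLS = ("required", "requisite", "sufficient", "optional")
Entry = Tuple[str, str, str, List[str]]  # service, control, module, options


def parse_config(text: str) -> List[Entry]:
    """Parse the table: '#' starts a comment, fields are whitespace separated."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed config line: {raw!r}")
        service, control, module, *options = fields
        if control not in CONTROLS:
            raise ValueError(f"unknown control flag {control!r} in {raw!r}")
        entries.append((service, control, module, options))
    return entries


def run_stack(entries: List[Entry], service: str, user: str, password: str,
              modules: Dict[str, AuthFn] = MODULES
              ) -> Tuple[bool, List[Tuple[str, bool]]]:
    """Evaluate the stack for one service with PAM control-flag semantics.

    required   : failure fails the stack, but later modules still run
    requisite  : failure stops the stack at once
    sufficient : success ends the stack with success unless a required
                 module already failed; its failure is ignored
    optional   : counts only when no other module decided
    Returns (success, [(module, result), ...]).
    """
    results: List[Tuple[str, bool]] = []
    required_failed = success_seen = optional_ok = False
    mapped: Dict[str, str] = {}          # filled in by the master provider
    for svc, control, name, options in entries:
        if svc != service:
            continue
        fn = modules.get(name)
        pw = mapped.get(name, password) if "use_mapped" in options else password
        ok = bool(fn and fn(user, pw))   # unknown module name counts as failure
        results.append((name, ok))
        if ok and "master" in options:
            mapped = MASTER_KEYMAP.get(user, {})
        if control in ("required", "requisite"):
            if ok:
                success_seen = True
            else:
                required_failed = True
                if control == "requisite":
                    break
        elif control == "sufficient":
            if ok and not required_failed:
                return True, results
        else:                            # optional
            optional_ok = optional_ok or ok
    if required_failed:
        return False, results
    return (success_seen or optional_ok), results


if __name__ == "__main__":
    print(run_stack(parse_config(CONFIG_TEXT), "login", "alice", "k4-secret"))
```

With the constructed table, "alice" types only the Kerberos 4 password; the master module's success makes the mapped NetWare password available to the "netware" line, and the stack result is the combination of the three modules under their control flags. Changing the policy (for instance making Netware the master, as in the Medical School case above) is a change to the configuration text, not to any module.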
Send mail to Naomaru Itoi