Dynamic Configuration of
Windows NT Login
Development and configuration of login software in Windows NT is always
a hard problem because some part of the software is embedded in Windows
NT operating system. However, login software must be developed and
configured easily because security technology is rapidly growing and changing.
We attack this problem by having more modularity. Our project is
called NI_PAM, referring to UNIX Pluggable Authentication Module (PAM).
1. Our Goal
2. Our Way
We want to login to many computing resources (e.g. local computer,
Netware network, Kerberos tickets), we do not want to type a password more
Network Providers (e.g. Netware, Kerberos, etc.) are developed rapidly.
A new Network Provider requires modification in Windows NT login software.
However, we do not want to re-write all software whenever Network Provider
In addition to the frequent change of Network Providers, change
and variety in administration policy (e.g. Kerberos 4 is a master Network
Provider in CANE, while Netware is the one in Medical School.) requires
frequent change in the configuration. We do not want to re-compile
the software every time the policy is changed.
Our basic policy is to divide the login software (GINA) to several
independent modules, and control it with Configuration File. NI_PAM
contains following modules:
NI_PAM: Central part to implement PAM in Windows NT.
NI_PAM reads a configuration table to specify its behavior.
NI_GINA: GINA works with NI_PAM. NI_GINA replaces
NP specific modules: A module to support specific
network providers. Kerberos 4, Kerberos 5, Netware, and Smart
Card (CyberFlex JavaCard) authentication module are the examples of
Network Providers we support.
All modules are implemented as independent DLLs. Since each
module is developed independently from each other, development cost of
Windows NT logon application is greatly reduced.
3. Future Direction
We are investigating a way to use different passwords in different
network providers, yet single-sign-on property is reserved. We would
implement it with password mapping. i.e. one master Network Provider
(probably Kerberos) has all other NPs' passwords or keys.
Send mail to Naomaru Itoi