Password Synchronization in Windows Services for UNIX

Abstract

Password Synchronization in Microsoft® Windows® Services for UNIX provides features to synchronize user passwords between Windows and UNIX. This white paper describes the Password Synchronization feature included as part of Services for UNIX version 3.0.

On This Page

Introduction
Password Synchronization Scheme
Windows-to-UNIX Password Synchronization
UNIX-to-Windows Password Synchronization
For More Information

Introduction

Microsoft® Windows® Services for UNIX includes a Password Synchronization component to address the problem of keeping Windows and UNIX passwords in synchronization. This component provides password synchronization in both directions, that is, from Windows to UNIX as well as from UNIX to Windows.

A typical enterprise computer network consists of heterogeneous systems including both Windows- and UNIX-based computers. These systems are managed separately and are governed by different access policies. Many users have to access both systems for a variety of reasons. However, Windows and UNIX-based computers use different mechanisms for authenticating users. Consequently, users need to maintain different user accounts and different passwords on these systems.

Maintaining two passwords on two different systems is a hassle for users. It maintains an artificial barrier between two kinds of systems that are part of the same network. With different password update schedules, users may forget one or more of their passwords, which then requires administrative intervention to reset them. All of this translates into a loss of productivity.

Keeping two different passwords also burdens administrators. Whenever a user password needs to be reset, administrators have to change one password or the other, or change both using two different mechanisms. Many enterprises have different system administrators for Windows and UNIX, a separation that may require users to contact a different system administrator depending on the issue.

Services for UNIX addresses this problem with Password Synchronization, which simplifies management of network passwords. It makes life easier for users of both Windows- and UNIX-based systems by allowing them to use the same password on both.

Password Synchronization Goals

  • Windows and UNIX system passwords are synchronized. A user needs to remember a single system password in a network consisting of UNIX, Windows NT®-, and Windows 2000-based computers.

  • Administration of password changes is simplified for system administrators. All passwords may be administered from one machine. System administrators have control over users and systems for which such synchronization takes place.

  • The password synchronization mechanism is secure.

Password synchronization is optional, and the administrator can select the set of users that participate in it.

Note: Password synchronization does not:

  • Provide single sign-on between UNIX and Windows. Users still need to log on to each system to access it.

  • Mandate or provide a common authentication scheme between the two systems.

  • Synchronize application passwords. It does not try to keep the same password across applications or databases on Windows or UNIX.

Password Synchronization Features

  • Synchronizes domain passwords for computers that are part of a Windows domain, or local passwords for standalone computers. It supports both Windows NT and Windows 2000.

  • Allows synchronization for UNIX-based computers that are either stand-alone computers or part of an NIS domain.

  • Sends passwords over the network using strong encryption for security. It uses a shared secret key (symmetric) encryption mechanism.

  • Can be configured to synchronize passwords in either direction (from Windows-to-UNIX or from UNIX-to-Windows) or both.

  • Lets administrators control the computers on which passwords are synchronized. They also control which users' passwords are synchronized. These lists can be configured using administrative tools or configuration files.

  • Instantly synchronizes passwords and notifies other computers of changes as soon as passwords are changed. This is different from other mechanisms such as rdist where password propagation to other computers is batched.

Limitations

  • Password synchronization applies to users with the same username on both UNIX and Windows. Password synchronization for users with different usernames on Windows and UNIX is not supported.

Password Synchronization Scheme

Password synchronization has two independent components:

  1. Windows-to-UNIX password synchronization

  2. UNIX-to-Windows password synchronization.

Windows-to-UNIX password synchronization is enabled by default when the product is installed. UNIX-to-Windows synchronization can be enabled using the administration tool. The administration tool can be accessed by launching the "Services for UNIX Administration" program from the Start menu (under the group Windows Services for UNIX). The direction of synchronization and other password sync settings are shown when you click the "Password Synchronization" item in the left pane of the administration tool.

When a user changes a password on a computer, the password synchronization client software captures the new password and sends a password change request containing the new password to the password synchronization server software running on the other computers that take part in synchronization. Password synchronization uses TCP/IP sockets for communication and triple-DES for encrypting and decrypting passwords and related information sent from Windows to UNIX and vice versa. Because this uses standard communication protocols, no other software needs to be installed for this feature to work.

System administrators may elect to install Password Synchronization independent of other features in Services for UNIX. This feature does not depend on other features of Services for UNIX. Similarly other features do not depend on password synchronization. Note that Server for NIS is an upgrade path from this feature. Server for NIS not only provides password synchronization but also handles account management.

Windows-to-UNIX Password Synchronization

Services for UNIX password synchronization supports synchronization of password changes from Windows NT, Windows 2000 and Windows XP-based computers to UNIX computers. Windows-based computers may be part of a domain or may be stand-alone computers.

  • Password Synchronization may be installed either on domain controllers or on local computers. This synchronizes passwords for either domain users or local users respectively.

  • Password Synchronization from SFU version 3.0 can interoperate with the Password Synchronization feature in SFU version 2.0. This allows administrators to upgrade hosts participating in password synchronization in a phased manner.

What's new in Password Sync in version 3.0?

  • In Services for UNIX version 3.0, password synchronization from Windows to UNIX always works by means of the Pluggable Authentication Module (PAM) on the respective UNIX host. This ensures that the password being synchronized on the UNIX host also conforms to the password policy set by the administrator. It also ensures that the appropriate encryption method on that host (crypt, MD5, etc.) is used to store the encrypted password. Thus, password synchronization on UNIX works in conformance with the authentication policy and mechanism that is in effect on the UNIX host.

  • Password sync in this version supports 16-character to 21-character encryption keys. This provides increased security for encrypted passwords transferred over the network.

  • Support for a much larger number of target hosts to which passwords are synchronized.

  • Increased tolerance of password synchronization failures, and the ability for the administrator to control the process. A configuration setting allows the administrator to specify whether password sync across a specified set of hosts should continue if synchronization to a specific host fails.

  • The administrator now has better control over the direction(s) in which synchronization is enabled. In SFU 2.0 this was restricted to a one-way control.

Password Synchronization for domain users

In order to synchronize users' domain passwords with those of UNIX computers, the password synchronization component must be installed on all domain controllers (DCs) in that domain. In Windows NT 4, this consisted of the primary domain controller and all backup domain controllers. For Windows 2000 and later versions, this consists of all peer domain controllers. This is necessary because when a Windows user changes the password, the password change may occur at any of the domain controllers depending on network configuration. Note that Password Synchronization must be configured in an identical manner on all domain controllers.

To set up Windows-to-UNIX password synchronization, a password change service daemon, ssod, must be installed on all UNIX computers on which the password must be synchronized. If a user's NIS password needs to be synchronized, ssod should be installed on the NIS master server. See Figure 1 below for a typical password synchronization setup. To set up password synchronization on UNIX, an administrator needs to configure the sso.conf file. Similarly, the Password Synchronization feature must be installed on Windows-based computers that participate in synchronization, and it should be configured using the Services for UNIX administration console.

Figure 1: Windows Domain to UNIX Password Synchronization

The sequence of events is as follows:

  1. The user changes the password on a Windows client that is part of a domain. The password change request is sent to one of the domain controllers. This password is propagated to the other domain controllers in the domain through domain replication.

  2. On the domain controller, the password synchronization component receives the password change notification. If the password is to be synchronized for that user, the password synchronization component encrypts the password and sends it to those UNIX computers participating in password synchronization.

  3. A password synchronization service, ssod, running on the UNIX computers, listens for such password change requests. It decrypts the change message and changes the user's password on the UNIX computer by using the Pluggable Authentication Module.

  4. If the UNIX computer is an NIS server and is configured to do so, it also changes the user's NIS password and rebuilds the NIS maps (runs make). Whenever NIS clients communicate with the NIS server for a password, they receive the new password.
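The shared-key exchange behind steps 2 and 3 (and, mirrored, the UNIX-to-Windows sequence later in this paper), as an added model written in Go that is not Services for UNIX code: the sender encrypts a password change request with triple-DES under the shared sync key, and the receiver decrypts it and accepts it only for users selected for synchronization. The request record, the SHA-256 expansion of the 16-21 character key into the 24-byte triple-DES key, and the sample user and key are constructed assumptions; the page does not describe the real ssod wire format.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// newCipher expands the shared 16-21 character sync key into the 24 bytes triple-DES needs.
// The SHA-256 expansion is this model's assumption; the page does not give SFU's method.
func newCipher(shared string) (cipher.Block, error) {
	if n := len(shared); n < 16 || n > 21 {
		return nil, errors.New("sync key must be 16 to 21 characters")
	}
	sum := sha256.Sum256([]byte(shared))
	return des.NewTripleDESCipher(sum[:24])
}

// encryptRequest is the sending side: a constructed "user\x00password" record, zero-padded
// to the block size and triple-DES CBC encrypted under a fresh random IV (IV || ciphertext).
func encryptRequest(block cipher.Block, user, password string) ([]byte, error) {
	plain := []byte(user + "\x00" + password)
	plain = append(plain, make([]byte, (des.BlockSize-len(plain)%des.BlockSize)%des.BlockSize)...)
	msg := make([]byte, des.BlockSize+len(plain))
	if _, err := rand.Read(msg[:des.BlockSize]); err != nil {
		return nil, err
	}
	cipher.NewCBCEncrypter(block, msg[:des.BlockSize]).CryptBlocks(msg[des.BlockSize:], plain)
	return msg, nil
}

// decryptRequest is the receiving side (ssod, or the Windows service in the other direction):
// decrypt under the same key and accept only users the administrator selected for sync.
// A wrong key yields garbage that fails the user check, so no password is changed.
func decryptRequest(block cipher.Block, msg []byte, syncUsers map[string]bool) (string, string, error) {
	if len(msg) < 2*des.BlockSize || len(msg)%des.BlockSize != 0 {
		return "", "", errors.New("malformed request")
	}
	plain := make([]byte, len(msg)-des.BlockSize)
	cipher.NewCBCDecrypter(block, msg[:des.BlockSize]).CryptBlocks(plain, msg[des.BlockSize:])
	parts := bytes.SplitN(bytes.TrimRight(plain, "\x00"), []byte{0}, 2)
	if len(parts) != 2 || !syncUsers[string(parts[0])] {
		return "", "", errors.New("malformed record or user not selected for synchronization")
	}
	return string(parts[0]), string(parts[1]), nil
}
```

Note that the model, like the scheme described above, relies entirely on the secrecy of the shared key: every host holding it can both produce and read password change requests, which is why the administrator's host and user selection lists matter.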

Password Synchronization for local users

Password synchronization for local users works very similarly to that for domain users. Instead of installing the password synchronization component on domain controllers, it should be installed on the computer from which the password is to be synchronized.

Password synchronization works exactly as in the domain case, except that password changes for local users on Windows-based computers, rather than for domain users, are synchronized with UNIX computers. It is configured in exactly the same way. UNIX computers see no difference between the two cases.

UNIX-to-Windows Password Synchronization

Password synchronization may be configured for UNIX-to-Windows password synchronization. This allows users to change passwords either on a Windows-based computer or a UNIX computer. This way, users do not have to change their usage patterns.

  • Password synchronization on UNIX supports and uses PAM (Pluggable Authentication Modules).

  • Password synchronization from UNIX to Windows supports synchronization with domain passwords or local passwords.

For UNIX-to-Windows password synchronization, administrators need to install the password synchronization pluggable module (typically called pam_sso.so) on all UNIX computers on which users may change their UNIX passwords [1]. Similarly, Password Synchronization must be installed on all Windows-based computers on which the passwords must be synchronized. If the user's domain password must be synchronized with a UNIX password, Password Synchronization must be installed on all Windows domain controllers. On the other hand, if the user's local password must be synchronized with a UNIX password, Password Synchronization must be installed on that Windows-based computer.

Figure 2: UNIX to Windows Password Synchronization

The sequence of events is as follows:

  1. User changes password from a UNIX computer. The Password Synchronization PAM module (pam_sso.so) running on the computer receives the password change when the user or administrator executes the passwd command to change password.

  2. If the user's password needs to be synchronized to a Windows password, the Password Synchronization pluggable module encrypts the password and sends it to corresponding Windows-based computers.

  3. The Password Synchronization service running on the Windows-based computer (either domain controllers or stand-alone computers) decrypts the password change requests and changes the user's password.

Supported Platforms

Password Synchronization is supported on the following UNIX platforms. This table lists the modules available in Services for UNIX version 3.0, that is, the availability of the components that must be installed on UNIX: the Windows-to-UNIX synchronization module (ssod) and the UNIX-to-Windows synchronization module (pam_sso.so).

UNIX platform                    Windows-to-UNIX module (ssod)    UNIX-to-Windows module (pam_sso.so)
Solaris 7, Solaris 2.8           Yes                              Yes
HP-UX 10.2                       Yes                              No
HP-UX 11.0                       Yes                              Yes
IBM AIX 4.3 and above            Yes                              No
Linux (Redhat 6.2 and above)     Yes                              Yes

In addition, Services for UNIX makes the source code for the UNIX components available, so third parties may port the modules to other UNIX platforms.

For More Information

For the latest information on Windows 2000 Server, check out the following Web sites:

For the latest information on Services for UNIX, see https://www.microsoft.com/windows2000/sfu/

[1] If the computer is part of an NIS domain, the password synchronization pluggable module (typically called pam_sso.so) must be installed on all NIS clients. In addition, you may have to configure your NIS and PAM. On some UNIX systems, you may have to use passwd to synchronize passwords with Windows and yppasswd to change the password on NIS.