Password encryption

Applies To: Windows Server 2003 R2

A Windows-based computer can send and receive updated passwords to and from a UNIX-based computer as encrypted text only. The Password Synchronization single sign-on daemon (SSOD) receives the encrypted password and decrypts it before requesting the password change on the UNIX host. Similarly, if Password Synchronization is configured to support UNIX-to-Windows synchronization, the pluggable authentication module (PAM) encrypts the password before sending it to Password Synchronization on the Windows-based computer, which then decrypts the password before requesting the password change on the Windows-based computer.

The password can be successfully decrypted only if Password Synchronization and the SSOD or PAM module use the same encryption key to encrypt and decrypt the password. Before installing the SSOD on any UNIX computer, you must first set the default encryption key. You must then specify the same key in the sso.conf file when you install the SSOD on each UNIX host. This ensures that Password Synchronization and the SSOD on every UNIX host use the same encryption key. For more information about setting the default encryption key, see Set the default encryption key. For information about installing and configuring the SSOD, see Install the Password Synchronization daemon.

For added security, you can specify an encryption key that is used only between a particular Windows-based computer and a UNIX host. For information about configuring Password Synchronization to use a computer-specific encryption key, see Set computer-specific synchronization properties. For information about setting the computer-specific encryption key on the UNIX computer, see Install the Password Synchronization daemon.
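The two requirements above, that both ends hold the same key and that a computer-specific key can override the default for one Windows/UNIX pair, can be seen in a small simulation. The following is an added example, not Microsoft's Password Synchronization code, and the page does not describe the cipher the product uses, so an encrypt-then-MAC construction built from HMAC-SHA256 (a keyed keystream in counter mode plus an authentication tag) stands in for it. The function names, the `per_host_keys` mapping and the host names are assumptions made for the illustration; the real product reads its key from the default setting on Windows and from sso.conf on UNIX.

```python
"""Added example: shared-key password exchange between a Windows
Password Synchronization service and a UNIX SSOD. The cipher here is a
stand-in (HMAC-SHA256 keystream + HMAC tag); the product's real cipher
is not described on the page. All names are hypothetical."""
import hashlib
import hmac
import os

NONCE_LEN = 16
TAG_LEN = 32


def _derive(key: bytes, label: bytes) -> bytes:
    # Split the shared key into separate encryption and MAC keys.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream: HMAC(enc_key, nonce || counter) blocks.
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_password(key: bytes, password: str) -> bytes:
    """Windows side: encrypt the updated password under the shared key."""
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = os.urandom(NONCE_LEN)
    plaintext = password.encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_password(key: bytes, blob: bytes) -> str:
    """SSOD side: verify the tag, then decrypt. A key mismatch fails the
    tag check, so no garbage plaintext ever reaches the passwd change."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    enc_key, mac_key = _derive(key, b"enc"), _derive(key, b"mac")
    nonce = blob[:NONCE_LEN]
    ciphertext = blob[NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("decryption failed: key mismatch or altered message")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ s for c, s in zip(ciphertext, stream)).decode("utf-8")


def key_for_host(host: str, default_key: bytes, per_host_keys: dict) -> bytes:
    """Hypothetical key selection: a computer-specific key, if one is
    configured for this UNIX host, overrides the default key."""
    return per_host_keys.get(host, default_key)


def synchronize(host: str, password: str, default_key: bytes,
                per_host_keys: dict, unix_key: bytes) -> str:
    """Run one Windows-to-UNIX update and return what the SSOD recovers."""
    blob = encrypt_password(key_for_host(host, default_key, per_host_keys),
                            password)
    return decrypt_password(unix_key, blob)


def sync_succeeds(host: str, password: str, default_key: bytes,
                  per_host_keys: dict, unix_key: bytes) -> bool:
    """True when the SSOD recovers the password, False on key mismatch."""
    try:
        return synchronize(host, password, default_key,
                           per_host_keys, unix_key) == password
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample keys and host names.
    default = b"default-key-shared-by-all-hosts"
    special = b"key-only-for-unixhost2"
    per_host = {"unixhost2": special}
    print(sync_succeeds("unixhost1", "Pa$$w0rd", default, per_host, default))
    print(sync_succeeds("unixhost2", "Pa$$w0rd", default, per_host, special))
    # unixhost2 still configured with the default key: mismatch, rejected.
    print(sync_succeeds("unixhost2", "Pa$$w0rd", default, per_host, default))
```

The third call in the usage block is the misconfiguration the page warns about: the Windows side has been given a computer-specific key for that host, but sso.conf on the host was not updated to match, so every password update for that host is rejected at the SSOD.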