Re: pam on windows



Hello,

thank you for your answer. It made things clearer to me.

I read more about the topic and found out that I would need to implement
a CredentialProvider and an AuthenticationPackage to support a new logon
device.

But there are some things I don't quite understand.
I'm talking only about local system logons here.
As far as I know the custom AuthenticationPackage needs to call the
MSV1_0 package to perform an initial logon.
This initial logon is created by passing the username and password of
the user to MSV1_0 which then checks the password against the one stored
in the SAM database. (Is this right?)
The custom AuthenticationPackage could then do some extra checking, for
example it checks if a fingerprint is registered with the system, and
then return a successful logon session or delete it.

But this method still relies on a normal password. So the user would
either have to enter a password and give some extra information like a
fingerprint, or the user would only have to give his fingerprint and then
the custom AuthenticationPackage would have to retrieve the user's
password out of some own fingerprint->password database and supply the
password to MSV1_0. Is this right?

Do you know how actual fingerprint logon systems do this? Do they store
the user's password in some own database?
If this is the case, then would it be insecure if I stored my password
encrypted with my OpenPGP key on the system? I would then retrieve it by
decrypting it with my smartcard and then do a normal logon.


Regards,
Gordian



lelteto wrote:
Here is the issue with simple yes/no - and why it cannot work on Windows:

On Windows some crypto information (e.g. the user's private keys in crypto
containers; encryption keys to EFS-protected/encrypted folders) is protected
with the user's password. (Protected means the necessary crypto keys to
decode these are DERIVED from the user password.) So if you don't provide the
user password, these will not be available - and portions of Windows could
not work.

Also think about security implications:
The current method is secure, because if you don't know the user's password,
there is NO WAY to get access to these user data. (Not even if you boot from
another system where you have admin rights. And IF you simply reset the user
password - which is certainly possible with admin rights - these crypto data
will be lost forever.) Now if you would just need a yes/no response, then a
cracker could find the code where the decision is made and, by forcing it to
go to the "OK" code path, could impersonate the user and get access to
everything the user has (e.g. signing keys). That would be a fatal security
weakness. (Yes, IF you use pam on Linux, that IS a fatal security weakness
if somebody can boot from another OS. But there you don't have the automatic
use of password to get access to your crypto stuff - those are protected with
password which can be different from the login password.)

So in order for Windows to work correctly (and that includes access to the
user's crypto stuff) you DO need the user's password. That's just how Windows
security is architected. (And that security architecture is pretty good /
solid.)

Laszlo Elteto
SafeNet, Inc.

"Gordian Klein" wrote:

Hello,

is there something in Windows Vista that is similar to pam modules on Linux?
I'm thinking of something where I return a simple true/false to Windows
and then the user gets logged on or not.
I looked at the Credential Providers, but I did not see how I can do it
with them. It seems to me that they only pass the gathered logon
information deeper into the Windows system, where it is then decided whether
the user gets logged on or not.

The reason I'm asking this is because I want to be able to log on to
Windows using my OpenPGP Card with some kind of challenge response method.
I found an example Credential Provider called 'hybrid credential
provider' that stores the user's password on a smartcard and then logs on
to Windows using the normal username/password method. But I don't want to
store a Windows password on my smartcard.

Thank you for any help.
Regards
Gordian
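Laszlo's point above, that per-user crypto material on Windows is protected with keys derived from the logon password, is what the Data Protection API (DPAPI) implements, and it is the concrete reason a PAM-style yes/no module cannot replace the password for a local logon. The PowerShell below is an added example, not code from the original thread or from any of the posters: it protects a secret in CurrentUser scope, reads the master key GUID out of the DPAPI blob header, and locates the matching master key file in the user's profile. That master key file is itself encrypted with a key derived from the user's logon password, so a session created by short-circuiting an "OK" branch would own the account but not the key. The entropy string, the sample secret and the header offsets (taken from public descriptions of the DPAPI blob layout) are this example's own assumptions.

```powershell
# Added example, not part of the original thread.
# Shows how a CurrentUser DPAPI blob is tied to a master key in the user's
# profile, which in turn is protected with a key derived from the logon password.
Add-Type -AssemblyName System.Security

$secret  = [Text.Encoding]::UTF8.GetBytes('private key material')   # constructed sample
$entropy = [Text.Encoding]::UTF8.GetBytes('example-app')             # assumed optional entropy

# CurrentUser scope: only this user, holding a usable master key, can unprotect.
$blob = [Security.Cryptography.ProtectedData]::Protect(
    $secret, $entropy, [Security.Cryptography.DataProtectionScope]::CurrentUser)

# DPAPI blob header (offsets as publicly documented, assumed here):
#   0  : version (DWORD)
#   4  : provider GUID (16 bytes)
#   20 : master key version (DWORD)
#   24 : master key GUID (16 bytes)  <- names the key that wraps this blob
$masterKeyGuid = [Guid]::new([byte[]]$blob[24..39])
"Blob is wrapped with master key $masterKeyGuid"

# Per-user master keys live under the profile, one file per GUID.
# That file is encrypted with a key derived from the user's password (local accounts),
# which is why an admin password *reset* (not change) leaves it unrecoverable.
$sid    = [Security.Principal.WindowsIdentity]::GetCurrent().User.Value
$mkPath = Join-Path $env:APPDATA "Microsoft\Protect\$sid\$masterKeyGuid"
"Master key file present: $(Test-Path $mkPath)"

# Round trip succeeds for the same user in a normally established logon session.
$plain = [Security.Cryptography.ProtectedData]::Unprotect(
    $blob, $entropy, [Security.Cryptography.DataProtectionScope]::CurrentUser)
"Round trip OK: $([Text.Encoding]::UTF8.GetString($plain) -eq 'private key material')"
```

Run it in the interactive session of the account whose keys you want to inspect; the master key file it prints is the object that EFS keys and CAPI/CNG private key containers ultimately depend on. This is also the caveat for the "decrypt the stored password with the smartcard, then do a normal logon" design discussed above: the decryption must be done by the card (or something else available before the session exists), because the user's own DPAPI master key is not usable until the password has been supplied to the logon.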
