PAM-like Authentication for Windows Clients
Nathan Yocom
Most derivatives of UNIX come with support for Pluggable Authentication Modules
(PAM). UNIX boxes can authenticate users in a multitude of ways with PAM. However,
if you put a machine running Microsoft Windows NT/2K/XP into the same authentication
framework, you will encounter problems. The solutions currently available range
from emulation of a domain controller with Samba, to various scripts and back-ends
that replicate account information between heterogeneous hosts.
In the Computer Science department where I work, students receive and use
accounts on our Solaris server, but many students also need access to machines
with Microsoft Windows. To allow this, and still utilize our Solaris server
as an authentication and storage point, I have worked with a colleague to create
the GPL'd pGina (http://pgina.cs.plu.edu).
Through the use of this replacement GINA for Windows and community-developed
plugins for authentication, this tool, in some situations, can replace a Microsoft
Windows Domain with other standard authentication methods. Figure
1 shows the ideal single-point authentication framework I was looking for,
while Figure 2 shows what I would
have had to do using currently available and mostly non-GPL methods.
What Is a GINA?
GINA stands for Graphical Identification aNd Authentication. It is a DLL loaded
by the Winlogon.exe process, and it is responsible for presenting the login
dialog box and for handling secure attention sequence (SAS, typically CTRL+ALT+DEL)
events. By using the freely available Windows Platform SDK, it is possible to write
a replacement GINA library that functions however you like. pGina is exactly
that: a custom GINA that loads plugins conforming to an open standard, so that
identification and authentication become modular (thus, pluggable Graphical
Identification aNd Authentication, or pGina).
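To make the "pluggable" idea concrete, here is an added example (not pGina's or PAM's own code): a small C model of a PAM-style module stack, in which each authentication back-end is a function and the control flags required, requisite and sufficient decide how the stack reaches its verdict. The module back-ends, the user names and the passwords are constructed for the illustration; a real GINA or PAM service would consult the Solaris server, a directory or the local account database instead of these in-memory checks.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Verdict returned by one authentication module. */
typedef enum { AUTH_SUCCESS, AUTH_AUTH_ERR } auth_result;

/* PAM-style control flags that decide how a module's result affects the stack. */
typedef enum { CTRL_REQUIRED, CTRL_REQUISITE, CTRL_SUFFICIENT, CTRL_OPTIONAL } control_flag;

typedef auth_result (*auth_fn)(const char *user, const char *password);

typedef struct {
    const char *name;
    control_flag control;
    auth_fn authenticate;
} auth_module;

/* Constructed stand-ins for real back-ends (a local account file, a directory
 * server, a policy module). Passwords are hard-coded only for this illustration. */
static auth_result mod_local(const char *user, const char *password) {
    return (strcmp(user, "alice") == 0 && strcmp(password, "local-secret") == 0)
               ? AUTH_SUCCESS : AUTH_AUTH_ERR;
}

static auth_result mod_directory(const char *user, const char *password) {
    return (strcmp(user, "bob") == 0 && strcmp(password, "dir-secret") == 0)
               ? AUTH_SUCCESS : AUTH_AUTH_ERR;
}

static auth_result mod_deny_root(const char *user, const char *password) {
    (void)password; /* policy only looks at the account name */
    return strcmp(user, "root") == 0 ? AUTH_AUTH_ERR : AUTH_SUCCESS;
}

/* Walks the stack with PAM's control-flag semantics:
 *  - requisite:  a failure ends the walk immediately with a denial.
 *  - required:   a failure is remembered but the walk continues, so every
 *                module still runs and the caller cannot tell which one rejected.
 *  - sufficient: a success ends the walk with acceptance, unless a required
 *                module already failed; a failure is ignored.
 *  - optional:   only counts when it is the sole module in the stack.
 * The stack defaults to denial: no positive verdict means no login. */
bool authenticate_stack(const auth_module *stack, size_t n,
                        const char *user, const char *password) {
    bool required_failed = false;
    bool positive_verdict = false;
    for (size_t i = 0; i < n; i++) {
        auth_result r = stack[i].authenticate(user, password);
        switch (stack[i].control) {
        case CTRL_REQUISITE:
            if (r != AUTH_SUCCESS) return false;
            positive_verdict = true;
            break;
        case CTRL_REQUIRED:
            if (r != AUTH_SUCCESS) required_failed = true;
            else positive_verdict = true;
            break;
        case CTRL_SUFFICIENT:
            if (r == AUTH_SUCCESS && !required_failed) return true;
            break;
        case CTRL_OPTIONAL:
            if (n == 1) {
                if (r != AUTH_SUCCESS) required_failed = true;
                else positive_verdict = true;
            }
            break;
        }
    }
    return positive_verdict && !required_failed;
}

/* Constructed stack: refuse root outright, accept a local match, otherwise
 * require the directory to vouch for the user. */
static const auth_module login_stack[] = {
    { "deny_root", CTRL_REQUISITE,  mod_deny_root },
    { "local",     CTRL_SUFFICIENT, mod_local },
    { "directory", CTRL_REQUIRED,   mod_directory },
};

bool check_login(const char *user, const char *password) {
    return authenticate_stack(login_stack,
                              sizeof login_stack / sizeof login_stack[0],
                              user, password);
}

int main(void) {
    const char *users[]  = { "alice", "bob", "root", "alice" };
    const char *pwords[] = { "local-secret", "dir-secret", "anything", "wrong" };
    for (size_t i = 0; i < 4; i++)
        printf("%-6s -> %s\n", users[i], check_login(users[i], pwords[i]) ? "accept" : "deny");
    return 0;
}
```

Two design points carry over to any plugin chain of this kind: the walk defaults to denial, so a stack that never produces a positive verdict cannot let anyone in, and a `required` failure is recorded rather than stopping the walk, so the timing and behaviour of the chain do not reveal which module rejected the attempt. Module order matters as well: placing the `sufficient` local check before the `requisite` policy module would let a local match skip the policy check.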