Microsoft Windows now supports... PAM!

by Dustin Puryear

If you are at all familiar with the UNIX or Linux world, you will know about Pluggable Authentication Modules (PAM). Essentially, PAM is a highly extensible login framework for authenticating and authorizing a user for access to a server. Prior to PAM, each login program worked directly against the local /etc/passwd database; with PAM, the login program hands the decision to the PAM library, which in turn walks a configured stack of "modules" (surprise!), each of which returns success or failure, and combines those results according to the control flags in the configuration. On many UNIX and Linux boxes the stack still ends up at /etc/passwd (via pam_unix), but it doesn't have to, and often doesn't. For example, LDAP is quite often used for authentication, and this is done by simply adding the right LDAP module to your PAM configuration, typically in front of the local-password module so that directory users and local users can both log in.
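To make the "stack of modules returning yes/no" concrete, here is an added illustration (not code from the original post) that models how Linux-PAM evaluates an `auth` stack with the simple control flags `required`, `requisite`, `sufficient` and `optional`. The modules are stand-ins backed by constructed in-memory user tables, not the real pam_ldap/pam_unix, and the two config fragments are constructed for the example. The second fragment shows the caveat that trips people up in practice: a `sufficient` success cannot rescue an earlier `required` failure.

```python
"""Simplified model of Linux-PAM 'auth' stack evaluation (added example)."""
from dataclasses import dataclass
from typing import Callable, Dict, List

# Constructed sample stores standing in for an LDAP directory and /etc/shadow.
LDAP_USERS: Dict[str, str] = {"alice": "ldap-pw"}
LOCAL_USERS: Dict[str, str] = {"root": "local-pw"}

Module = Callable[[str, str], bool]  # (user, password) -> authenticated?

# Fake modules; the real ones do hashing, LDAP binds, etc. Names are the real ones,
# behaviour here is a stand-in for the example only.
FAKE_MODULES: Dict[str, Module] = {
    "pam_ldap.so": lambda u, p: LDAP_USERS.get(u) == p,
    "pam_unix.so": lambda u, p: LOCAL_USERS.get(u) == p,
    "pam_deny.so": lambda u, p: False,
    "pam_permit.so": lambda u, p: True,
}

CONTROLS = {"required", "requisite", "sufficient", "optional"}


@dataclass
class Entry:
    control: str
    module: str


def parse_stack(text: str, facility: str = "auth") -> List[Entry]:
    """Parse pam.d-style lines '<type> <control> <module> [args...]' for one facility."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            raise ValueError(f"malformed PAM line: {raw!r}")
        typ, control, module = fields[0], fields[1], fields[2]
        if control not in CONTROLS:
            raise ValueError(f"unsupported control flag: {control!r}")
        if typ == facility:
            entries.append(Entry(control, module))
    return entries


def run_auth_stack(stack: List[Entry], user: str, password: str) -> bool:
    """Evaluate a stack with Linux-PAM's simple control-flag semantics.

    required   : failure is remembered, the stack keeps running, final result fails
    requisite  : failure ends the stack immediately with failure
    sufficient : success ends the stack with success UNLESS a required/requisite
                 module already failed; its own failure is ignored
    optional   : counts only when it is the sole module in the stack
    """
    remembered_failure = False
    counted = 0  # results that actually contributed to the outcome
    for entry in stack:
        ok = FAKE_MODULES[entry.module](user, password)
        if entry.control == "requisite":
            counted += 1
            if not ok:
                return False
        elif entry.control == "required":
            counted += 1
            if not ok:
                remembered_failure = True
        elif entry.control == "sufficient":
            if ok and not remembered_failure:
                return True
        elif entry.control == "optional" and len(stack) == 1:
            counted += 1
            if not ok:
                remembered_failure = True
    # Like Linux-PAM's end-of-stack sanity check: if nothing positive was ever
    # recorded (e.g. every sufficient module failed), the user is denied.
    return counted > 0 and not remembered_failure


# Constructed /etc/pam.d-style fragment: try LDAP first, fall back to local accounts.
EXAMPLE_CONFIG = """\
auth sufficient pam_ldap.so
auth required   pam_unix.so use_first_pass
"""

# Constructed misordering: the required failure is remembered, so the later
# sufficient success does not grant access.
MISORDERED_CONFIG = """\
auth required   pam_deny.so
auth sufficient pam_permit.so
"""


def demo() -> Dict[str, bool]:
    stack = parse_stack(EXAMPLE_CONFIG)
    bad = parse_stack(MISORDERED_CONFIG)
    return {
        "ldap user": run_auth_stack(stack, "alice", "ldap-pw"),       # True
        "local user": run_auth_stack(stack, "root", "local-pw"),      # True
        "wrong password": run_auth_stack(stack, "alice", "nope"),     # False
        "unknown user": run_auth_stack(stack, "mallory", "x"),        # False
        "deny then permit": run_auth_stack(bad, "alice", "ldap-pw"),  # False
    }


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:>18}: {'PAM_SUCCESS' if allowed else 'denied'}")
```

The point of the model is the ordering: with `sufficient pam_ldap.so` first, a directory user never touches pam_unix, a local user falls through to it, and an unknown user fails both. Swap the order of the two controls, or put a `required` module that always fails ahead of a `sufficient` one, and the result changes, which is exactly the layering that a single swapped-in GINA does not give you.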

Yawn.

Well, it is all very cool actually, but it is old news in the UNIX world.

Now, Windows has supported this, kind of, a little bit, with GINA (the Graphical Identification and Authentication DLL) and GINA chaining and what have you, but it is really JUST NOT DONE. A custom GINA replaces msgina.dll wholesale via the Winlogon GinaDLL registry value, so "chaining" means your DLL has to load the original and forward calls to it. In addition, the GINA chaining concept is rarely if ever used. (I have heard that this is because of reliability issues.)

However, Vista now supports a new model known as Credential Providers, which looks suspiciously like... PAM! Well, cool. (And they say Microsoft doesn't learn!) Credential Providers replace GINA outright: LogonUI enumerates every registered provider side by side, so several can coexist without one having to wrap another. One caveat for the practitioner: a Credential Provider gathers and packages credentials for the logon UI, while the actual verification still goes through LSA and its authentication packages, so the PAM-like part is the pluggable front end rather than the whole authn/authz stack.

Anyway, I suggest you take a look at these, as it's all very nifty stuff:

Windows Vista Sample Credential Providers Overview

Credential Provider Samples

New Authentication Functionality in Windows Vista


9 Comments

Jake
2008-05-08 14:40:20
This is one of the most stupid and misinformed blog posts I've ever read on O'Reilly. Congratulations on making me seriously consider unsubscribing.
ZiggyFish
2008-05-08 17:29:12
Jake, what makes you say that?
Dustin Puryear
2008-05-08 17:46:09
Ha, yes, I'm curious myself... Either he doesn't think PAM does what PAM does or that Credential Provider does what Credential Provider does. ;)
Fred Arnold
2008-05-09 10:38:40
I'd like to know why anyone should care, given Microsoft's long, unbroken record of 100% security incompetence. The 'Credential Provider Samples' page doesn't let you download the samples on anything but "genuine Microsoft Windows," and it runs some kind of check first. Too bad if you want to download it on a PC that's safe to connect to the Internet; you don't get that option.
Jake
2008-05-09 12:55:37
The (old) Windows equivalent to PAM is GINA. I believe GINA (I first heard about GINA in approximately '93, early '94) even predates PAM (1995). Same rough functionality. It's also not particularly hard to develop a custom GINA, if you so choose.


GINA is used heavily by third parties for stuff such as NIS auth, Sun LDAP auth, Novell, smartcard readers, biometrics, etc., etc., etc. These are used in huge enterprises, and they work well.


PAM is neat, but has been less than squeaky clean in the past with quality and security issues.


But anyway, continue on with the blind MS-hating, it's entertaining.

Dustin Puryear
2008-05-11 19:39:44
Jake- I agree that some modules of PAM have had issues, but overall PAM is certainly a very strong foundation and I see it having a role in even Microsoft rethinking how to authenticate. And it doesn't hurt that PAM is significant: It's how authentication is done in general on Solaris, Linux, and, to some extent, FreeBSD.


I think Microsoft is making a good move in turning toward a more PAM-like credential service with Credential Provider.

Jake
2008-05-12 10:09:53
Dustin,


Yes, PAM is a good thing. My original point though, was that Windows had this functionality at least as long as PAM has been around. And frankly, a desktop/server OS that doesn't have such functionality in this day and age should best be taken out back and shot.


I still occasionally see Novell login screens, which were GINA modules. I didn't even know Novell still existed.

Dustin Puryear
2008-05-12 11:00:02
Jake- I disagree that Windows has had PAM functionality.


PAM allows you to layer your authn/authz needs for logins. Doing work with GINA is more like replacing a single PAM module with another one, not layering the modules as you do with PAM.


GINA chaining *IN THEORY* is akin to PAM, but nobody does it and it's not exactly something that was trusted.


So, I suppose you could say that "GINA chaining" means Windows supported the functionality, but the reality is that Credential Provider is the first real move to be PAM-like.


Simply plugging in your Novell or NIS GINA is not the same. :)

Jake
2008-05-12 14:08:47
Dustin,


Hrm, yeah, you are correct in that respect. But in the average enterprise, how important is chaining, really? It seems like a pretty minor feature.


Even with PAM, my authentication stores are limited to local /etc/passwd and winbind. I'm sure there are some folks that want to tie into a variety of auth stores, but one would hope these are pretty uncommon cases.


If I had to do chaining, I'd probably prefer to use the OSS project pGINA.