Universal Password Changer (UPwdChg)
Synchronize passwords between LDAP, Kerberos, Active Directory, etc.
Author: Cédric Dufour <http://cedric.dufour.name>
The Universal Password Changer (UPwdChg) allows one to synchronize passwords between multiple and different user directory systems - LDAP, MIT Kerberos, Microsoft Active Directory, etc. - with an emphasis on flexibility, customizability and untrusted frontends security.
How it works
The Universal Password Changer (UPwdChg) is split in two parts:
- a frontend, running on any user-accessible (untrusted) host, which allows users to request password changes
- a backend, running on a (trusted) management host, where password change requests are processed
In order to deal with the lower security of the frontend host, public key cryptography is used:
- on the frontend, password change requests are encrypted as password change tokens, using the RSA public key of the processing backend
- password change tokens are saved in a storage location shared between the frontend and the backend (e.g. NFS, CIFS, SSHFS, rsync, etc.)
- on the backend, password change tokens are decrypted using the backend RSA private key, and processed through customizable plugins
Password change tokens are actually made of:
- the password change data - request timestamp, username, old and new passwords - along corresponding SHA-256 digest, encrypted using AES-256-CBC symetric cipher and base64 encoded
- the symetric cipher key and initialization vector (IV), encrypted with the supplied RSA public key and base64-encoded
Once decrypted, password change tokens/requests are processed through various user-customizable plugins:
- validation plugins, checking credentials validity, password policies compliance, etc.
- actual password change plugins, performing the requested password change on multiple and different backends, such as LDAP, MIT Kerberos, Microsoft Active Directory, etc.
- any other tasks that may be required as part of a password change operation