Universal Password Changer (UPwdChg) [GPLv3]
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
LICENSE
backend
debian
devel - NEW: Unit tests Oct 15, 2018
frontend
tests
.gitignore
COPYRIGHT
CREDITS
INSTALL
MIGRATION.2to3
OVERVIEW.png
PROTOCOL
PROTOCOL.password-change
PROTOCOL.password-reset
PROTOCOL.two-factor-password-change
README
README.keys
ROADMAP
setup.cfg
setup.py

README

Universal Password Changer (UPwdChg)
====================================

Synopsis
--------

The Universal Password Changer (UPwdChg) allows one to synchronize passwords
between multiple and different user directory systems - LDAP, MIT Kerberos,
Microsoft Active Directory, etc. - with an emphasis on flexibility, customiz-
ability and untrusted frontends security.


How it works
------------

The Universal Password Changer (UPwdChg) is split in two parts:
 - a frontend, running on any user-accessible (untrusted) host, which allows
   users to request password changes
 - a backend, running on a (trusted) management host, where password change
   requests are processed

In order to deal with the lower security of the frontend host, public key
cryptography is used:
 - on the frontend, password change requests are encrypted as password
   change tokens, using the public key of the processing backend
 - password change tokens are saved in a storage location shared between
   the frontend and the backend (e.g. NFS, CIFS, SSHFS, rsync, etc.)
 - on the backend, password change tokens are decrypted using the backend
   private key, and processed through customizable plugins

Password change tokens are actually made of:
 - the password change data - request timestamp, username, old and new
   passwords, etc. - along corresponding their cryptographic digest, encrypted
   using a symetric cipher
 - the symetric cipher key and initialization vector (IV), encrypted with
   the backend public key
 - the encrypted payload signature, created with the frontend private key

Once decrypted, password change tokens/requests are processed through various
user-customizable plugins:
 - validation plugins, checking credentials validity, password policies
   compliance, etc.
 - actual password change plugins, performing the requested password change
   on multiple and different backends, such as LDAP, MIT Kerberos, Microsoft
   Active Directory, etc.
 - any other tasks that may be required as part of a password change operation

Since its version 2, the Universal Password Changer also features password nonces
- temporary passwords (PIN codes) sent to users via a separate channel - that may
be used:
 - along the user old password to achieve two-factor password change
 - in place of the user old password to achieve (forgotten) password reset


Features
--------

The Universal Password Changer (UPwdChg) provides:

1. a PHP web frontend, allowing users to request password change via their
   web browser

2. a set of Python utilities to manage password change tokens/requests:
    - upwdchg-token:    read/write password change tokens
    - upwdchg-process:  process password change tokens
    - upwdchg-daemon:   watch a given directory for new password change
                        tokens and automatically process them

3. a set of password change token processing plugins:

    * debug
      - ShowTokenInfo:         display token details

    * nonce
      - SendPasswordNonceLdap: send password nonce (PIN code) via e-mail
      - NukePasswordNonce:     invalidate password nonce (PIN code)

    * validation
      - CheckTimestamp:        check token creation date/time
      - CheckExpiration:       check token expiration date/time
      - CheckPasswordNonce:    check password nonce (PIN code)
      - CheckUsernamePolicy:   check username policy (length, characters)
      - CheckPasswordPolicy:   check password policy (length, complexity)
      - CheckCredentialsLdap:  check credentials on LDAP server
      - CheckPasswordChange:   check old and new passwords are different

    * password change
      - ChangePasswordLdap:    perform password change on LDAP server
      - ChangePasswordKrb5:    perform password change on MIT Kerberos 5 server
      - ChangePasswordAd:      perform password change on Microsoft Active
                               Directory server
      - ChangePasswordMysql:   perform password change on MySQL server

    * account creation (synchronization)
      - CreateAccountKrb5:     create MIT Kerberos 5 principal (or update its
                               password if already existing)
      - CreateAccountAd:       create Active Directory user account (or update
                               its password if already existing)

    * groups synchronization
      - SynchGroupsLdap:       synchronize groups between LDAP servers
      - SynchGroupsMemberLdap: synchronize groups (user) membership between
                               LDAP servers