Universal Password Changer (UPwdChg) [GPLv3]
Clone or download
Fetching latest commit…
Cannot retrieve the latest commit at this time.
Type Name Latest commit message Commit time
Failed to load latest commit information.
devel - NEW: Unit tests Oct 15, 2018


Universal Password Changer (UPwdChg)


The Universal Password Changer (UPwdChg) allows one to synchronize passwords
between multiple and different user directory systems - LDAP, MIT Kerberos,
Microsoft Active Directory, etc. - with an emphasis on flexibility, customiz-
ability and untrusted frontends security.

How it works

The Universal Password Changer (UPwdChg) is split in two parts:
 - a frontend, running on any user-accessible (untrusted) host, which allows
   users to request password changes
 - a backend, running on a (trusted) management host, where password change
   requests are processed

In order to deal with the lower security of the frontend host, public key
cryptography is used:
 - on the frontend, password change requests are encrypted as password
   change tokens, using the public key of the processing backend
 - password change tokens are saved in a storage location shared between
   the frontend and the backend (e.g. NFS, CIFS, SSHFS, rsync, etc.)
 - on the backend, password change tokens are decrypted using the backend
   private key, and processed through customizable plugins

Password change tokens are actually made of:
 - the password change data - request timestamp, username, old and new
   passwords, etc. - along corresponding their cryptographic digest, encrypted
   using a symetric cipher
 - the symetric cipher key and initialization vector (IV), encrypted with
   the backend public key
 - the encrypted payload signature, created with the frontend private key

Once decrypted, password change tokens/requests are processed through various
user-customizable plugins:
 - validation plugins, checking credentials validity, password policies
   compliance, etc.
 - actual password change plugins, performing the requested password change
   on multiple and different backends, such as LDAP, MIT Kerberos, Microsoft
   Active Directory, etc.
 - any other tasks that may be required as part of a password change operation

Since its version 2, the Universal Password Changer also features password nonces
- temporary passwords (PIN codes) sent to users via a separate channel - that may
be used:
 - along the user old password to achieve two-factor password change
 - in place of the user old password to achieve (forgotten) password reset


The Universal Password Changer (UPwdChg) provides:

1. a PHP web frontend, allowing users to request password change via their
   web browser

2. a set of Python utilities to manage password change tokens/requests:
    - upwdchg-token:    read/write password change tokens
    - upwdchg-process:  process password change tokens
    - upwdchg-daemon:   watch a given directory for new password change
                        tokens and automatically process them

3. a set of password change token processing plugins:

    * debug
      - ShowTokenInfo:         display token details

    * nonce
      - SendPasswordNonceLdap: send password nonce (PIN code) via e-mail
      - NukePasswordNonce:     invalidate password nonce (PIN code)

    * validation
      - CheckTimestamp:        check token creation date/time
      - CheckExpiration:       check token expiration date/time
      - CheckPasswordNonce:    check password nonce (PIN code)
      - CheckUsernamePolicy:   check username policy (length, characters)
      - CheckPasswordPolicy:   check password policy (length, complexity)
      - CheckCredentialsLdap:  check credentials on LDAP server
      - CheckPasswordChange:   check old and new passwords are different

    * password change
      - ChangePasswordLdap:    perform password change on LDAP server
      - ChangePasswordKrb5:    perform password change on MIT Kerberos 5 server
      - ChangePasswordAd:      perform password change on Microsoft Active
                               Directory server
      - ChangePasswordMysql:   perform password change on MySQL server

    * account creation (synchronization)
      - CreateAccountKrb5:     create MIT Kerberos 5 principal (or update its
                               password if already existing)
      - CreateAccountAd:       create Active Directory user account (or update
                               its password if already existing)

    * groups synchronization
      - SynchGroupsLdap:       synchronize groups between LDAP servers
      - SynchGroupsMemberLdap: synchronize groups (user) membership between
                               LDAP servers