Join GitHub today
GitHub is home to over 28 million developers working together to host and review code, manage projects, and build software together.Sign up
Universal Password Changer (UPwdChg) [GPLv3] http://cedric.dufour.name/software/up…
Fetching latest commit…
Cannot retrieve the latest commit at this time.
|Type||Name||Latest commit message||Commit time|
|Failed to load latest commit information.|
Universal Password Changer (UPwdChg) ==================================== Synopsis -------- The Universal Password Changer (UPwdChg) allows one to synchronize passwords between multiple and different user directory systems - LDAP, MIT Kerberos, Microsoft Active Directory, etc. - with an emphasis on flexibility, customiz- ability and untrusted frontends security. How it works ------------ The Universal Password Changer (UPwdChg) is split in two parts: - a frontend, running on any user-accessible (untrusted) host, which allows users to request password changes - a backend, running on a (trusted) management host, where password change requests are processed In order to deal with the lower security of the frontend host, public key cryptography is used: - on the frontend, password change requests are encrypted as password change tokens, using the public key of the processing backend - password change tokens are saved in a storage location shared between the frontend and the backend (e.g. NFS, CIFS, SSHFS, rsync, etc.) - on the backend, password change tokens are decrypted using the backend private key, and processed through customizable plugins Password change tokens are actually made of: - the password change data - request timestamp, username, old and new passwords, etc. - along corresponding their cryptographic digest, encrypted using a symetric cipher - the symetric cipher key and initialization vector (IV), encrypted with the backend public key - the encrypted payload signature, created with the frontend private key Once decrypted, password change tokens/requests are processed through various user-customizable plugins: - validation plugins, checking credentials validity, password policies compliance, etc. - actual password change plugins, performing the requested password change on multiple and different backends, such as LDAP, MIT Kerberos, Microsoft Active Directory, etc. - any other tasks that may be required as part of a password change operation Since its version 2, the Universal Password Changer also features password nonces - temporary passwords (PIN codes) sent to users via a separate channel - that may be used: - along the user old password to achieve two-factor password change - in place of the user old password to achieve (forgotten) password reset Features -------- The Universal Password Changer (UPwdChg) provides: 1. a PHP web frontend, allowing users to request password change via their web browser 2. a set of Python utilities to manage password change tokens/requests: - upwdchg-token: read/write password change tokens - upwdchg-process: process password change tokens - upwdchg-daemon: watch a given directory for new password change tokens and automatically process them 3. a set of password change token processing plugins: * debug - ShowTokenInfo: display token details * nonce - SendPasswordNonceLdap: send password nonce (PIN code) via e-mail - NukePasswordNonce: invalidate password nonce (PIN code) * validation - CheckTimestamp: check token creation date/time - CheckExpiration: check token expiration date/time - CheckPasswordNonce: check password nonce (PIN code) - CheckUsernamePolicy: check username policy (length, characters) - CheckPasswordPolicy: check password policy (length, complexity) - CheckCredentialsLdap: check credentials on LDAP server - CheckPasswordChange: check old and new passwords are different * password change - ChangePasswordLdap: perform password change on LDAP server - ChangePasswordKrb5: perform password change on MIT Kerberos 5 server - ChangePasswordAd: perform password change on Microsoft Active Directory server - ChangePasswordMysql: perform password change on MySQL server * account creation (synchronization) - CreateAccountKrb5: create MIT Kerberos 5 principal (or update its password if already existing) - CreateAccountAd: create Active Directory user account (or update its password if already existing) * groups synchronization - SynchGroupsLdap: synchronize groups between LDAP servers - SynchGroupsMemberLdap: synchronize groups (user) membership between LDAP servers