P-Synch: Making Network Life Easier
One of the more troublesome tasks for network users is ensuring passwords are changed on all the machines they work on. In the UNIX environment (and as a client on some Windows systems), there is the Network Information Service, which maintains a master password file on a UNIX server and validates logons anywhere on the network against that master file. For Windows NT-based networks, though, users must go through the process of physically changing their passwords on every machine they log into or use. Since a user wants all their passwords to be the same for maximum flexibility, most don’t bother going through this routine and either maintain several different logons, or don’t bother with passwords at all. Neither alternative is good.
A novel solution has been developed by Mercury Information Technology, M-Tech, in the guise of a password synchronization program called P-Synch. P-Synch lets users change passwords on all machines on the network from a single client application or Web browser interface on their machine. Unlike NIS, P-Synch doesn’t maintain a master password file anywhere, but physically changes login information on each machine on the network and on applications that require logins, too. Based on a Windows NT or Windows 95 machine, P-Synch can handle practically any operating system through clients. For example, P-Synch can change the UNIX /etc/passwd file (or a shadow file maintained by NIS). Indeed, P-Synch coexists quite peacefully with NIS.
Even better than simply changing passwords for you, P-Synch lets an administrator control access to network machine so users can only change passwords on devices they have permission for. Go one step further and allow the administrator to control the types of passwords and the strength of each password chosen, and P-Synch begins to look like a tool every network should employ. Add a trivial end-user training curve, a Web browser interface, and an almost ridiculously low license fee, and, well, you just have to check out P-Synch.
You can’t buy P-Synch in a box. M-Tech distributes demo versions and full releases through their Web page, which is also the only way to get documentation. You have to fill in a short agreement to get a demonstration version of the software prepared for you. The demo version limits the number of devices and applications P-Synch tracks to ten, and the number of authorized users to five. You are free to use that version to assess P-Synch, but since there are few networks that are only five users in size, you’ll have to purchase a license to get the full version. Licenses are on a per-user basis, usually at $10 per user. Site licenses are negotiable. You will want a fast link to the Web to get the demonstration package from M-Tech. The P-Synch ZIP file is almost 10MB big. An e-mailed password protects the ZIP file from use.
The 160-page Installation and Administration Guide and a White Paper are also available from the M-Tech Web site. The documents are supplied in both PCL and PS formats (luckily, they’re zipped as the files are 34 and 9MB respectively). You will also need an on-line viewer like GhostView or RoPS if you want to read the PostScript file on the screen. The documentation is thorough and reads well despite a few editing problems. The use of a different font would have helped the readability, but that’s a minor quibble. Most of the Guide is taken up with details of integrating P-Synch will different applications and operating systems, so only relevant parts need be read.
While P-Synch changes passwords natively on every system and application it works with, it does maintain a central configuration file which provides not only setup information for P-Synch but also user and device information. One machine on the network is therefore be designated for P-Synch administration, although it does not impact that machine’s performance noticeably. On our test network, our Windows NT Server performed as well before P-Synch was installed as after even when we had everyone change passwords in a short timespan. This low-load nature allows full-time use of the host server by the network administrator.
Installing the P-Synch package is simple. After unzipping the distribution file, a binary launches the start program. There is a separate install routines for Windows NT, Windows 95, and Windows 3.X. The installation procedure steps you through the identification of your hosts, users, and password requirements. If you are setting up P-Synch to use UNIX or NetWare machines, a client package is copied to those machines and an install script executed. The entire setup process for the demo version takes about ten minutes.
After the installation is complete, most of the administration of P-Synch is through an ASCII editor. The configuration file contains a list of all the users who can use P-Synch as well as every host on the system. No passwords are placed in the file. (To prevent tampering, the P-Synch server directory should be protected from write access, and perhaps even read, depending on the situation.) A matrix of which users maintain accounts on which systems, and any password rules to be enforced complete the configuration file. The syntax for the configuration file entries is given in the documentation, but care must be taken to ensure entries meet the syntax rules. A verification utility would be a nice touch. A full-screen Window interface to the configuration file would be much better and it’s curious that M-Tech didn’t develop one.
The list of supported platforms is long, and includes all Windows and DOS versions, NetWare 3.X and 4.X server and clients, UNIX (any version that maintains an /etc/hosts file, uses NIS, or password shadowing), Kerberos-managed systems, and any system that can be reached through Telnet. Applications that P-Synch supports automated password changes for include Oracle, Sybase, SQL*Server, Microsoft Mail, Lotus Notes and, Lotus cc:Mail. On top of that, P-Synch provides a scripting agent that can automate password changes for any application that allows users to log in and interactively change passwords, too. Just in case you’ve got a platform or application that none of the above handles, M-Tech can customize a client for you for “a nominal fee”.
P-Synch allows you to enforce strong password rules. Usually, a strong password is one that follows certain traits: it cannot be a derivative of the user’s login or name, cannot be a straight dictionary word (in all languages, theoretically), should be long, should be composed of a combination of letters and numbers or punctuation marks, and should mix upper and lower case letters where the operating system allow it. This type of password has been shown to be far more difficult to hack into illegally, which is why most companies enforce very strong password rules. One last aspect for strong passwords that some systems can enforce is password aging. Passwords should be changed frequently (ideally, every 60 to 90 days), and old passwords shouldn’t be reused. Setting these rules during P-Synch’s setup is simple, but modifying them later requires the old ASCII editor and some keyword in the configuration file.
The P-Synch user interface is a good example of a simple interface with some strong background preprocessing taking place. When invoked by a user either directly application or through a browser interface, P-Synch follows a specific sequence of steps. A check of the P-Synch configuration files reveals which systems a user can change passwords for, and the interface displays that list and allows the user to select some or all of the systems to effect the change on. After prompting for old and new passwords, P-Synch checks the strength of the new password according to rules the configuration file established, then ensures that each client machine or application the password is to be changed on has the same old password. If all is well to that point, the agent changes the password over the network transparently.
One neat feature of the password change process which is lacking in every other network-wide password tool is the ability to restart in case of an interruption. The cause of the interruption doesn’t matter: the P-Synch server may have crashed, the user logged off, or a network problem may have occurred. P-Synch maintains a log of the events and allows the user to restart at the same place, or begin the process from start. We tested this several times by terminating the client or server processes at different points, and in two cases by killing the power to the client and the server in turn. Each time P-Synch restarted perfectly and allowed the password change process to proceed from the interrupt point.
We tested P-Synch on our in-house TCP/IP network, although we were limited to ten devices and five users. We chose a mix of devices, including Windows 95, Windows NT servers, three UNIX versions, and two applications (SQL*Server and Lotus Notes) to put P-Synch through its paces. To get P-Synch to work properly with each platform requires a bit of work by the administrator. Windows 95 platforms need their policies modifying a bit, but step-by-step instructions are provided to make this easy. (It is possible for a user to circumvent P-Synch entirely by removing the references to the utility, although since P-Synch is for the user’s benefit, it would not make too much sense to remove it). UNIX machines need an agent installing to feed changes to the password utility, but this takes only a minute and worked on the SCO UNIX, Sun Solaris 2.4, and HP-UX 10.2 platforms we tested. The most troublesome part of the test period was modifying the P-Synch configuration file, as we managed to botch a couple of entries while experimenting. As mentioned earlier, a validation routine or graphical interface would be a good idea. Since the demo version we used only allowed a few devices and users to be added, we can imagine that a several-hundred (or thousand) network device file would become unwieldy very quickly.
We did like the idea of a programmable agent. While we didn’t try it in depth, the ability to write a simple script that steps through a password change process for a new platform or agent is attractive. We manually wrote a password agent for our Linux machine and a database application sitting on it (although Linux is supported as part of the general UNIX agent) and they worked flawlessly. During the two-week testing period, we changed passwords hundreds of times and modified many aspects of the configuration, and P-Synch didn’t burp once.
One little bonus you get with P-Synch is a HelpDesk utility. This gives an administrator a simple method of tracking authorized users and issues. It allows an administrator to override a user’s password on any system on the network, which is handy when users forget their passwords. It also allows master lists of all users and all devices on the network.
We were pleasantly surprised by the overall effectiveness of P-Synch. While the idea of agents making password changes on many platforms is simple, in retrospect, we haven’t seen anything else that does it like P-Synch. A few rough edges (administration, the manual, and distribution process) exist, but they are quibbles compared to the advantages this application bestows. M-Tech is to be congratulated on a fine program, and one that all Windows NT network managers should look at carefully.
P-Synch Password Synchronization
License $10 per user per year (including support and upgrades)
M-Tech Mercury Information Technology, Inc.
#750 910 7th Ave. S.W.
Fax: (403) 233-0725