Pluggable Authentication Modules for Windows NT

To meet the challenge of integrating new methods and technologies into the Internet security framework, it is useful to hide low-level authentication mechanisms from application programmers, system administrators, and users, replacing them with abstractions at a higher level. The Pluggable Authentication Method approach popular in Linux, Solaris, and CDE offers one such abstraction. To implement PAM in NT, we replaced the standard Graphical Identification and Authentication module with one that processes PAM tables. This provides security administrators with a flexible tool to plan and implement authentication policy across a wide range of computing platforms. GINA is woven into the NT logon procedure, making it a difficult module to test and debug. Our PAMbased GINA eases this problem by allowing new authentication mechanisms to be replaced and tested without forcing a reboot.