possible solution for ms login under win9x

Should you have problems with the MS logon plugin, here's the place to look for help or report issues.

Post by sgt-d » 2005-04-07 05:16

i'm not sure if this would work, but it would make life easier for many users out there that want to enforce a user/pass login per user instead of one password for anyone - especially for win9x users that are not part of a domain.

in win9x when you create a user account, it creates a .pwl file that stores the password for that user. if there was a new implementation of ms login for win9x it could verify the user name and then check that the password they typed matches the pass stored in the pwl file.

example:

user: sgt-d
password: test

the new ms login would look for sgt-d.pwl and verify that the password "test" matches. if so, they are authenticated at the user level.

even if this does work, the first argument would be that there is no way to control who has full access vs view only access. this will be caused by the fact that win9x doesn't support groups. a simple solution for this would be to have ms login read two files in the windows or system directories, or even in the ultravnc directory. one named vncadmin, the other vncuser (no extensions). you could then enter user names like sgt-d (one user per line, the full name without the .pwl extension) in the files.

these files would be normal text files that could be edited by anyone, but most people won't know how to open them if they don't have an extension.

sure, it's not 100% secure. not by any means. but ANY implementation (even one as insecure as this) is far better than the default "single password without a user name" model for full unrestricted access to the system.

in the event that a user is accidentally put in both groups, the more restrictive group would take precedence and allow them view only capabilities. this seems to be the standard with most permissions anyway.

if a user is not specifically added to one of the two files mentioned, group authentication will fail and they will have no access.

anyway, i am only mentioning this because the .pwl files already exist... and because nobody using win9x can use ms login at all unless there is a domain controller (nt/2k/2k3) running locally on their network. home users would probably never have a domain controller already setup. i have a win98se box that i can't setup here at home simply for this same reason.

if this is even possible it would give win9x users the choice of using strict nt user/group authentication via ms login i, or a less strict local model based on their already created pwl file.

if this goes through, the ms login option names might have to change a little so everyone knows what they are used for.

example:

ms login for nt domains
ms login for 2000/xp user/groups
ms login for win9x only (if all else fails)

i dunno, it's a failover level of crappy/sloppy authentication - but it still beats the "single password" approach.

thoughts?
Last edited by sgt-d on 2005-04-07 05:27, edited 3 times in total.
sgt-d
Posts: 81
Joined: 2005-03-29 04:46

Post by Marscha » 2005-04-07 06:46

Hmm,

why should we add functionality to Win9x when Microsoft was not able/willing/??? to implement this.

I first focused on NT, W2K and XP boxes with MS-Logon II.
Next logical step would be to integrate MS-Logon I and II.
This will definitely not happen before a stable v1.0.

The scenarios I have in mind are networks with several hundred or thousand machines.
Here you definitely/desperately need a scalable solution for authentication/authorization.

What is the benefit for a home user with one (or two or five) machines?
- It's not easier to configure and maintain
- It's not easier to authenticate
- It's not more secure to authenticate

I hope this does not sound too pessimistic or negative.
I just don't see any real requirements.
Marscha
Former moderator
Posts: 471
Joined: 2004-05-14 06:48

Post by sgt-d » 2005-04-07 14:26

i understand your points perfectly.

my suggestion isn't an attempt to do what you are already doing... which is a scalable solution for domains. mine is simply a suggestion for "everyone else" that is still using win9x without a domain.

all i am trying to do is provide a method to allow full/view/deny access for users in win9x based on two parameters (user and pass), without the need for a domain, and instead of "one password / one access level" for everyone.

right now without being able to auth to a domain, a win9x box can be accessed with just a password, and the server can either be set to full access or view only.

the method i mentioned was just a suggestion, but it could still be made even simpler.

for example, instead of trying to read in valid user accounts and then actually checking their password against their .pwl password file, most people would probably agree that a simple windows ini file format would suffice:

;full access
[admins]
sgt-d=test
marscha=mypass

;view only
[users]
goofy=lol

and anyone not listed is denied access.

i am fully aware that this isn't "secure" locally and anyone can simply edit the file. i'm not worried about that at all. the only goal behind this "quick and dirty" authentication would be slightly better security for anyone outside attempting to connect to the server - they would need a username and password, and they would be granted different access levels based on that information.

the simplest implementation would suffice.
Last edited by sgt-d on 2005-04-07 21:25, edited 1 time in total.
sgt-d
Posts: 81
Joined: 2005-03-29 04:46
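The following is an added example, not UltraVNC code and not from any poster in this thread, showing how a server could evaluate the ini layout proposed in the post above: `[admins]` grants full access, `[users]` grants view-only, anyone not listed is denied, and (per the rule in the first post) a user who accidentally appears in both sections gets the more restrictive level. The level names "full", "view" and "deny", the case-insensitive treatment of user names, and the sample file contents are assumptions made for the example.

```python
import configparser
import hmac

# Constructed sample file in the format proposed in the post (not a real config).
SAMPLE_INI = """\
;full access
[admins]
sgt-d=test
marscha=mypass

;view only
[users]
goofy=lol
"""

# Section name -> access level it grants (assumed names, not UltraVNC's).
LEVELS = {"admins": "full", "users": "view"}

# Lower number = more restrictive; used when a user is listed in both sections.
RESTRICTIVENESS = {"deny": 0, "view": 1, "full": 2}


def load_accounts(text):
    """Parse the ini text into {user: [(level, password), ...]}.

    configparser handles the ';' comment lines and lowercases option names,
    which gives us case-insensitive user names (an assumption of this example).
    """
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    accounts = {}
    for section, level in LEVELS.items():
        if not cp.has_section(section):
            continue  # a missing section simply grants nobody that level
        for user, password in cp.items(section):
            accounts.setdefault(user, []).append((level, password))
    return accounts


def authorize(accounts, user, password):
    """Return 'full', 'view' or 'deny' for the supplied credentials."""
    entries = accounts.get(user.lower(), [])
    if not entries:
        return "deny"  # not listed in either section -> no access at all

    # Accept the password if it matches any entry for this user. compare_digest
    # avoids leaking the match position through timing; the file itself is
    # still plaintext and locally editable, exactly as the post acknowledges.
    supplied = password.encode("utf-8")
    if not any(hmac.compare_digest(pw.encode("utf-8"), supplied) for _, pw in entries):
        return "deny"  # listed, but wrong password

    # Listed in both [admins] and [users]: the more restrictive level wins.
    return min((level for level, _ in entries), key=RESTRICTIVENESS.__getitem__)


def decide(text, user, password):
    """Convenience wrapper: parse the file and authorize in one call."""
    return authorize(load_accounts(text), user, password)


if __name__ == "__main__":
    for who, pw in [("sgt-d", "test"), ("goofy", "lol"), ("goofy", "nope"), ("nobody", "x")]:
        print(f"{who!r} -> {decide(SAMPLE_INI, who, pw)}")
```

The "both sections" rule is easy to check by appending the same name under `[users]`: a user who is in `[admins]` and `[users]` is authorized at view level even with the admin password, matching the precedence described in the first post. Marscha's objection below still applies unchanged: whoever can write the file, locally or over a share, controls the outcome of `authorize`.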

Post by Marscha » 2005-04-08 06:17

Okay,

I can see your point (full access vs. view only).

What usage scenarios do you have in mind for this?
I would think that supporting someone normally requires full access.
Are there any other use cases than support?

NB: Your proposed method is not only locally insecure.
If you have enabled network shares someone could do "net use" to access your local drive and change the file.
Marscha
Former moderator
Posts: 471
Joined: 2004-05-14 06:48

Post by sgt-d » 2005-04-08 06:34

the only example i can think of right now is that i have a few friends that use vnc and occasionally i want to show them something without having to email images to them... so i have a few of them jump on my win98 box all at the same time - but i just want them to see what i'm talking about, not take control. then when i get to work and login to the same box, i need full control. that's only one example off the top of my head.

i don't know... this idea would be nice even for people who are having problems in other os's where normally ms login / ms login ii should work. like right now, for some reason my computer at work suddenly decided not to let me auth with any of my accounts using ms login ii. i've tried new user accounts, new groups, and testauth says that the user/pass combinations are good, but ms login ii attempts fail with "vnc authentication failed" errors. i will probably have to uninstall/reinstall it, but until then as a temporary measure i have no choice but to disable ms login ii and use the old "one password / one access level" for everyone method. it would be nice to have a failover option where i can say, "ok, ms login i/ii is currently problematic, let's just use an ini file for temporary user/pass logins".

good point about sharing folders, i wouldn't do that at all.
sgt-d
Posts: 81
Joined: 2005-03-29 04:46

Post by sgt-d » 2005-04-10 17:40

i was talking to my brother on the phone last night and i found another scenario where an ini file containing admins/users would be preferred as opposed to using ms login ii.

ms login ii requires that "forceguest" is disabled. changing this setting turns on advanced file sharing mode. my brother wants to be able to control who can use vnc on his computer based on a username and password, and he wants to be able to control what level access they can have --- but he insists on using simple file sharing mode, which means forceguest must be enabled, also meaning that he cannot use ms login ii.

in his case, an ini file could help him control who gets in, how they get in, and what level control they have over his system.

reference post about forceguest and xp's simple/advanced file sharing
alternate and safer method for disabling forceguest
sgt-d
Posts: 81
Joined: 2005-03-29 04:46
