Password encryption

A Windows-based computer can send and receive updated passwords to and from a UNIX-based computer as encrypted text only. The Password Synchronization single sign-on daemon (SSOD) receives the encrypted password and decrypts it before requesting the password change on the UNIX host. Similarly, if Password Synchronization is configured to support UNIX-to-Windows synchronization, the pluggable authentication module (PAM) encrypts the password before sending it to Password Synchronization on the Windows computer, which then decrypts the password before requesting the password change on the Windows computer.

The password can be successfully decrypted only if Password Synchronization and the SSOD or PAM module use the same encryption key to encrypt and decrypt the password. Before installing the SSOD on any UNIX computer, you must first set the default encryption key. You must then specify the same key in the sso.conf file when you install the SSOD on each UNIX host. This ensures that Password Synchronization and the SSOD on every UNIX host use the same encryption key. For more information on setting the default encryption key, see To set the default encryption key. For information on installing and configuring the SSOD, see To install the Password Synchronization daemon.

For added security, you can specify an encryption key that is used only between a particular Windows computer and a UNIX host. For information on configuring Password Synchronization to use a computer-specific encryption key, see To set computer-specific synchronization properties. For information on setting the computer-specific encryption key on the UNIX computer, see To install the Password Synchronization daemon.
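The key-matching rule above (a default key shared with every UNIX host, optionally overridden by a computer-specific key for one host) is easy to get wrong when sso.conf is edited by hand on many hosts. The following added example, which is not Password Synchronization's own code and does not use the real sso.conf syntax, models the Windows side as a default key plus per-host overrides, parses each UNIX host's key from a simplified `KEY=VALUE` file with a hypothetical `ENCRYPTION_KEY` entry, and reports the hosts whose key will not match what Windows uses for them.

```python
"""Consistency check for Password Synchronization encryption keys.

Assumptions (illustration only, not the product's own code or file format):
the Windows side is modelled as a default key plus optional computer-specific
keys; each UNIX host's sso.conf is modelled as KEY=VALUE lines containing a
hypothetical ENCRYPTION_KEY entry.
"""
from dataclasses import dataclass, field


@dataclass
class WindowsSyncConfig:
    default_key: str
    host_keys: dict = field(default_factory=dict)  # computer-specific keys

    def key_for(self, unix_host: str) -> str:
        # A computer-specific key, if one is set, takes precedence over the default.
        return self.host_keys.get(unix_host, self.default_key)


def parse_sso_conf(text: str) -> dict:
    """Parse simplified KEY=VALUE lines; '#' starts a comment, blank lines are skipped."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip()] = value.strip()
    return settings


def check_keys(win: WindowsSyncConfig, unix_confs: dict) -> list:
    """Return the UNIX hosts whose configured key differs from the key Windows will use."""
    mismatched = []
    for host, conf_text in unix_confs.items():
        unix_key = parse_sso_conf(conf_text).get("ENCRYPTION_KEY")
        if unix_key != win.key_for(host):
            mismatched.append(host)
    return mismatched


# Constructed sample data: unix2 has a computer-specific key, unix3 still has an old default.
WIN = WindowsSyncConfig(default_key="DefaultKey-01", host_keys={"unix2": "Unix2-Only-Key"})
UNIX_CONFS = {
    "unix1": "# sso.conf (constructed sample)\nENCRYPTION_KEY=DefaultKey-01\n",
    "unix2": "ENCRYPTION_KEY=Unix2-Only-Key\n",
    "unix3": "ENCRYPTION_KEY=DefaultKey-02  # stale key from before the default was changed\n",
}

if __name__ == "__main__":
    print("hosts whose SSOD cannot decrypt passwords from Windows:", check_keys(WIN, UNIX_CONFS))
```

A host listed by `check_keys` will receive encrypted passwords it cannot decrypt, so password changes silently fail to propagate until its sso.conf key is corrected.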