I’ve been playing with GINA a bit (no, not this one; she’s a bit too mature now for me), trying to find a suitable method for getting Lotus Notes on Windows to sign in automatically when it is launched. The creators of Notes provide the Extension Manager, which can be used to supply the password with which an ID file is unlocked, without having to enter it interactively in the client. The Lotus Notes C API has a sample in misc/extpwd/ that demonstrates this feature very nicely: a shared object library (a DLL on Windows) is registered in the notes.ini file as EXTMGR_ADDINS=mylib. This dynamic library then intercepts the Notes (or Domino) request for a password and, as long as the password it provides is correct, unlocks the ID file with it. People who use Lotus Notes on Mac OS X know what this feels like: there the password for the ID file is stored in the system’s keychain.

Inspired by my work with this PAM module, I am toying with the idea of implementing something similar for Windows XP workstations. One important thing to realize is that the Windows credentials (at least the password) would have to be identical to the Notes ID file password for this to work. On the other hand, isn’t that what most people want to have, or do, anyway?

Windows NT and higher (but not Vista!) use a Graphical Identification and Authentication (GINA) DLL to catch the Secure Attention Sequence (SAS) and collect the user’s credentials. The standard GINA is msgina.dll, Novell’s version is called nwgina.dll, etc.; one of the most flexible is the Open Source pGina. I’ve implemented a small GINA stub which is invoked by Windows (via HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) to capture the user’s password and store it in a file, after chaining to either msgina.dll or nwgina.dll. The file is of course only a proof of concept.
My new GINA (I’ll call it ngina for now, in reverence to the leading n of Notes’ files on Windows) will have to keep the password in a secure place, either volatile in memory or safely encrypted, in order to offer it to Lotus Notes’ Extension Manager when the Notes workstation is launched. What I like about the idea is that the Extension Manager shared object ought to work with the Linux versions as well, so having it retrieve its password this way ought to be quite easy too. I’m not sure whether I’ll implement it as a finished “product”, but at least I have already shown that it is possible and not terribly difficult to do.
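Because a replacement GINA sees every interactive password, the two registration points described above are worth auditing on any workstation: the GinaDLL value under the Winlogon key (Windows falls back to msgina.dll when it is absent) and the EXTMGR_ADDINS line in notes.ini. The script below is an added example, not code from the post or from Lotus; it parses a `reg export` of the Winlogon key and a notes.ini from text, so it runs anywhere the files can be copied to. The sample inputs, the name ngina.dll and the allow-list of expected GINAs are constructed for the example.

```python
# Added example (not from the original post): audit the Winlogon GinaDLL value and
# the EXTMGR_ADDINS line in notes.ini from exported text. Inputs are constructed.
import ntpath

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# GINAs expected on this estate; anything else is reported for review.
# msgina.dll is Windows' own; add nwgina.dll on Novell clients, etc.
KNOWN_GINAS = {"msgina.dll"}


def parse_notes_ini(text):
    """Parse notes.ini into {KEY: value}; keys are case-insensitive, so upper-cased."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";[" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip().upper()] = value.strip()
    return cfg


def extmgr_addins(cfg):
    """EXTMGR_ADDINS is a comma-separated list of add-in libraries loaded at Notes start."""
    return [a.strip() for a in cfg.get("EXTMGR_ADDINS", "").split(",") if a.strip()]


def parse_reg_export(text):
    """Parse the REG_SZ values of a 'reg export' (.reg) file into {key: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, data = line.split("=", 1)
            if data.startswith('"') and data.endswith('"'):  # REG_SZ only
                # .reg files escape quotes and backslashes inside string data
                data = data[1:-1].replace('\\"', '"').replace("\\\\", "\\")
                keys[current][name.strip('"')] = data
    return keys


def audit(reg, cfg, known_ginas=KNOWN_GINAS):
    """Return findings: a GINA outside the allow-list, and every Extension Manager add-in."""
    findings = []
    gina = reg.get(WINLOGON, {}).get("GinaDLL")  # absent => Windows loads msgina.dll
    if gina and ntpath.basename(gina).lower() not in known_ginas:
        findings.append(f"non-default GinaDLL registered in Winlogon: {gina}")
    for addin in extmgr_addins(cfg):
        findings.append(f"Extension Manager add-in loaded by Notes: {addin}")
    return findings


# Constructed sample inputs (not captured from a real machine).
SAMPLE_NOTES_INI = r"""
[Notes]
Directory=C:\notes\data
KeyFilename=user.id
EXTMGR_ADDINS=mylib
"""

SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="alice"
"GinaDLL"="C:\\WINDOWS\\system32\\ngina.dll"
"""

if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_REG_EXPORT), parse_notes_ini(SAMPLE_NOTES_INI)):
        print(finding)
```

Every add-in is reported, not only unknown ones, because EXTMGR_ADDINS is exactly the hook a password-supplying library such as the extpwd sample uses; whether a given entry is sanctioned is a judgement the allow-list cannot make for you.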

DomiNotes, Linux, Security, and MacOSX :: 07 Jun 2007