password sync
Andrew Bartlett
abartlet at pcug.org.au
Tue Jan 8 15:52:02 GMT 2002
Charles Marcus wrote:
> > I always recommend running 2.2.2 and compiling --with-pam,
> > setting 'pam password change = yes' in your smb.conf. This
> > means you must have an /etc/pam.d/samba file containing a
> > 'password' line, but is *much* easier to debug because it
> > doesn't use timeouts and other nasties - it uses the PAM
> > interface directly. We even get meaningful errors out of it :-).
> >
> > Andrew Bartlett
>
> How secure is this, real world? I have heard many times that PAM is 'bad'
> because it uses clear-text passwords. I would love to start using it, as it
> seems to be real simple compared to other methods, but am concerned about
> security.
This change has no impact on security.
I'm not suggesting running 'encrypt passwords = no' (which would use PAM
for authentication), just that instead of using the tty-based 'chat'
you use the PAM C API when setting the password. Because we are calling
standard C functions we also get back sane error codes and we don't have
to do silly things like 'timeouts' because the C lib tells us when we
are done :-).
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
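
Added example, not part of the original message or of Samba's own documentation: the tty 'chat' password sync settings beside the PAM-based ones the post recommends, with 'encrypt passwords' left on in both. The passwd program path, the chat string and the pam_unix.so line are assumptions for a typical Linux host; substitute the modules your system's own password stack uses.

```conf
# Alternative A: smb.conf, tty 'chat' password sync (what the post moves away from)
[global]
    encrypt passwords = yes
    unix password sync = yes
    # smbd runs this program and answers its prompts using the chat script
    # (path and chat string are assumed, site-specific values)
    passwd program = /usr/bin/passwd %u
    passwd chat = *new*password* %n\n *new*password* %n\n *changed*

# Alternative B: smb.conf, same sync through the PAM API
# (needs an smbd compiled --with-pam, as the post says)
[global]
    # unchanged: SMB logons are still checked against the encrypted password database
    encrypt passwords = yes
    unix password sync = yes
    # the Unix password is set through PAM instead of running passwd program
    pam password change = yes

# /etc/pam.d/samba, the 'password' line the post requires
# (pam_unix.so is an assumed module choice)
password   required   pam_unix.so
```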