[Samba] getting rid of lmhashes?
Mark Proehl
M.Proehl at science-computing.de
Thu Mar 2 20:52:47 GMT 2006
On Thu, Mar 02, 2006 at 02:35:50PM -0600, Gerald (Jerry) Carter wrote:
> Mark Proehl wrote:
>
> > I am aware that both hashes are equivalent to clear text passwords
> > and must be protected therefore. But cracking passwords with tools
> > like john is much faster if the lm hashes are available, so I think
> > there should be an option to disable them.
>
> If you use passwords >14 characters in length, I'm sure the
> lanman hashes are not generated. I would need to dig through
> the code to remember how to prevent them from being generated
> in other scenarios. Maybe later.
mark at myhost:~> smbpasswd
Old SMB password: [qwert123]
New SMB password: [qwertzuiop12345]
Retype new SMB password: [qwertzuiop12345]
Password changed for user mark
mark at myhost:~> ldapsearch -LLL uid=mark sambaLMPassword sambaNTPassword
SASL/GSSAPI authentication started
SASL username: mark at EXAMPLE.COM
SASL SSF: 56
SASL installing layers
dn: uid=mark,ou=people,dc=example,dc=com
sambaNTPassword: 1A1B11A0FE8352FB618F1B59A7CA3D2B
mark at myhost:~>

Cool! But forcing users to passwords > 14 chars is not that easy...
Are you sure that there is no other way to disable lanman hashes?
Mark
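
Added example, not part of the original message and not Samba project code: a small audit helper that reads LDIF in the form `ldapsearch -LLL` prints above and lists every entry that still carries a sambaLMPassword value. The function names and the sample entries for alice and bob (with their hash values) are constructed for illustration; only the entry for mark comes from the message.

```shell
#!/bin/sh
# lm_hash_audit: read LDIF on stdin and print the DN of every entry
# that has a non-empty sambaLMPassword attribute.
lm_hash_audit() {
    awk '
    # Report the finished entry, then reset the per-entry state.
    function flush_entry() {
        if (dn != "" && has_lm) print dn
        dn = ""; has_lm = 0
    }
    # Process one logical (already unfolded) LDIF line.
    function handle(line,    low) {
        if (line == "") { flush_entry(); return }   # blank line ends an entry
        low = tolower(line)          # attribute names are case-insensitive
        if (low ~ /^dn::? /) { dn = line; sub(/^[^ ]+ /, "", dn) }
        else if (low ~ /^sambalmpassword::? *[^ ]/) has_lm = 1
    }
    {
        sub(/\r$/, "")
        if (substr($0, 1, 1) == " " && have) {
            pending = pending substr($0, 2)   # LDIF folded continuation line
        } else {
            if (have) handle(pending)
            pending = $0; have = 1
        }
    }
    END { if (have) handle(pending); flush_entry() }
    '
}

# Constructed sample input: mark has no LM hash (as in the message),
# alice and bob do; the DN of bob is folded across two lines.
sample_ldif() {
    printf '%s\n' \
        'dn: uid=mark,ou=people,dc=example,dc=com' \
        'sambaNTPassword: 1A1B11A0FE8352FB618F1B59A7CA3D2B' \
        '' \
        'dn: uid=alice,ou=people,dc=example,dc=com' \
        'sambaLMPassword: 0123456789ABCDEF0123456789ABCDEF' \
        'sambaNTPassword: FEDCBA9876543210FEDCBA9876543210' \
        '' \
        'dn: uid=bob,ou=people,dc=exa' \
        ' mple,dc=com' \
        'sambalmpassword: 0123456789ABCDEF0123456789ABCDEF'
}

sample_ldif | lm_hash_audit
```

A DN that the server returns base64-encoded (`dn::`) is printed in its encoded form. An account is only reported if the bind identity is allowed to read sambaLMPassword, so run the query with an identity that can see the attribute.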