Password dilemmas.

Roeland M.J. Meyer rmeyer at mhsc.com
Wed Feb 25 08:07:39 GMT 1998


At 11:47 25-02-98 +1100, Samuel James Johnston wrote:
>John,
>
>You have raised an important issue here. Certainly the UNIX community is
>not going to be overly excited at the prospect of even having to alter the
>format of the /etc/passwd file, let alone completely creating a new 'samba
>proprietary' one. Of course if we were MS...
>
>The issues as I see them are:
>
>* Everything in the windows NT client must be stock standard

Not quite, we can modify registry and configuration.

>* The UNIX server should be as close to stock standard as possible (this
>means we can't really modify the authentication procedures, etc.)

And this includes forcing use of shadows and other non-standard
foolishness. Including PAM. However, there might be one exception. BTW, my
efforts with kerbnet are a bust. Too many critical docs are missing from the
release.

>* The password should be able to be changed using the standard password
>change dialog in NT and a modified /bin/passwd file in UNIX.

Careful how you modify here ...

>* The solution cannot rely on PAMs, etc. which may be specific to certain
>operating systems. (ie it must be portable between different versions of
>UNIX)

>* The file which contains the LM and MD4 hashes must be kept secure, as
>these are both reversible (almost) and are password equivalents.

Given that WinNT passwords are naturally insecure, send them plain-text and
wrap an encryption-shell around the whole machine! This is the SSH approach
and it works. However, someone will have to port the relevant parts of SSH
to the CygWin.dll system. Alternatively, the client can spend the $89US to
buy F-secure. 

BTW, I thought that Samba had a means to change the password using a shell
script or direct access to /bin/passwd? I know that I had it set up that way
once, about a year ago. This means that the plain-text password had to be
available at one point. Or is this before we went to encrypted password
support?
___________________________________________________
Roeland M.J. Meyer, ISOC (InterNIC RM993)
e-mail:		mailto:rmeyer at mhsc.com
Personal web pages:	http://www.mhsc.com/~rmeyer
Company web-site:	http://www.mhsc.com/
___________________________________________
Watch for the SecureMail system at MHSC.NET
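Editor's added example (not code from the original post, nor from Samba): the point raised above that the "MD4 hash" is a password equivalent. The hash is MD4 over the UTF-16LE password, and a challenge-response exchange needs only that hash, so whoever reads the hash file can answer a challenge without ever knowing the password. MD4 is written out in pure Python because modern OpenSSL builds often disable it. The LM hash (DES-based) is not computed here. Assumptions: the keyed response uses HMAC-MD5 as NTLMv2 does (NTLMv1 keys DES with the hash instead, with the same consequence); the helper names nt_hash(), challenge_response(), demo() and the smbpasswd-style sample line are this example's own.

```python
"""Added example: why a stolen NT (MD4) hash is a password equivalent.
Assumed names: md4(), nt_hash(), challenge_response(), demo()."""
import hashlib
import hmac
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    x &= MASK32
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """MD4 per RFC 1320, pure Python (OpenSSL frequently disables MD4)."""
    msg = bytearray(data)
    bit_len = (len(data) * 8) & 0xFFFFFFFFFFFFFFFF
    msg.append(0x80)                      # padding: 1 bit, zeros, 64-bit LE length
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    r2_idx = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3_idx = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]

    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):                                   # round 1
            a = _lrot(a + f(b, c, d) + x[i], (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 2
            a = _lrot(a + g(b, c, d) + x[r2_idx[i]] + 0x5A827999,
                      (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                                   # round 3
            a = _lrot(a + h(b, c, d) + x[r3_idx[i]] + 0x6ED9EBA1,
                      (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        a, b, c, d = ((a + aa) & MASK32, (b + bb) & MASK32,
                      (c + cc) & MASK32, (d + dd) & MASK32)
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> bytes:
    """The 'MD4 hash' of the thread: MD4 over the UTF-16LE encoded password."""
    return md4(password.encode("utf-16-le"))


def challenge_response(nt_hash_bytes: bytes, challenge: bytes) -> bytes:
    """Keyed answer to a server challenge computed from the stored hash only.

    Assumption: HMAC-MD5 keyed with the NT hash, the NTLMv2 construction.
    NTLMv1 keys DES with the hash instead; either way the client needs the
    hash, never the password, which is what makes the hash a password equivalent.
    """
    return hmac.new(nt_hash_bytes, challenge, hashlib.md5).digest()


# Constructed sample line in an smbpasswd-style layout (assumed):
# user:uid:LMHASH:NTHASH:flags:LCT. The LM field is left as placeholder X's.
SAMPLE_HASH_FILE = ("alice:1001:" + "X" * 32 + ":" + nt_hash("password").hex()
                    + ":[U          ]:LCT-00000000:\n")


def demo(challenge: bytes = b"\x01\x23\x45\x67\x89\xab\xcd\xef") -> bool:
    """Legitimate client (knows the password) vs. attacker who only read the file."""
    stored_nt = bytes.fromhex(SAMPLE_HASH_FILE.split(":")[3])
    client_resp = challenge_response(nt_hash("password"), challenge)
    attacker_resp = challenge_response(stored_nt, challenge)  # no password needed
    return client_resp == attacker_resp


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("hash-only response matches the real client:", demo())
```

The MD4 routine can be checked against the RFC 1320 test vectors (MD4 of the empty string is 31d6cfe0d16ae931b73c59d7e0c089c0); demo() returning True is the whole argument for keeping that file as tightly protected as /etc/shadow, which is also why sending the plaintext over a wrapped channel is not obviously worse than storing these hashes.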


More information about the samba-ntdom mailing list