SYSKEY2. Request For Comments
Luke Kenneth Casson Leighton
lkcl at samba.org
Fri Feb 4 16:28:55 GMT 2000
i need to make the sam database read-accessible to all unix users. just
like /etc/passwd.
therefore, i need to encrypt the passwords [or as elrond suggested, keep
them in a separate database that is root-only accessible] with a root-only
accessible syskey.
On Fri, 4 Feb 2000 jeremy at valinux.com wrote:
> > i am looking to implement an equivalent mechanism to SYSKEY, however i do
> > not have the relevant security skills to say whether a proposal is secure
> > or not.
>
> Why ? SYSKEY is a silly idea !
>
> Either you trust root, or you don't.
>
> If you don't trust root, then all the SYSKEY in
> the world doesn't help. If you do trust root, then
> why not let them see the hashed passwords ?
>
> Don't give me any "it improves security" crap,
> as it doesn't (unless you store the key off
> machine - on a floppy disk needed on machine boot).
>
> This is the same issue kerberos has.
>
> There is no need to complicate all our code with
> this stuff, it doesn't even add any security !
>
> What does everyone else think ? I don't want you
> to implement it - it's just a *bad* idea.
>
> Jeremy.
>
<a href="mailto:lkcl at samba.org" > Luke Kenneth Casson Leighton </a>
<a href="http://www.cb1.com/~lkcl"> Samba and Network Development </a>
<a href="http://samba.org" > Samba Web site </a>
<a href="http://www.iss.net" > Internet Security Systems, Inc. </a>
<a href="http://mcp.com" > Macmillan Technical Publishing </a>
ISBN1578701503 DCE/RPC over SMB: Samba and Windows NT Domain Internals