SYSKEY2. Request For Comments
Luke Kenneth Casson Leighton
lkcl at samba.org
Fri Feb 4 17:09:04 GMT 2000
On Sat, 5 Feb 2000, Nicolas Williams wrote:
> On Sat, 5 Feb 2000, Luke Kenneth Casson Leighton wrote:
> > i need to make the sam database read-accessible to all unix users. just
> > like /etc/passwd.
> >
> > therefore, i need to encrypt the passwords [or as elrond suggested, keep
> > them in a separate database that is root-only accessible] with a root-only
> > accessible syskey.
> Luke, you can use a separate root-read-only TDB for storing the password
> data. Much like Unix systems have /etc/passwd and /etc/shadow (as
> someone else has already pointed out).
this is an expansion of the above sentence in [].
> Jeremy is correct in likening your idea to the way MIT's Kerberos KDC
> stores its data.
does that have any merits that are worth investigating?
> Think about it: you're gonna encrypt the data and then keep the
> encryption key in a root-read-only file on the same machine anyways (If
> you don't then an operator would have to type in the key when the
> service starts).
both those are possibilities.
> It's not a bad thing, but it's also not any more secure than the
> shadow idea.
it's _as_ secure. that's good enough for me.
for the record, i'm taking in ideas at the moment, not implementations,
design brain-storming only, please.