SYSKEY2. Request For Comments
Luke Kenneth Casson Leighton
lkcl at samba.org
Fri Feb 4 18:07:52 GMT 2000
On Fri, 4 Feb 2000 jeremy at valinux.com wrote:
> >
> > i need to make the sam database read-accessible to all unix users. just
> > like /etc/passwd.
> >
> > therefore, i need to encrypt the passwords [or as elrond suggested, keep
> > them in a separate database that is root-only accessible] with a root-only
> > accessible syskey.
>
> No, you don't want to give even encrypted access to the hash
> values to ordinary users.
i won't be -- over-the-wire. i blank those out.
> And if you keep the hashes separately in a root accessible
> only file (like the current smbpasswd file), then you don't
> need to encrypt the file - just as we don't encrypt the root
> read only smbpasswd right now.
well, the trouble with that is that i will have to maintain (and lock, and
maintain), two databases, for users.
tdb_lock(passwd_tdb);
tdb_lock(user_tdb);
create_user(passwd_tdb, user_tdb, &usr21);
tdb_unlock(passwd_tdb);
tdb_unlock(user_tdb);
i hear you say, what's wrong with that? well, the current list of
databases is:
sam.tdb
S-1-5-32.usr.tdb
S-1-5-32.als.tdb
S-1-5-32.grp.tdb
S-1-5-21-xxx-xxx-xxx.usr.tdb
S-1-5-21-xxx-xxx-xxx.als.tdb
S-1-5-21-xxx-xxx-xxx.grp.tdb
now you want me to add (and yes, i'm considering it) .pwd.tdb
at least with a SYSKEY2 algorithm i can load a
/usr/local/samba/private/syskey2.mac root-accessible-only file (which, if
root so desires, can be read at start-up time from /floppy/syskey2.mac
instead!) and use it to encrypt the password fields in
S-1-5-21-xxx-xxx-xxxx.usr.tdb, and this allows me to make all those files
ug+r (not, by the way, o+r, necessarily).
> It's a waste of time and effort. Don't do it !
>
> SYSKEY is just a pathetic attempt to add obscurity
> to a system unless the root key is kept separately
> off the machine on a floppy - that's the only reason
> it would add *any* security.
if you read netect / bindview's analysis of SYSKEY, it adds absolutely
nothing anyway, because as XXXXXXX usual, microsoft can't use RC4
correctly.
they reset the cypher stream on every single password, so you do
XOR(E(LM#), E(NT#)) and you can then do a brute-force analysis à la
l0phtcrack.
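The keystream-reuse flaw described above, as an added illustration that is not part of the original message or of Samba's code: a toy RC4 is keyed once per field (the "reset the cypher stream on every password" case), so XORing the two ciphertexts cancels the keystream and yields XOR(LM#, NT#); a second variant derives a distinct key per record and field via HMAC, which is an assumed design, not the SYSKEY2 scheme the author actually proposed. The sample hashes and key are constructed values.

```python
import hashlib
import hmac

# Constructed 16-byte stand-ins for one account's LM# and NT# and for the syskey.
LM_HASH = bytes.fromhex("00112233445566778899aabbccddeeff")
NT_HASH = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
SYSKEY = b"constructed-syskey-for-demo"


def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4 key schedule + PRGA, only to demonstrate keystream reuse."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encrypt_reset_per_field(syskey: bytes, lm: bytes, nt: bytes):
    """Flawed: cipher restarted for every field, so both fields share one keystream."""
    ks = rc4_keystream(syskey, 16)
    return xor(lm, ks), xor(nt, ks)


def encrypt_per_field_key(syskey: bytes, rid: int, lm: bytes, nt: bytes):
    """Assumed fix: derive a distinct key per (record, field) so no keystream repeats."""
    def field_key(label: bytes) -> bytes:
        return hmac.new(syskey, rid.to_bytes(4, "little") + label, hashlib.sha256).digest()
    return (xor(lm, rc4_keystream(field_key(b"LM"), 16)),
            xor(nt, rc4_keystream(field_key(b"NT"), 16)))


def keystream_cancels(c_lm: bytes, c_nt: bytes, lm: bytes, nt: bytes) -> bool:
    """True when XOR of the ciphertexts equals XOR of the plaintexts (two-time pad)."""
    return xor(c_lm, c_nt) == xor(lm, nt)
```

Because both modes are XOR with a keystream, decryption is the same call with the ciphertexts in place of the plaintexts.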