SYSKEY2. Request For Comments

Luke Kenneth Casson Leighton lkcl at samba.org
Fri Feb 4 18:07:52 GMT 2000 

yyOn Fri, 4 Feb 2000 jeremy at valinux.com wrote:

> > 
> > i need to make the sam database read-accessible to all unix users.  just
> > like /etc/passwd.
> > 
> > therefore, i need to encrypt the passwords [or as elrond suggested, keep
> > them in a separate database that is root-only accessible] with a root-only
> > accessible syskey.
> 
> No, you don't want to give even encrypted access to the hash
> values to ordinary users.

i won't be -- over-the-wire.  i blank those out.

> And if you keep the hashaes seperately in a root accessible
> only file (like the current smbpasswd file), then you don't
> need to encrypt the file - just as we don't encrypt the root
> read only smbpasswd right now.

well, the trouble with that is that i will have to maintain (and lock, and
maintain), two databases, for users.

tdb_lock(passwd_tdb);
tdb_lock(user_tdb);

create_user(passwd_tdb, user_tdb, &usr21);

tdb_unlock(passwd_tdb);
tdb_unlock(user_tdb);

i hear you say, what's wrong with that?  well, the current list of
databases is:

sam.tdb
S-1-5-32.usr.tdb
S-1-5-32.als.tdb
S-1-5-32.grp.tdb
S-1-5-21-xxx-xxx-xxx.usr.tdb
S-1-5-21-xxx-xxx-xxx.als.tdb
S-1-5-21-xxx-xxx-xxx.grp.tdb

now you want me to add (and yes, i'm considering it) .pwd.tdb

at least with a SYSKEY2 algorithm i can load a
/usr/local/samba/private/syskey2.mac root-accessible-only file (which, if
root so desires, can be read at start-up time from /floppy/syskey2.mac
instead!) and use it to encrypt the password fields in
S-1-5-21-xxx-xxx-xxxx.usr.tdb, and this allows me to make all those files
ug+r (not, by the way, o+r, necessarily).


> It's a waste of time and effort. Don't do it !
> 
> SYSKEY is just a pathetic attempt to add obscurity
> to a system unless the root key is kep t separately
> off the machine on a floppy - that's the only reason
> it would add *any* security.

if you read netect / bindview's analysis of SYSKEY, it adds absolutely
nothing anyway, because as XXXXXXX usual, microsoft can't use RC4
correctly.

they reset the cypher stream on every single password, so you do
XOR(E(LM#), E(NT#)) and you can then do a brute-force analysis a'la
l0phtcrack.

More information about the samba-ntdom mailing list