SYSKEY2. Request For Comments
Luke Kenneth Casson Leighton
lkcl at samba.org
Mon Feb 7 22:58:42 GMT 2000
On Tue, 8 Feb 2000, Simon Lodal wrote:
> > > So the real problem has now turned out to be that we are using other
> > > protocols that someone might be able to listen on, over the wire?
> >
> > YES. [thank you for noticing. noone else has].
>
> Thank you for clarifying :)
>
>
> > > probably in the disk drive. How disciplined would you be? So when a
> >
> > that's their problem, not ours.
>
> I think it's ours. The human factor is the biggest source of vulnerability
> in any system. If we can do anything to minimise the risk of human failure,
> we should do so. At least don't force users to need an external disk (I
> don't understand from the discussion if users will be forced to do this, or
> if it's an easy option).
"syskey file = /floppy/syskey2" - we can't stop them or inhibit admins
from doing this, or anything else. check perms = 0400 is good.
> Also I have bad feeling about SYSKEY2 for another reason. It is all about
> implementing yet another security scheme which will surely be incompatible
> with others in some way.
it's a local measure only (actually, local to a SAM, so therefore local to
PDCs+allBDCs for the domain).
> Also it will demand sysadms to learn and maintain
> yet another security measure. I feel so much better about generic methods,
> such as running everyting over ssh or the like (don't know if that's at all
> possible or relevant here).
yes it is.
More information about the samba-ntdom
mailing list