passwords

Sander Striker s.striker at striker.nl
Thu Mar 23 11:42:02 GMT 2000


>On Thu, 23 Mar 2000, Sander Striker wrote:
>
>> Hmmm, interesting point. Let's do some creative thinking.
>> Is there a way to set the password in smbpasswd (or the
>> samr db) the first time a user ever logs in? Meaning that
>> if a user is marked [first time user], his password is
>> checked in an alternative way (using pam?), and setting the
>> password to this value if it is correct. Luke?

>> There is a transitional phase parameter built into samba
>> [...]

>added to samba at least 2 years ago: update encrypted password in
>smb.conf. It means you have to disable encrypted password on the windows
>box as you need the clear text password to check against anything other
>than the NT/LM hashes.

Yep, that was what I was thinking about, or at least trying to remember.
It is still enabled then. Might be an option.
I think however that disabling encryption in the clients is considered
more of a hassle. People tend to loosen their security policy for a
'short' interval if they can get away with temporary centralized
modifications, i.e. on the server. :-)
This gave me another idea though, which isn't very nice, but could/would
do the trick. Whenever the 'first time user' (which has of course to be
defined and not disabled) logs in, the NT/LM hash is stored and used
for further reference. This is a major security risk and should be done
in a controlled environment. Also the time window for this should be very
limited. If you don't trust everyone/anyone you can put the newly set hashes
in a queue for nightly evaluation (or any other (idle) time for that matter),
to crack the hash and check the password against /etc/passwd or equivalent.
You would have to find a tool that does this for you... or write one :-)

Hmmm, there was something in this department some time ago on samba-tech,
let's see:

>It is POSSIBLE to "decrypt" these passwords, but not quickly enough to
>avoid the client timing out. In fact, it can take up to four days to crack
>particularly tough passwords on a fairly powerful PC.
>[...]
>There is little practical difference between LanMan/NT hashes and plaintext:
>a couple of hours of number crunching will "decrypt" the hashes anyway...)
>[...]
>
>James Sutherland.

Sander
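
The transitional parameter discussed in the quoted reply is `update encrypted` in smb.conf, used together with `encrypt passwords`. The fragments below are an added illustration, not part of the original message: they show the two phases of that migration side by side, and the `security = user` line is an assumption about the server's setup.

```ini
; Constructed smb.conf fragments for illustration (not from the thread).

; Phase 1: transitional. Clients must send plaintext passwords, so encrypted
; passwords have to be disabled on the Windows side as well. Samba validates
; the plaintext against the UNIX account and, on success, writes the LM/NT
; hashes for that user into smbpasswd.
[global]
    security = user
    encrypt passwords = no
    update encrypted = yes

; Phase 2: final. Once every user has logged in at least once, switch to
; hashed authentication and stop updating smbpasswd from logins. Clients
; re-enable encrypted passwords at the same time.
[global]
    security = user
    encrypt passwords = yes
    update encrypted = no
```

While phase 1 is active, passwords cross the network in cleartext, which is the trade-off both posters weigh against storing an unverified hash on first login.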


