smbsh and others.

Edan Idzerda edan at mtu.edu
Tue Oct 6 18:07:09 GMT 1998


On Wed, 7 Oct 1998, Luke Kenneth Casson Leighton wrote:

> can we create the convention which, based on ftp's .netrc, ssh's security
> system and win95's password caching does the following:

Err, I don't think .netrc can be compared with anything ssh stores
in your home directory.  Your .netrc has clear text passwords while
~/.ssh contains your private key, if you create one.

I'd really rather not store clear text passwords for \\server\share
in users' home directories, particularly when (in my environment)
the share that they connect to most is their Unix home directory!

I was thinking about something more similar to ssh-agent, which 
creates a Unix socket in /tmp/ssh-$user/ and communication
with it is done by reading and writing the socket.  The biggest
caveat I can think of is that I don't know how to stop root from
getting clear text passwords by writing to the socket.  But perhaps
that is not introducing a security hole, if they already are root?

What about settling for a race condition?  "smbsh" can start up
an 'smb-agent' and then we can prompt the user for a password.
smbwrapper.so can then grab the password on initialization, 
at which point smb-agent forgets it ever heard of a password.

The abuse by root and other users is apparently good enough for
ssh-agent, since even the man page says it's possible.  I can't decide
if it's just a huge security problem waiting to happen or not.
Obviously I've never really used it :)

We could add a SMB_AGENT_RANDKEY environment variable that you 
had to pass to the smb-agent socket to make it a *little* harder
for a wily I-used-rhosts-to-get-into-this-account hacker.  Still,
I suppose a race condition exists between the time you start the
LD_PRELOAD'd shell and the time smbw_init gets called.

But putting clear text passwords in home directories is against
everything I've ever worked for!  :)  But I suppose, in the case
of lanmanager/nt "encrypted" passwords we're doing the same thing
as putting clear text passwords there.  At which point,
I suppose smbwrapper.so might as well open ~/.smb/my.lm.passwords
directly.

I would much prefer a socket thingy to pass clear text passwords,
though.

- edan
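
The agent idea discussed in the message above, as an added sketch that is not part of the original post and not Samba code: a one-shot agent that releases the password only to a same-uid peer presenting the random key, then forgets it. The class and function names, the one-byte status reply, and the use of Linux SO_PEERCRED are assumptions made for illustration; only SMB_AGENT_RANDKEY comes from the message.

```python
import hmac, os, secrets, socket, struct

KEY_LEN = 32  # bytes of random key; hex-encoded into SMB_AGENT_RANDKEY

class OneShotAgent:
    """Hypothetical smb-agent core: releases one password to one authorised client."""

    def __init__(self, password: bytes):
        self._secret = bytearray(password)        # mutable so it can be wiped
        self.randkey = secrets.token_bytes(KEY_LEN)

    def child_env(self) -> dict:
        # What smbsh would export before starting the LD_PRELOAD'd shell.
        return {"SMB_AGENT_RANDKEY": self.randkey.hex()}

    def handle(self, conn: socket.socket) -> bool:
        """Serve one connected AF_UNIX client; True if the password was released."""
        # Linux-only: SO_PEERCRED yields the peer's struct ucred {pid, uid, gid}.
        raw = conn.getsockopt(socket.SOL_SOCKET, socket.SO_PEERCRED,
                              struct.calcsize("iII"))
        _pid, uid, _gid = struct.unpack("iII", raw)
        offered = conn.recv(KEY_LEN, socket.MSG_WAITALL)
        if (uid != os.getuid() or not self._secret
                or not hmac.compare_digest(offered, self.randkey)):
            conn.sendall(b"\x00")                 # refusal: status byte only
            return False
        conn.sendall(b"\x01" + bytes(self._secret))
        self.forget()                             # one successful fetch, then gone
        return True

    def forget(self) -> None:
        for i in range(len(self._secret)):        # best-effort wipe of our copy
            self._secret[i] = 0
        self._secret.clear()

def demo() -> list:
    """Constructed round trip; a socketpair stands in for the agent's socket."""
    agent = OneShotAgent(b"constructed-password")
    key = bytes.fromhex(agent.child_env()["SMB_AGENT_RANDKEY"])
    replies = []
    for offered in (bytes(KEY_LEN), key, key):    # wrong key, first fetch, replay
        srv, cli = socket.socketpair()
        cli.sendall(offered)
        agent.handle(srv)
        replies.append(cli.recv(4096))
        srv.close(); cli.close()
    return replies

if __name__ == "__main__":
    print(demo())
```

The peer-uid and key checks do nothing against root or against a same-uid process that reads the key from the environment first, which is the race the message describes; the one-shot release at least makes that visible, because the legitimate client then gets a refusal.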



