passdb
Andrew Bartlett
abartlet at pcug.org.au
Fri Oct 13 09:35:53 GMT 2000
Simo Sorce wrote:
>
> Andrew Bartlett wrote:
> >
> > I have a particular interest in passdb, in particular PAM. My primary
> > ideas involve tightening up samba's security so samba does less work for
> > a potential attacker, and so it uses PAM even when it can't use it to
> > check a password.
>
> This will need passdb API changes or rewriting.
> I'm also interested but remember that PAM must be an option
> as too many samba-supported systems do not have it.
>
OpenSSH provides a good model for this (and no, I am not an OpenSSH
developer, but it seems to have (some of) the same issues as Samba and
appears to do a good job regardless). OpenSSH will also do a fake
password loop if the user puts in an incorrect username, something I
would like to see samba do. The incredible array of password storage
systems seem to fit quite easily into this, see auth-passwd.c in the
OpenSSH sources.
> > Samba should (IMHO) do account and session processing regardless of
> > encrypted passwords. See OpenSSH for a *very* good implementation of
> > this. (I did, as an exercise, start hacking the OpenSSH code into
> > Samba, but got stuck looking for where samba actually starts a
> > connection.)
> >
> > Adding session handling to samba looks quite easy, just add the hooks at
> > the same places as the utmp handling does.
>
> --
> Simo Sorce - Integrazione Sistemi Unix/Windows - Politecnico di Milano
> E-mail: simo.sorce at polimi.it
> Tel.int: 02 2399 2425 - Fax.int. 02 2399 2451
> -----------------------------------------------------------------
> Be happy, use Linux!
--
Andrew Bartlett
abartlet at pcug.org.au
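
The fake password check for unknown usernames mentioned in the message above, as an added C example (not part of the original post, and not OpenSSH or Samba code). The `toy_hash` function, the account table and every name in it are constructed stand-ins for a real password backend.

```c
/* Added example: do the same work for unknown users as for known ones. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct account { const char *name; uint64_t salt; uint64_t hash; };

static unsigned hash_calls;   /* instrumentation so equal work can be checked */

/* Stand-in for a real password hash (crypt(3), PAM, smbpasswd). Not for production. */
static uint64_t toy_hash(uint64_t salt, const char *pw)
{
    uint64_t h = 14695981039346656037ULL ^ salt;
    hash_calls++;
    for (int round = 0; round < 1000; round++)
        for (const char *p = pw; *p; p++)
            h = (h ^ (unsigned char)*p) * 1099511628211ULL;
    return h;
}

/* Equality test with no data-dependent early exit. */
static int ct_equal(uint64_t a, uint64_t b)
{
    uint64_t d = a ^ b;
    d |= d >> 32; d |= d >> 16; d |= d >> 8; d |= d >> 4; d |= d >> 2; d |= d >> 1;
    return (int)(~d & 1);
}

static struct account accounts[] = { { "alice", 0x5a17ULL, 0 } };  /* constructed sample */
static const struct account fake = { "", 0xfa4eULL, 0 };  /* used when the user is unknown */

static void setup_accounts(void) { accounts[0].hash = toy_hash(accounts[0].salt, "correct horse"); }

/* Returns 1 only for a known user with the right password. */
static int authenticate(const char *user, const char *pw)
{
    const struct account *acct = &fake;
    int known = 0;
    for (size_t i = 0; i < sizeof accounts / sizeof accounts[0]; i++)
        if (strcmp(accounts[i].name, user) == 0) { acct = &accounts[i]; known = 1; }
    /* Same hash and compare on both paths; the fake result is discarded by the AND. */
    int match = ct_equal(toy_hash(acct->salt, pw), acct->hash);
    return known & match;
}

int main(void)
{
    setup_accounts();
    printf("alice ok=%d, alice bad=%d, unknown=%d\n", authenticate("alice", "correct horse"),
           authenticate("alice", "wrong"), authenticate("mallory", "wrong"));
    return 0;
}
```

A caller that sees 0 cannot tell a bad password from a nonexistent account, and both paths cost one hash computation.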