passdb

Andrew Bartlett abartlet at pcug.org.au
Fri Oct 13 09:35:53 GMT 2000


Simo Sorce wrote:
> 
> Andrew Bartlett wrote:
> >
> > I have a particular interest in passdb, in particular PAM.  My primary
> > ideas involve tightening up samba's security so samba does less work for
> > a potential attacker, and so it uses PAM even when it can't use it to
> > check a password.
> 
> This will need passdb API changes or rewriting.
> I'm also interested but remember that PAM must be an option
> as too many samba-supported systems do not have it.
> 

OpenSSH provides a good model for this (and no, I am not an OpenSSH
developer, but it seems to have (some of) the same issues as Samba and
appears to do a good job regardless).  OpenSSH will also do a fake
password loop if the user puts in an incorrect username, something I
would like to see samba do.  The incredible array of password storage
systems seem to fit quite easily into this, see auth-passwd.c in the
OpenSSH sources.

> > Samba should (IMHO) do account and session processing regardless of
> > encrypted passwords.  See OpenSSH for a *very* good implementation of
> > this.  (I did, as an exercise, start hacking the OpenSSH code into
> > Samba, but got stuck looking for where samba actually starts a
> > connection.)
> >
> > Adding session handling to samba looks quite easy, just add the hooks at
> > the same places as the utmp handling does.
> 
> --
> Simo Sorce - Integrazione Sistemi Unix/Windows - Politecnico di Milano
> E-mail: simo.sorce at polimi.it
> Tel.int: 02 2399 2425 - Fax.int. 02 2399 2451
> -----------------------------------------------------------------
> Be happy, use Linux!

-- 
Andrew Bartlett
abartlet at pcug.org.au
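
The fake password check for unknown usernames mentioned in the message above, as an added example (not part of the original post, and not OpenSSH or Samba code). The `PassDB` class, its fields, the PBKDF2 parameters and the `locked` flag standing in for an account check are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 50_000  # constructed work factor for the example


def _hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class PassDB:
    """Hypothetical password store; not Samba's passdb API."""

    def __init__(self):
        self._users = {}
        # Dummy record checked when the username does not exist, so the
        # hashing cost does not depend on whether the name is valid.
        self._fake_salt = os.urandom(16)
        self._fake_hash = _hash(os.urandom(16).hex(), self._fake_salt)
        self.hash_calls = 0  # instrumentation so the work can be asserted on

    def add_user(self, name: str, password: str, locked: bool = False):
        salt = os.urandom(16)
        self._users[name] = (salt, _hash(password, salt), locked)

    def check(self, name: str, password: str) -> bool:
        rec = self._users.get(name)
        known = rec is not None
        # Unknown names fall through to the dummy record instead of
        # returning early.
        salt, stored, locked = rec if known else (
            self._fake_salt, self._fake_hash, True)
        self.hash_calls += 1
        match = hmac.compare_digest(_hash(password, salt), stored)
        # One failure result for a wrong password, an unknown user and a
        # locked account: the caller cannot tell which check failed.
        return match and known and not locked


if __name__ == "__main__":
    db = PassDB()
    db.add_user("alice", "s3cret")          # constructed sample accounts
    db.add_user("bob", "hunter2", locked=True)
    for user, pw in [("alice", "s3cret"), ("alice", "wrong"),
                     ("nobody", "s3cret"), ("bob", "hunter2")]:
        print(user, db.check(user, pw))
    print("hash computations:", db.hash_calls)
```
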




More information about the samba-technical mailing list