Removal of plaintext krb5 support.

Mayers, Philip J p.mayers at ic.ac.uk
Sat Nov 17 15:07:01 GMT 2001 

It always fascinates me how real-time or embedded OSes have different
quality standards - IOS being a case in point, we have some routers that
have been in constant unfailing operation for 3 years - even my personal
favourite Linux doesn't have that kind of (consistent) stability, although
Solaris on Sun hardware can - perhaps it's the more limited and therefore
easier to target hardware base?

...anyway, back on topic - PAM is supposed to (and does) hide the details of
the backend auth mechanism, but it is only really useful in two arenas:

1) Non-interactive apps (meaning an application where you can't prompt the
user for arbitrary data, like an SMB server talking to a client) with a
relatively static, unidirectional username/auth token pair - this would
include a plaintext username/password, or possible a username/securid.

2) Full-on interactive applications where you can prompt the user for
arbitrary data. This enables things like OTP, challenge-response, etc.

Basically, PAM calls back into the application to prompt it for extra data -
e.g.:

app: pam_authenticate()
pam: app? Username:
     app: joe
pam: app? Challenge otp-md5 jd2345 312
     app: JOE SENDS HIS OTP KEY HERE
pam: authenticated!

In the Samba case, you can only really do this:

samba: pam_authenticate()
pam:   samba? Username
       samba: jog
pam:   samba? <any data>
       samba: duh - here's the plaintext password, that's all I've got

There are proposals to extend PAM with "binary prompts" to handle this
situation:

samba: pam_authenticate()
pam:   samba? binary<NTLMSSP challenge>
samba: pam?   binary<NTLMSSP auth>
pam:   samba? binary<NTLMSSP resp>
pam:   authenticated!

...however, it's my belief that this is a really silly idea. Other
(qualified, sensible) people disagree. You *could* hack it at the moment
with something like:

samba: pam_authenticate()
pam:   samba? "65372867328768697386793486398 NTLMSSSP Chal:"
samba: <parse icky text>
samba: pam? "3757298684679847698376847693476 NTLMSSP Auth:"
<etc>

But that's even worse IMHO. So, after a long ramble - to cut a long story
short, PAM is only useful as an authentication mechanism for plaintext
passwords on the wire. It is useful (session management, account lockout,
utmp support) in other areas.

Hope this clears things up a bit.

Cheers,
Phil

-----Original Message-----
From: Green, Paul
To: 'Mayers, Philip J'; Green, Paul; ''samba-technical at lists.samba.org' '
Cc: ''lukeh at padl.com' '
Sent: 17/11/2001 19:18
Subject: RE: Removal of plaintext krb5 support.


How does the plaintext issue interact with the PAM issue?  I think I'm
lacking some piece of information here. I thought the purpose of PAM was
to
hide the details of the authentication algorithm(s)...

Thanks
PG
--
Paul Green, Senior Technical Consultant, Stratus Computer, Inc.
Voice: +1 978-461-7557; FAX: +1 978-461-3610; Video on request.

More information about the samba-technical mailing list