Removal of plaintext krb5 support.

Steve Langasek vorlon at netexpress.net
Sat Nov 17 17:31:02 GMT 2001


On Sat, Nov 17, 2001 at 11:01:18PM -0000, Mayers, Philip J wrote:

> In the Samba case, you can only really do this:

> samba: pam_authenticate()
> pam:   samba? Username
>        samba: jog
> pam:   samba? <any data>
>        samba: duh - here's the plaintext password, that's all I've got

> There are proposals to extend PAM with "binary prompts" to handle this
> situation:

> samba: pam_authenticate()
> pam:   samba? binary<NTLMSSP challenge>
> samba: pam?   binary<NTLMSSP auth>
> pam:   samba? binary<NTLMSSP resp>
> pam:   authenticated!

> ...however, it's my belief that this is a really silly idea. Other
> (qualified, sensible) people disagree.

I maintain that it is a really silly idea.  After the benefit of not
having to recompile applications when changing authentication
mechanisms, the second greatest benefit of PAM is that of code reuse.
But hiding Samba's NTLMSSP support behind the PAM API doesn't help
anyone reuse code, because there are no other PAM modules that it would
be useful to plug into Samba where NTLMSSP sits today.  It would be
adding unnecessary complexity to the Samba code for no gain at all.

A PAM module that did NTLMSSP via binary prompts would make a good
example of how binary prompting should be used, but such a module would
only be of benefit to other applications that aren't built around
NTLMSSP.

Steve Langasek
postmodern programmer