Encrypted authentication via PAM

Andrew Bartlett abartlet at pcug.org.au
Mon Sep 10 02:29:05 GMT 2001


Jeff Williams wrote:
> 
> Hello,
> 
> I am hoping to do something out of the ordinary for authentication and
> would like any advice people have.
> 
> I would like to have users (NT and 2000) login to a SAMBA PDC and have their
> username and NT password hash (in the password field) sent along into
> PAM_Auth_Radius or PAM_Radius_Auth to go to a RADIUS server that will check
> against the NT MD4 hash of the password.  Then the result would be sent back
> to PAM and into SAMBA as a grant or deny.
> I do not control the RADIUS server (or the password list), or I would be able
> to solve this easily with the passwords.  I convinced the data owners to add
> this extra NT PW Hash attribute in case I get this to work.  Password changes
> all go through a different system.
> 
> I know that plain text logins can use PAM, and that normally encrypted ones
> don't.
> I've looked at both the ntlm v1 and plaintext sections of smbd and
> am a bit overwhelmed.  

Now you see why I'm rewriting it for HEAD...

> Are there multiple pieces I would change or just the one
> I found?  Is the 8 bit piece that is added to the 16 bits going to be a problem
> in checking against an NT MD4 pw hash? Will session related code give me any
> trouble?

Unfortunately there is a fundamental problem here: we never have the
plaintext password and only occasionally have the md4'ed password.  Most
of the time all we get is the md4'ed password mashed up with the
challenge, as NTLM is a challenge-response protocol. 

Unfortunately your options are rather limited:  Either force your clients
to plain-text or find some way to get NT-compatible challenge-response
pairs to and from your password server.  If you do come up with some
crazy scheme in this area, the work I'm doing in HEAD will assist you in
implementing it.

Andrew Bartlett
-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Samba Team member, Build Farm maintainer        abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net