Encrypted authentication via PAM

Steve Langasek vorlon at netexpress.net
Mon Sep 10 10:07:01 GMT 2001

Hello Jeff,

On Mon, 10 Sep 2001, Jeff Williams wrote:

> I am hoping to do something out of the ordinary for authentication and
> would like any advice people have.

> I would like to have users (NT and 2000) login to a SAMBA PDC and have their
> username and NT password hash (in the password field) sent along into
> PAM_Auth_Radius or PAM_Radius_Auth to go to a RADIUS server that will check
> against the NT MD4 hash of the password.  Then the result would be sent back
> to PAM and into SAMBA as a grant or deny.
> I do not control the RADIUS server (or the password list), or I would be able
> to solve this easily with the passwords.  I convinced the data owners to add
> this extra NT PW Hash attribute in case I get this to work.  Password changes
> all go through a different system.

> I know that plain text logins can use PAM, and that normally encrypted ones
> don't.
> I've looked at both the ntlm v1 and plaintext sections of smbd and
> am a bit overwhelmed.  Are there multiple pieces I would change or just the one
> I found?  Is the 8 bit piece that is added to the 16 bits going to be a problem
> in checking against an NT MD4 pw hash? Will session related code give me any
> trouble?

I'm afraid you aren't going to have much luck, unless the maintainers of the
RADIUS server also give you carte blanche to rewrite the server code, and even
then you would not have what I would call a robust solution.

An SMB server dealing in encrypted passwords must always have direct access to
the NT password hash in order to authenticate the user.  The RADIUS server
will not pass /any/ attributes back to the SMB server without a successful
authentication.  This puts us in a bit of a bind, because regardless of
PAM, the RADIUS server doesn't know how to do lanman authentication and won't
hand the password hash over to Samba so that it can do so.

So you can hack the RADIUS server to accept both challenge and response from
the client (the samba server) and pass back a yea or nay if everything matches
up with the password hash stored in the RADIUS database.  I would instead
suggest trying to find another protocol that would be agreeable to all
parties, because RADIUS simply is not designed for this.

Steve Langasek
postmodern programmer
