Storing only a salted, hashed password for offline creds
Hansjörg Maurer
hansjoerg.maurer at dlr.de
Sun Aug 20 13:09:37 GMT 2006
Hi
sorry for inserting an issue into this thread, which may just be related.
If I understand the context of this thread correctly,
it deals with local logon into Unix workstations which
authenticate against an Active Directory.
Is there a chance in the future that a Samba AD member server can
cache credentials too, in order to give Windows clients access to shares
on the server
even if the Active Directory DCs are not available?
I asked this some weeks ago on samba-users and was told that this
is not possible at the moment.
Thank you and greetings from Munich
Hansjoerg
Andrew Bartlett wrote:
>On Sat, 2006-08-19 at 14:51 -0700, Jeremy Allison wrote:
>
>>On Sun, Aug 20, 2006 at 07:46:47AM +1000, Andrew Bartlett wrote:
>>
>>>That's correct, and an entrypoint I support in the Samba4
>>>NTLMSSP/credentials code.
>>
>>Likewise in Samba3 now :-).
>>
>>>Also, for plaintext: do you store the plaintext or a hash for the
>>>offline credentials? You should store a salted hash.
>>
>>Can't be done that way when using MIT krb5, without
>>modification of the internal krb5 libs. So we have to
>>store plaintext for this case.
>
>I should have been more clear. For the *offline* credentials cache
>(where we want a user to log in to a disconnected laptop) we
>could/should store only a salted hash, much like would be used
>in /etc/shadow, as the user must present cleartext to login (which we
>can then use for the purposes of this patch and krb5 refresh).
>
>This should prevent an attack in the 'stolen laptop' scenario.
>
>We could use the hash format we use for the LDAP password history, or
>perhaps a *variation* on the format used for AES krb5 (but it must be a
>variation, to avoid it being a plaintext-equivalent).
>
>Andrew Bartlett
>
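A concrete model of the offline-cache scheme Andrew describes in the quoted text (store only a per-user salted, iterated hash; verify the cleartext the user types at the disconnected logon prompt; only then hand that cleartext on for the krb5 refresh), added here as an illustration. This is not Samba's code, and PBKDF2-HMAC-SHA256 with the constants below is an assumption standing in for whatever on-disk format Samba would actually choose.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this example; a real deployment would tune the
# iteration count to the hardware it runs on.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def cache_offline_credentials(username: str, password: str,
                              salt: Optional[bytes] = None) -> dict:
    """Build the record a domain member keeps for disconnected logons.

    Only a random per-user salt and a slow, salted digest are stored. The
    cleartext password is not, and the digest is not a credential that can
    be replayed against the DC or another host ('stolen laptop' scenario).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return {"user": username, "salt": salt,
            "iterations": PBKDF2_ITERATIONS, "hash": digest}


def verify_offline_login(record: dict, password: str) -> bool:
    """Check the cleartext presented at the disconnected logon prompt."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    record["salt"], record["iterations"])
    # Constant-time comparison so timing does not reveal matching prefixes.
    return hmac.compare_digest(candidate, record["hash"])


def offline_logon(record: dict, typed_password: str) -> Optional[str]:
    """Model the flow from the thread: verify against the salted hash first,
    and only on success return the cleartext so the caller can use it for
    the later Kerberos (krb5) refresh once the DC is reachable again."""
    if verify_offline_login(record, typed_password):
        return typed_password
    return None


if __name__ == "__main__":
    # Constructed sample: same password cached for two users yields two
    # different records because each gets its own salt.
    a = cache_offline_credentials("alice", "correct horse")
    b = cache_offline_credentials("bob", "correct horse")
    print(a["hash"] != b["hash"], offline_logon(a, "correct horse") is not None)
```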