trying to correctly handle account passwords via ldap

Henrik Nordstrom henrik at henriknordstrom.net
Wed Mar 29 20:28:15 GMT 2006


Sorry if this is getting off topic for samba-technical, but I think
it may be interesting to some of you as it at its core is about
defining the border between the directory server and authentication
while maintaining user security.

Wed 2006-03-29 at 13:22 -0500, Alan DeKok wrote:
> >  only in the hash-hash form which isn't directly useful for
> > authentication
> 
>   PAP? 

The NT-hash-hash is about as useful for PAP as the NTLM exchange, or a
Kerberos exchange, Digest exchange or any other completed authentication
exchange where the plain text password is the only unknown keying
material.

The key point I tried to make is that the NT-hash-hash as such is not
used as keying material in any client authentication method as far as I
know, only final server->client authentication steps where the server
provides a "proof" that it is an authoritative server for the
authenticated realm. In terms of security it's about as sensitive as the
MD5-sess hash in Digest, if not even less sensitive.

>   The discussion was a little more than that.  That was one factor.
> Another was that there was little to gain by pushing the credentials
> to another application.

In terms of functionality yes, but there is a large win in performance
and latency, which is what started this discussion (ntlm_auth being
inefficient for FreeRADIUS MS CHAPv2), both of which translate directly
to the quality of the provided service.

>   RADIUS servers, on the other hand, have everything to gain by having
> access to the NT-HASH or clear-text passwords.  It means that multiple
> authentication protocols become possible, which is what customers are
> asking for.  Right now, for RADIUS to AD interaction, MS-CHAP is the
> only option.  This is a problem for many customers.

Fully agreed, but quite separate from the original MS CHAPv2 performance
question.

IMHO, for this the RADIUS server should be tightly integrated with Samba,
much like how the RADIUS component of IAS is tightly coupled with MS AD,
using some kind of strongly protected RPC or similar separate privileged
channel, not "just a client", i.e. not far from how this information is
exposed in an MS AD environment. The ntlm_auth tool is a far too weak
interface for providing this information (weak in terms of security, not
performance).

>   Samba is the *only* path where this may be possible.

I would not put it that strongly, but it's the most viable (if not only)
path in Open Source while also providing full support for Windows client
authentication.

> Allowing the
> administrator to export clear-text passwords from Samba to an external
> authentication server means that the customer gets what they want.

Yes, just as it does in the AD environment (if enabled). Only that
Microsoft does not want you to know how to, so they are not exposing it
via a public interface, only via internal RPC calls subject to change in
each new release.

Regards
Henrik