Tighten up password security for 3.2?
Volker Lendecke
Volker.Lendecke at SerNet.DE
Wed Aug 22 10:26:57 GMT 2007
On Wed, Aug 22, 2007 at 01:45:04PM +1000, Andrew Bartlett wrote:
> I wondered if, given we are bumping the release version number to 3.2,
> if we should tighten up some of the defaults for Samba 3.2?
> (Particularly given the precedent with Vista also tightening up on what
> it will send).
>
> I'm wondering if we should refuse to send plaintext and LM passwords by
> default? Currently users' passwords could be exposed on the network,
> either as plaintext or as an LM response, if someone spoofs a server and
> doesn't negotiate NTLMSSP (and the right options).
>
> The base work for this was done ages ago, when I added in the client
> plaintext auth and client lanman auth parameters, so it's just a matter
> of changing defaults.
>
> This would break connections to standalone Win9X servers, and Samba
> servers still configured in plaintext mode. Everything else has
> understood NTLM for years.
>
> Likewise we might want to look at only accepting NTLM and NTLMv2 on the
> server side (again, as a default).
>
> Thoughts?
Sounds good to me.
Volker
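The proposal above boils down to three smb.conf booleans: the client-side `client plaintext auth` and `client lanman auth` parameters named in the post, and their server-side counterpart `lanman auth`, which is what "only accepting NTLM and NTLMv2" means in configuration terms. The script below is an added example, not code from the thread or from Samba, that parses an smb.conf `[global]` section and reports which of those settings still leave a password or LM response exposed. It assumes, as the post describes for the pre-3.2 defaults, that a parameter left unset behaves permissively; the two sample configurations are constructed for the example.

```python
"""Audit an smb.conf [global] section for the weak authentication settings
discussed in the thread: plaintext and LanMan on the client side, LanMan
acceptance on the server side. Added example, not Samba's own code."""
import re

# Parameter -> (value that closes the exposure, what the exposure is).
# The two "client ..." names are from the post; "lanman auth" is Samba's
# server-side switch for accepting LM responses.
CHECKS = {
    "client plaintext auth": ("no", "client may send the plaintext password to a spoofed server"),
    "client lanman auth": ("no", "client may send an LM response to a spoofed server"),
    "lanman auth": ("no", "server accepts LM responses instead of requiring NTLM/NTLMv2"),
}

# Assumption (matches the pre-3.2 behaviour the post complains about):
# a parameter that is not set at all behaves as "yes".
PERMISSIVE_DEFAULT = "yes"


def _norm(name):
    """Samba ignores case and whitespace in parameter names."""
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text):
    """Return {section: {normalised parameter: lower-cased value}}.
    Lines starting with '#' or ';' are comments."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        header = re.match(r"\[(.+)\]$", line)
        if header:
            current = header.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][_norm(key)] = value.strip().lower()
    return sections


def is_yes(value):
    """Samba boolean spellings for 'on'."""
    return value in ("yes", "true", "1")


def audit(text):
    """Return [(parameter, effective value, finding)] for every weak setting."""
    glob = parse_smb_conf(text).get("global", {})
    findings = []
    for param, (_safe, why) in CHECKS.items():
        value = glob.get(_norm(param), PERMISSIVE_DEFAULT)
        if is_yes(value):
            findings.append((param, value, why))
    return findings


# Constructed sample: nothing set, so every check falls back to "yes".
WEAK_CONF = """
[global]
   workgroup = EXAMPLE
   security = user
   ; no client/server auth restrictions configured
"""

# Constructed sample: the tightened defaults proposed for 3.2, made explicit.
HARDENED_CONF = """
[global]
   workgroup = EXAMPLE
   security = user
   client plaintext auth = no
   client lanman auth = no
   lanman auth = no
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}:")
        for param, value, why in audit(conf) or []:
            print(f"  {param} = {value}: {why}")
        if not audit(conf):
            print("  no weak authentication settings found")
```

Run it against a real smb.conf by reading the file into `audit()`; a configuration that explicitly sets all three parameters to `no` produces no findings, while one that relies on the old defaults is reported on every line. Note that the "unset means yes" rule is an assumption that models the situation the post describes, so on a Samba build whose compiled-in defaults are already `no` the script over-reports rather than under-reports.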