Tighten up password security for 3.2?
simo
idra at samba.org
Wed Aug 22 15:49:20 GMT 2007
On Wed, 2007-08-22 at 13:45 +1000, Andrew Bartlett wrote:
> I wondered if, given we are bumping the release version number to 3.2,
> if we should tighten up some of the defaults for Samba 3.2?
> (Particularly given the precedent with Vista also tightening up on what
> it will send).
>
> I'm wondering if we should refuse to send plaintext and LM passwords by
> default? Currently users' passwords could be exposed on the network,
> either as plaintext or as an LM response, if someone spoofs a server and
> doesn't negotiate NTLMSSP (and the right options).
+1
> Likewise we might want to look at only accepting NTLM and NTLMv2 on the
> server side (again, as a default).
+1
Simo.
--
Simo Sorce
Samba Team GPL Compliance Officer
email: idra at samba.org
http://samba.org
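As an added illustration, not part of the thread, the smb.conf [global] settings below make the defaults Andrew proposes explicit on both the client and server side. The parameter names are Samba's; the choice of values is the editor's, not a statement of what 3.2 actually shipped.

```ini
# Added example (editor's, not from the samba-technical thread):
# pin the proposed 3.2 behaviour explicitly so it does not depend
# on which release's built-in defaults are in effect.
[global]
    # Client side: never send the password in clear or as an LM
    # response, even to a server that fails to negotiate NTLMSSP.
    client plaintext auth = no
    client lanman auth = no
    # Stricter than the proposal (assumption): send NTLMv2 only.
    client ntlmv2 auth = yes

    # Server side: require challenge/response authentication,
    # refuse LM responses, keep accepting NTLM and NTLMv2.
    encrypt passwords = yes
    lanman auth = no
    ntlm auth = yes
```

Run `testparm` after editing to confirm the file parses and to see the effective values.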