Tighten up password security for 3.2?
Andrew Bartlett
abartlet at samba.org
Fri Aug 31 01:15:24 GMT 2007
On Wed, 2007-08-22 at 11:49 -0400, simo wrote:
> On Wed, 2007-08-22 at 13:45 +1000, Andrew Bartlett wrote:
> > I wondered if, given we are bumping the release version number to 3.2,
> > if we should tighten up some of the defaults for Samba 3.2?
> > (Particularly given the precedent with Vista also tightening up on what
> > it will send).
> >
> > I'm wondering if we should refuse to send plaintext and LM passwords by
> > default? Currently users passwords could be exposed on the network,
> > either as plaintext or as an LM response, if someone spoofs a server and
> > doesn't negotiate NTLMSSP (and the right options).
>
> +1
>
> > Likewise we might want to look at only accepting NTLM and NTLMv2 on the
> > server side (again, as a default).
>
> +1
Given this, unless I get some more feedback, I'll be changing the
defaults in Samba 3.2 and 3.2.0 to:
client plaintext auth = no
client lanman auth = no
lanman auth = no
Any further comments?
Andrew Bartlett
--
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Red Hat Inc.
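As an added illustration of the three settings this message proposes to change (not code from the thread or from the Samba project), the script below parses a smb.conf `[global]` section and reports whether each of `client plaintext auth`, `client lanman auth` and `lanman auth` is explicitly set to `no`. The function names (`parse_smb_conf`, `audit_legacy_auth`, `hardened_fragment`), the sample config and the assumption that an unset parameter behaves as `yes` on a pre-3.2 build are all this example's own; on a real host `testparm -v` is the authoritative source for effective defaults.

```python
"""Audit a smb.conf [global] section for the legacy-authentication settings
discussed in the thread. Added example; not Samba project code."""

import re

# The three parameters the thread proposes to default to "no" in Samba 3.2.
HARDENED_PARAMS = ("client plaintext auth", "client lanman auth", "lanman auth")

# Assumption (not stated on the page as a fact): on a pre-3.2 build an unset
# parameter here behaves as "yes", which is what the thread implies when it
# says passwords can currently be exposed. Check `testparm -v` for your build.
ASSUMED_DEFAULT_IF_UNSET = "yes"

_TRUE = {"yes", "true", "1"}
_FALSE = {"no", "false", "0"}


def _canon(name: str) -> str:
    # Samba matches parameter names case-insensitively and ignores whitespace.
    return re.sub(r"\s+", "", name).lower()


def parse_smb_conf(text: str) -> dict:
    """Return {section: {canonical_param: raw_value}} for a smb.conf body.
    Later duplicates win, as in Samba. 'include' lines and %-macros are not
    expanded by this toy parser."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            current = m.group(1).strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][_canon(key)] = value.strip()
    return sections


def to_bool(value: str):
    """Samba boolean parsing: yes/true/1 and no/false/0, case-insensitive.
    Returns None for anything else so the caller reports it instead of guessing."""
    v = value.strip().lower()
    if v in _TRUE:
        return True
    if v in _FALSE:
        return False
    return None


def audit_legacy_auth(text: str) -> dict:
    """Map each legacy-auth parameter to a finding:
    {'value': explicit string or None, 'enabled': bool or None, 'ok': bool}.
    Only an explicit, parseable 'no' counts as hardened."""
    glob = parse_smb_conf(text).get("global", {})
    findings = {}
    for param in HARDENED_PARAMS:
        raw = glob.get(_canon(param))
        effective = raw if raw is not None else ASSUMED_DEFAULT_IF_UNSET
        enabled = to_bool(effective)
        findings[param] = {"value": raw, "enabled": enabled, "ok": enabled is False}
    return findings


def hardened_fragment() -> str:
    """[global] lines matching the defaults proposed in the thread."""
    return "[global]\n" + "".join(f"\t{p} = no\n" for p in HARDENED_PARAMS)


# Constructed sample: a pre-3.2 style config that leaves the risky settings on.
SAMPLE_WEAK = """
[global]
   workgroup = EXAMPLE
   ; lanman auth deliberately left unset here
   client lanman auth = yes
   client plaintext auth = Yes

[homes]
   browseable = no
"""

if __name__ == "__main__":
    for p, f in audit_legacy_auth(SAMPLE_WEAK).items():
        state = "OK  " if f["ok"] else "RISK"
        print(f"{state} {p:22s} value={f['value']!r} effective_enabled={f['enabled']}")
    print("\nRecommended [global] lines:\n" + hardened_fragment())
```

Running it against the constructed sample flags all three parameters, including `lanman auth`, which is reported as a risk precisely because it is unset and therefore falls back to whatever the build default is; an unset value is not evidence of hardening, which is the point of changing the shipped default rather than relying on every administrator to set it.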