Tighten up password security for 3.2?

Jeremy Allison jra at samba.org
Fri Aug 31 04:16:01 GMT 2007


On Fri, Aug 31, 2007 at 11:15:24AM +1000, Andrew Bartlett wrote:
> On Wed, 2007-08-22 at 11:49 -0400, simo wrote:
> > On Wed, 2007-08-22 at 13:45 +1000, Andrew Bartlett wrote:
> > > I wondered, given we are bumping the release version number to 3.2,
> > > if we should tighten up some of the defaults for Samba 3.2?
> > > (Particularly given the precedent with Vista also tightening up on what
> > > it will send). 
> > > 
> > > I'm wondering if we should refuse to send plaintext and LM passwords by
> > > default?  Currently users' passwords could be exposed on the network,
> > > either as plaintext or as an LM response, if someone spoofs a server and
> > > doesn't negotiate NTLMSSP (and the right options).
> > 
> > +1
> > 
> > > Likewise we might want to look at only accepting NTLM and NTLMv2 on the
> > > server side (again, as a default).
> > 
> > +1
> 
> Given this, unless I get some more feedback, I'll be changing the
> defaults in Samba 3.2 and 3.2.0 to:
> 
> client plaintext auth = no
> client lanman auth = no
> lanman auth = no

+1 from me, it's time we tightened things up I think.

Jeremy.
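The three settings agreed on above are all [global] smb.conf parameters. The script below is an added example, not Samba project code or anything posted in this thread: it audits an smb.conf for exactly those three parameters and reports whether each is explicitly switched off, explicitly on, or left unset (in which case the compiled-in default applies, which is the default the thread is proposing to flip). The two smb.conf files it reads are constructed here as sample input; the function names and the use of awk instead of testparm are my choices so that the check runs without Samba installed. On a host that does have Samba, `testparm -v` prints the effective value of every parameter including defaults, which a file-only check cannot know.

```shell
#!/bin/sh
# Added example (not Samba's code): audit an smb.conf for the three parameters
# the thread proposes to default off in 3.2:
#   client plaintext auth, client lanman auth, lanman auth
# Assumes the usual smb.conf layout: "[section]" headers and "key = value" lines.

# Print the value of one [global] parameter from the smb.conf at $1, or "unset".
# Like Samba, the key comparison ignores case and whitespace, and the last
# occurrence in [global] wins. Parameters in share sections are ignored.
smb_global_param() {
    conf="$1"; want="$2"
    awk -v want="$want" '
        BEGIN { gsub(/[ \t]/, "", want); want = tolower(want); insec = 0; val = "unset" }
        /^[ \t]*[#;]/ { next }                       # comment line
        /^[ \t]*\[/ {                                # section header
            s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s)
            insec = (tolower(s) == "global"); next
        }
        insec && index($0, "=") {
            i = index($0, "=")
            k = substr($0, 1, i - 1); v = substr($0, i + 1)
            gsub(/[ \t]/, "", k)                     # Samba ignores whitespace in names
            sub(/^[ \t]+/, "", v); sub(/[ \t]+$/, "", v)
            if (tolower(k) == want) val = tolower(v)
        }
        END { print val }
    ' "$conf"
}

# Report the three parameters and return how many are NOT explicitly off
# (0 means the file spells out the hardened settings from the thread).
smb_auth_audit() {
    conf="$1"; bad=0
    for p in "client plaintext auth" "client lanman auth" "lanman auth"; do
        v=$(smb_global_param "$conf" "$p")
        case "$v" in
            no|false|0) state="ok    (explicitly off)" ;;
            yes|true|1) state="WEAK  (explicitly on)"; bad=$((bad + 1)) ;;
            unset)      state="UNSET (compiled-in default applies; yes before the proposed 3.2 change)"; bad=$((bad + 1)) ;;
            *)          state="UNKNOWN value '$v'"; bad=$((bad + 1)) ;;
        esac
        printf '%-23s %s\n' "$p:" "$state"
    done
    return "$bad"
}

# Constructed sample configs (not taken from the thread or any real host).
WEAK_CONF=$(mktemp); HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT

cat > "$WEAK_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   # LM responses allowed on both sides, as the pre-3.2 defaults permit
   Lanman Auth = yes
   client lanman auth = yes
   ; client plaintext auth deliberately left unset here

[homes]
   browseable = no
EOF

cat > "$HARD_CONF" <<'EOF'
[global]
   workgroup = EXAMPLE
   client plaintext auth = no
   client lanman auth = no
   lanman auth = no
EOF

echo "== weak config =="
smb_auth_audit "$WEAK_CONF" || echo "not hardened: $? setting(s) need attention"
echo "== hardened config =="
smb_auth_audit "$HARD_CONF" && echo "all three settings explicitly off"
```

Treating "unset" as a finding is deliberate: a file that says nothing about these parameters is only safe if the binary's defaults are, and that is precisely what differs between 3.0 and the proposed 3.2 defaults, so an audit should make the reliance on defaults visible rather than pass it silently.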


More information about the samba-technical mailing list