Deprecate auth parameters in 3.6, remove in master?

Andrew Bartlett abartlet at samba.org
Fri Jan 28 16:33:19 MST 2011


On Sat, 2011-01-29 at 07:29 +1000, Andrew Bartlett wrote:
> On Sat, 2011-01-29 at 01:01 +0900, TAKAHASHI Motonobu wrote:
> > 2011/1/28 Andrew Bartlett <abartlet at samba.org>:
> > > On Fri, 2011-01-28 at 11:58 +0100, Björn Jacke wrote:
> > >> > encrypt passwords = no
> > >>
> > >> not sure how many people actually still use this. I think I'd like to keep
> > >> this.
> > >
> > > The point with the plaintext password code is that it performs a
> > > server-side brute force attack (see password level) on the plaintext
> > > password (due to case sensitivity), and just does not work properly with
> > > Windows clients (almost any) due to lack of caching (causing really
> > > weird reconnect failure) and the need to set registry hacks.  So it is
> > > both a security risk and a
> > >
> > > There certainly are users of this, but we need to move them to other
> > > more secure solutions to their needs, and that starts by marking it as
> > > deprecated.
> > 
> > Sharity-Light is one product using a plaintext password to access an
> > SMB server. Sharity-Light is included in the Ports of *BSD.
> > 
> > If LMCompatibilitylevel < 4, then plain text password is supported at the
> > SMB server.
> 
> I agree that there are tools that can still use plain text, but I don't
> know of any that can't at least do LM authentication, and even that is
> incredibly insecure.  We should simply not support such insecure
> protocols. 

Hmm, perhaps I misunderstood.  Are you saying that there is no other way
to use CIFS from FreeBSD that does not use plaintext passwords?  

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Cisco Inc.
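The "server-side brute force" that Andrew describes is the effect of the smb.conf `password level` parameter: when a client authenticates with a plaintext password (`encrypt passwords = no`), the server does not compare the string once but, as documented in smb.conf(5), tries it as sent, then all lower case, then every variant with up to `password level` letters in upper case. The following Python is an added illustration written for this page, not Samba's own code; the function names `password_level_candidates`, `attempts_per_login` and `server_accepts` are this example's own, and it models only the documented case-permutation behaviour, with constructed sample passwords.

```python
from itertools import combinations


def password_level_candidates(password: str, level: int) -> list[str]:
    """Return the plaintext candidates a server configured with
    'password level = <level>' would try, in order and without repeats:
    the password as sent, then all lower case, then every variant of the
    lower-case form with 1..level letters upper-cased.

    Added re-implementation of the behaviour described in smb.conf(5);
    this is not Samba's source code.
    """
    candidates: list[str] = []
    seen: set[str] = set()

    def add(candidate: str) -> None:
        if candidate not in seen:
            seen.add(candidate)
            candidates.append(candidate)

    add(password)
    lower = password.lower()
    add(lower)

    # Only alphabetic positions can change case; digits and symbols are fixed.
    letter_positions = [i for i, ch in enumerate(lower) if ch.isalpha()]
    for n in range(1, min(level, len(letter_positions)) + 1):
        for positions in combinations(letter_positions, n):
            chars = list(lower)
            for p in positions:
                chars[p] = chars[p].upper()
            add("".join(chars))
    return candidates


def attempts_per_login(password: str, level: int) -> int:
    """Number of comparisons one plaintext logon costs the server.
    With level >= number of letters this reaches 2**letters."""
    return len(password_level_candidates(password, level))


def server_accepts(stored_password: str, supplied: str, level: int) -> bool:
    """Model of the server-side check: the logon succeeds if any permitted
    case variant of the supplied plaintext equals the stored password.
    Consequence: at a high level, knowing the password case-insensitively
    is enough, because the server guesses the case for the client."""
    return any(c == stored_password
               for c in password_level_candidates(supplied, level))


if __name__ == "__main__":
    # Constructed sample: stored password has mixed case, client sends
    # it all lower case, as a case-folding client might.
    stored, sent = "fRed", "fred"
    for level in range(0, 5):
        print(f"password level = {level}: "
              f"{attempts_per_login(sent, level):2d} comparisons, "
              f"accepted={server_accepts(stored, sent, level)}")
```

Each logon attempt multiplies into up to 2^letters comparisons on the server, and an attacker who has recovered the password from a plaintext capture need not even get the case right. None of this machinery runs when `encrypt passwords = yes`, because the client then sends a challenge-response instead of the plaintext, which is the direction the thread argues for.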
