[PROPOSAL] Remove password level (or all plaintext passwords?) for 4.1

Andrew Bartlett abartlet at samba.org
Mon May 27 06:40:44 MDT 2013


On Mon, 2013-05-27 at 08:30 -0400, Simo wrote:
> On 05/27/2013 08:12 AM, Simo wrote:
> > On 05/27/2013 07:55 AM, Andrew Bartlett wrote:
> >> On Mon, 2013-05-27 at 07:39 -0400, yaberger at ca.ibm.com wrote:
> >>> Hi Andrew,
> >>>
> > > Here is a first list of clients that are using our Samba file service.
> > > There will be a few more under "Other network devices" that I'll
> > > send in another email once I have received it.
> > > I should also know which DOS flavor/version is being used in the
> > > upcoming days.
> >> Thanks.  How much are you able to test in this environment?
> >>
> >> If I gave you a patch that removed 'password level' and with it the
> >> password cracker (upper/lower case transition), could you verify if it
> >> still works well enough for your clients?
> >>
> >> The code is ugly, but it is very much contained and I don't need to
> >> remove it in the face of an active user participating on the mailing
> >> list, because if we break it, we know you will be able to work with us
> >> promptly.
> >
> > Why should you remove them ?
> >
> > -1 from me unless there is an extremely good reason.
> 
> Sorry, nvm this -1, 'twas a brain fart.
> I read 'password checker' instead of password cracker, and I thought it 
> extended to remove things like check password script.

Certainly not!  :-)

> If this is limited to lanman backwards compatibility I am not so strong 
> on a -1, but then we should officially drop support for all DOS/Lanman 
> features. It's no use to keep around any other feature if old DOS 
> clients simply can't log in.
> 
> Ie still a mild -1 to the approach, but not to the general idea of 
> dropping DOS support wholesale if that's the intent.

So, the background here is that having a password cracker (automated
case changing) in Samba has always irked me.  It literally removes all
the security you may have had with a mixed-case password:

    If password level was set to 2, the following combinations
    would also be tried:

        "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", ..

It's actually been really valuable to ask the question, because the
clients that are listed as being the problem (Windows for Workgroups
and Win9X) are now very, very old and Yannick doesn't have any of them
on his network.

It would be interesting to know if we could limit this to 'lowercase the
password', or maybe (but DOS clients could be the issue) remove this
case changing totally. 

Annoyingly, this seems to be more client-specific than protocol-level
specific: the manpages speak of Win9X getting this wrong even with NT
0.12.  Hence I was hoping to get some real-world re-verification
done.

None of this impacts users who use encrypted passwords, as while the
cryptography is incredibly poor, and is of course disabled by default,
LM password support for DOS clients will remain a selectable option for
quite some time yet.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
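As an added example (not Samba's code, and not part of the message above), here is a small C reimplementation of the case-permutation check that the quoted 'password level' manpage text describes: the supplied password is tried as sent, then all lowercase, then every variant with up to 'level' letters uppercased. Samba would hash or crypt() each candidate before comparing; this version compares plaintext directly so the enumeration itself is visible. It also counts how many candidates a given level generates, which is the number of "free" guesses the casing of a mixed-case password buys an attacker. Function names, the MAX_PW limit and the sample passwords are assumptions made for the example.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_PW 64   /* assumed upper bound on password length for this example */

typedef bool (*try_fn)(const char *candidate, void *ctx);

/* Copy src into dst, folding ASCII letters to lowercase. */
static void lower_copy(char *dst, const char *src)
{
    size_t i;
    for (i = 0; src[i] != '\0' && i < MAX_PW - 1; i++)
        dst[i] = (char)tolower((unsigned char)src[i]);
    dst[i] = '\0';
}

/* Enumerate every case variant of the (already lowercased) buffer 'pw'
 * that has at most 'budget' letters uppercased, working from index 'pos'.
 * Each variant is visited exactly once; stops as soon as fn() accepts one. */
static bool combinations(char *pw, size_t pos, int budget, try_fn fn, void *ctx)
{
    if (pw[pos] == '\0')
        return fn(pw, ctx);

    /* Branch 1: leave this character lowercase. */
    if (combinations(pw, pos + 1, budget, fn, ctx))
        return true;

    /* Branch 2: spend one unit of budget uppercasing it, if it is a letter. */
    if (budget > 0 && islower((unsigned char)pw[pos])) {
        pw[pos] = (char)toupper((unsigned char)pw[pos]);
        bool hit = combinations(pw, pos + 1, budget - 1, fn, ctx);
        pw[pos] = (char)tolower((unsigned char)pw[pos]);
        if (hit)
            return true;
    }
    return false;
}

struct count_ctx { unsigned long n; };

static bool count_cb(const char *candidate, void *ctx)
{
    (void)candidate;
    ((struct count_ctx *)ctx)->n++;
    return false;           /* never "match": we want the full enumeration */
}

/* Number of distinct candidates the combination phase tries for 'pw'
 * at a given level: sum over k=0..level of C(letters, k). */
unsigned long count_candidates(const char *pw, int level)
{
    char buf[MAX_PW];
    struct count_ctx cc = { 0 };
    if (strlen(pw) >= MAX_PW)
        return 0;
    lower_copy(buf, pw);
    combinations(buf, 0, level, count_cb, &cc);
    return cc.n;
}

struct match_ctx { const char *stored; };

static bool match_cb(const char *candidate, void *ctx)
{
    /* Samba would hash/crypt() the candidate here; plaintext compare for clarity. */
    return strcmp(candidate, ((struct match_ctx *)ctx)->stored) == 0;
}

/* Documented order: as sent, then all lowercase, then up-to-'level'
 * uppercase permutations of the lowercased form. Returns 1 on a match. */
int level_check(const char *stored, const char *supplied, int level)
{
    char buf[MAX_PW];
    struct match_ctx mc = { stored };

    if (strlen(supplied) >= MAX_PW)
        return 0;
    if (strcmp(stored, supplied) == 0)      /* as sent */
        return 1;
    lower_copy(buf, supplied);
    if (strcmp(stored, buf) == 0)           /* all lowercase */
        return 1;
    if (level < 1)
        return 0;
    return combinations(buf, 0, level, match_cb, &mc) ? 1 : 0;
}

int main(void)
{
    /* Constructed sample: a mixed-case stored password and a DOS-style
     * all-uppercase submission of it. */
    const char *stored = "fReD";
    int level;
    for (level = 0; level <= 4; level++)
        printf("level %d: \"FRED\" accepted=%d, candidates tried=%lu\n",
               level, level_check(stored, "FRED", level),
               count_candidates("FRED", level));
    return 0;
}
```

With the stored password "fReD", an all-uppercase "FRED" is rejected at level 0 and 1 but accepted at level 2, and so is plain "fred": once the level covers the number of uppercase letters in the real password, any casing of the right letters logs in. For a four-letter password level 2 already enumerates 11 candidates and level 4 all 16, which is the whole case space that a mixed-case choice was supposed to add.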



