Password Synchronization

Roeland M.J. Meyer rmeyer at mhsc.com
Fri Dec 26 21:25:25 GMT 1997


At 08:09 27-12-97 +1100, Simon Hyde wrote:
>On Thu, 25 Dec 1997 05:57:15 +1100, you wrote:
>
>[chop]
>>>user: lkcl
>>>password: foo
>>>
>>>if (strequal(unixcrypt(lmcrypt(foo)), getunixlmpasswd(lkcl)))
>>>...
>>
>>Regardless of how it's done, it'll take too many CPU cycles to do, for a
>>production machine. Basically, what is asked for is a crack process on the
>>SMB passwd, to be run each time the passwd changes. Even if it is strictly
>>limited to passwd change events, consider the CPU cycles involved when
>>doing the initial passwd-crack run for a 1000-user database. Yes, it's
>>certainly do-able, on a short-run basis, but it can not happen in
>>zero-time. Even using the DBM approach I mentioned earlier, the DBM spacee
>>required will be measured in the 10's of GB, or larger (I haven't actually
>>run the exact calculations).
>>
>>>about the only way i can think of that would get around this one is to
>>>modify the unix login system to go _via_ the 16 byte lm hash:
>>>
>>
>>This is certainly unacceptable. As was pointed out earlier, the SMB passwd
>>is definitely crackable.
>>
>You don't see what he is suggesting:
>
>In order to make it possible to authenticate an NT encrypted passwd against
>the Unix passwd database you don't actually need to store the NT encrypted
>passwd, you can simply encrypt the (already) NT encrypted password and
>compare this against the Unix password file, ie you alter login to do:
>
>text passwd -> NT encrypted passwd -> unix encrypted ( NT encrypted passwd)
>
>and then compare this value with the password file
>
>This would remove the problem of NT passwords being too easy to decrypt and
>still give you the possibility of validating NT encrypted passwords.
>

This would work only in the instance that the user did NOT want to login
with a shell account. Also, the NT encrypted password is much too long for
the Unix passwd file (32 char vs 8 char).
___________________________________________________
Roeland M.J. Meyer, ISOC (InterNIC RM993)
e-mail:		mailto:rmeyer at mhsc.com
Personalweb pages:	http://www.mhsc.com/~rmeyer
Company web-site:	http://www.mhsc.com/
___________________________________________
"The FBI doesn't want to read encrypted documents,
   they want to read YOUR encrypted documents."



More information about the samba mailing list