WIN 98 password problem

Mark Hazen mhazen at franklin.uga.edu
Mon Oct 19 03:38:52 GMT 1998


> From: Sarma Seetamraju <sarma at usa.net>
> Subject: Re: SAMBA digest 1846 -- WIN 98 password problem
> 
> Maybe you can allow for old+new methods of authentication in your newer
> releases :-
> // consider FIRST that the passwd passed is cleartext
> //    then use old method... of NOT using smbpasswd for authentication.
> //            I guess you would use that in the UNIX crypt system call & match

This defeats the purpose of encrypted passwords. By god, when I stop
collecting, using the methods SAMBA already provides to us for migration to
encrypted passwords, I will allow no unencrypted connections. We're even
getting rid of Telnet, in favor of SSH on all of our machines.

Encryption is no longer a tool for the paranoid, it's a necessity...
especially considering how frequently machines have been getting hacked all
around me. Sure, your network might be secure... but how about every
single network a packet crosses to get from any of your users' locations
to the server?

My honest suggestion would be to, as a quick fix, read the documentation
on Encryption, as well as the Win95/NT notes, and set up the server for
migration. Next, use the .reg files included with SAMBA for whichever
platform you're talking about, and... TEMPORARILY... patch the client to
use plaintext passwords. This impacts fewer users in the immediate sense,
and allows the one problem machine to get back on the network. Go look in
the DOCS directory under the SAMBA source tree... or, if you installed a
RedHat Linux RPM, under /usr/doc/samba*.

After a couple of weeks of collection using the 'update encrypted' flag,
change 'encrypt passwords' to 'yes'. But don't just leave clients
unencrypted... remember, someone sniffing the wire with linsniff or some
other such tool will get the user's logon password, and will most likely
use that to compromise the rest of the server.

Please, though, don't make any assumptions about passwords... even
*allowing* a check against a plaintext password as a default makes the
systems running such a service one step easier to crack. I've had enough
serious crack attempts in the past two weeks (11 logged) to worry about
without this. =)

</Heavy Paranoia Mode Off>

Regards,

-mh.
----
   . _+m"m+_"+_   Mark Hazen   Systems Group Coordinator
 d' Jp     qh qh               The Franklin College of Arts & Sciences
Jp  O       O  O               The University of Georgia (706)542-1546
Yb  Yb     dY dY
 O   "Y5m2Y"  "     even the mightiest wave starts out as a ripple.
  "Y_           why make waves when it's easier to nurture ripples?
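The two-phase migration the reply describes, written out as an added smb.conf example (not from the original post or the Samba docs); the `smb passwd file` path is an assumption and should match your build's private directory.

```ini
# Phase 1 (temporary, a couple of weeks): accept plaintext logons so the
# server can capture each user's password into smbpasswd. The clients still
# need the plaintext-password .reg patch for this to work at all, and every
# logon during this phase crosses the wire in the clear.
[global]
   workgroup = FRANKLIN
   security = user
   encrypt passwords = no
   update encrypted = yes
   ; assumed location of the smbpasswd file
   smb passwd file = /usr/local/samba/private/smbpasswd

# Phase 2 (permanent): once smbpasswd is populated, require encrypted
# logons and stop collecting. Undo the client-side .reg patch at the same
# time so no Win9x box quietly falls back to sending plaintext.
[global]
   workgroup = FRANKLIN
   security = user
   encrypt passwords = yes
   update encrypted = no
   smb passwd file = /usr/local/samba/private/smbpasswd
```

Only one `[global]` section belongs in a live smb.conf; the two are shown together so the weak and the corrected settings can be compared line by line.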