external authentication

[Marbacher Christophe]

Hi,

What does go on the line between the client and the server? Is it a hashed
password (no way to get the clear password) or is it an encrypted password?
If it's an encrypted password, then it would be possible to decrypt it and
give this password to another application to authenticate (like radius for
example).

What is the way the password transit on the wire? Are we able to retrieve it
in clear on server side?

Thank you

-----Original Message-----
From: Andrew Bartlett [mailto:abartlet at pcug.org.au]
Sent: jeudi, 24. janvier 2002 23:34
To: Marbacher Christophe
Cc: 'samba at lists.samba.org'
Subject: Re: external authentication


> Marbacher Christophe wrote:
> 
> Hi,
> 
> Is there any way to authenticate users using something else than
> static passwords stored in smbpasswd or ldap? For example tokens
> (ActivCard, SecurID, ...)? Is there a way to tell samba to launch a
> program with parameters, and depending on the result, accept or deny
> login?
> 
> If anybody has an idea, it would be nice to contact me.

This is quite a possible extension to the authenticaion subsystem in
HEAD.  

It would depend on both the client and the server 'knowing' the same
password (for encrypted passwords) or somthing similar for a plaintext
(PAM based) approach.  The latter I presume would be secure with tokens,
but exposes issues with convincing clients to use them.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net