[Samba] Samba 2.2.5 Security Bug?
Gerald Carter
jerry at samba.org
Wed Oct 9 16:12:01 GMT 2002
On Tue, 8 Oct 2002 imed at gmx.ch wrote:
> > No password is different from the password "" (an empty password).
> > "" is actually hashed as an empty string and is a valid password,
> > NO PASSWORD is treated differently.
>
> That's not very consistent! With SWAT it's not possible for the user
> to set an empty password; this is Unix-like.
UNIX does not prevent you from setting an empty password.
Maybe your PAM stack does.
> No password is just allowed for root, that's ok, because it's under
> root's control. An empty password is possible for all users and this is
> really bad, because you don't have any control over the user passwords,
> not even in the smb.conf file!
Try using pam_smbpass.so and the pam_crack.so library for controlling
password strength.
> Is there any cogent reason, why should "" (an empty password) now be a
> valid password?
Samba just gives you the bullet. If you shoot yourself in the foot,
we can't stop that.... If you want, modify smbpasswd so that

    if ( !lp_null_passwords() && !strlen(new_passwd) )
        fail;
As of this moment, we are not planning on changing the current
behavior.
cheers, jerry
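The distinction the thread turns on is that "no password" and the empty string "" are two different states: the first is an account flag, the second is a real string that gets hashed. The following C example, added here and not part of the original message or of Samba's source, models that distinction and the check jerry sketches. The names `pw_policy`, `validate_new_password`, `allow_null_passwords` and `min_length` are this example's own assumptions; Samba's real `lp_null_passwords()` accessor and smbpasswd internals are not modelled.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Outcome of validating a proposed new password (names are this example's own). */
enum pw_result {
    PW_OK = 0,
    PW_REJECT_NULL_NOT_ALLOWED,  /* "no password" requested but policy forbids it */
    PW_REJECT_EMPTY_NOT_ALLOWED, /* "" would be hashed as a valid password; policy forbids it */
    PW_REJECT_TOO_SHORT          /* fails a minimum-length strength rule */
};

/* Hypothetical policy knobs. In real Samba the first would come from the
 * "null passwords" smb.conf option (lp_null_passwords()); the second stands in
 * for a pam_cracklib-style strength check. Both are assumptions of this example. */
struct pw_policy {
    int allow_null_passwords;
    size_t min_length;
};

/* NULL models the "no password set" state; "" is a genuine empty string.
 * Treating them separately is the whole point: the quoted one-liner only
 * covers the "" case, so both branches are shown here. */
enum pw_result validate_new_password(const struct pw_policy *pol, const char *new_passwd)
{
    if (new_passwd == NULL)
        return pol->allow_null_passwords ? PW_OK : PW_REJECT_NULL_NOT_ALLOWED;

    /* Equivalent of: if ( !lp_null_passwords() && !strlen(new_passwd) ) fail; */
    if (strlen(new_passwd) == 0)
        return pol->allow_null_passwords ? PW_OK : PW_REJECT_EMPTY_NOT_ALLOWED;

    if (strlen(new_passwd) < pol->min_length)
        return PW_REJECT_TOO_SHORT;

    return PW_OK;
}

static const char *describe(enum pw_result r)
{
    switch (r) {
    case PW_OK:                      return "accepted";
    case PW_REJECT_NULL_NOT_ALLOWED:  return "rejected: null passwords disabled";
    case PW_REJECT_EMPTY_NOT_ALLOWED: return "rejected: empty string not allowed";
    case PW_REJECT_TOO_SHORT:         return "rejected: too short";
    }
    return "unknown";
}

int main(void)
{
    /* Constructed policies: the permissive default the thread complains about,
     * and the stricter one jerry suggests building. */
    struct pw_policy permissive = { 1, 0 };
    struct pw_policy strict     = { 0, 8 };

    printf("permissive, \"\":     %s\n", describe(validate_new_password(&permissive, "")));
    printf("strict,     \"\":     %s\n", describe(validate_new_password(&strict, "")));
    printf("strict,     NULL:   %s\n", describe(validate_new_password(&strict, NULL)));
    printf("strict,     \"abc\":  %s\n", describe(validate_new_password(&strict, "abc")));
    printf("strict,     8 chars: %s\n", describe(validate_new_password(&strict, "correcth")));
    return EXIT_SUCCESS;
}
```

With the permissive policy the empty string is accepted exactly as the original poster observed; with the strict policy both "no password" and "" are refused at set time, which is where such a rule belongs since the stored hash of "" is indistinguishable from any other valid credential once written.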