[Samba] Samba 2.2.5 Security Bug?
imed at gmx.ch
Wed Oct 9 17:08:01 GMT 2002
Hi Jerry
Thanks for the answer!
> UNIX does not prevent you from setting an empty password.
> Maybe you PAM stack does.
With UNIX I meant Solaris 2.x (default); I don't know exactly how it is for
Linux (I suppose it's similar) -> man passwd:
User Commands                                           passwd(1)
(SunOS 5.8, last change: 21 Oct 1999)

Passwords must be constructed to meet the following requirements:

o Each password must have PASSLENGTH characters, where PASSLENGTH is
  defined in /etc/default/passwd and is set to 6. Only the first eight
  characters are significant.

o Each password must contain at least two alphabetic characters and at
  least one numeric or special character. In this case, "alphabetic"
  refers to all upper or lower case letters.
> Try using pam_smbpass.so and the pam_crack.so library for controlling
> password strength.
Thanks for the tip, I'll do it; pity that Samba doesn't do it out of the
box.
> Samba just gives you the bullet. If you shoot yourself in the foot,
> we can't stop that.... If you want, modify smbpasswd so that
>
> if ( !lp_null_passwords() && !strlen(new_passwd) )
> fail;
The bullet is ok for root but not for the normal users, or do your users
have the root password in your environment?
I'll try to change the code too, but it's not Samba standard anymore!
> As of this moment, we are not planning on changing the current
> behavior.
That's a real pity! Anyway, can you please tell me why the attitude of
smbpasswd changed between the versions before and after 2.0 (just concerning
the empty string, not the whole concept)?
Is that not a sort of a downgrade?
Thanks for the discussion!
Regards,
Imed
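As an added illustration (not Samba's code and not from anyone in this thread): the empty-password check Jerry sketched, combined with the Solaris passwd(1) rules quoted above, written in C. `check_new_password`, the `pw_verdict` values and the `null_passwords` parameter are hypothetical names; the parameter stands in for what `lp_null_passwords()` reads from smb.conf in Samba.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Hypothetical policy check, not Samba's code. It rejects an empty
 * password unless null passwords are allowed (the check suggested for
 * smbpasswd) and then applies the Solaris passwd(1) rules quoted in
 * the thread. PASSLENGTH is the Solaris default of 6. */
#define PASSLENGTH 6
#define SIGNIFICANT_CHARS 8   /* only the first eight characters count */

enum pw_verdict {
    PW_OK = 0,
    PW_EMPTY,          /* empty string and null passwords not allowed */
    PW_TOO_SHORT,      /* fewer than PASSLENGTH characters */
    PW_NEED_ALPHA,     /* fewer than two alphabetic characters */
    PW_NEED_NONALPHA   /* no numeric or special character */
};

/* null_passwords mirrors the "null passwords" smb.conf setting that
 * lp_null_passwords() reads in Samba; here it is a plain parameter. */
enum pw_verdict check_new_password(const char *new_passwd, bool null_passwords)
{
    size_t len = strlen(new_passwd);
    int alpha = 0, other = 0;

    if (len == 0)
        return null_passwords ? PW_OK : PW_EMPTY;
    if (len < PASSLENGTH)
        return PW_TOO_SHORT;

    /* Only the first eight characters are significant, so the
     * composition rules are checked on that prefix alone. */
    if (len > SIGNIFICANT_CHARS)
        len = SIGNIFICANT_CHARS;
    for (size_t i = 0; i < len; i++) {
        if (isalpha((unsigned char)new_passwd[i]))
            alpha++;
        else
            other++;   /* digit, punctuation or other non-letter */
    }
    if (alpha < 2)
        return PW_NEED_ALPHA;
    if (other < 1)
        return PW_NEED_NONALPHA;
    return PW_OK;
}
```

Note that a password such as "abcdefgh1" fails the composition rule because its ninth character is beyond the significant prefix.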