[Samba] Samba 2.2.5 Security Bug?

imed at gmx.ch imed at gmx.ch
Wed Oct 9 17:08:01 GMT 2002

Hi Jerry

Thanks for the answer!

> UNIX does not prevent you from setting an empty password.
> Maybe you PAM stack does.

With UNIX I meant Solrais 2.x (default), I don't know exactly how it is for
linux (I suppose it's similiar) -> man passwd:

SunOS 5.8           Last change: 21 Oct 1999                    1

User Commands                                           passwd(1)

     Passwords must be constructed to meet the following require-

        o  Each password must have PASSLENGTH  characters,  where
           PASSLENGTH  is  defined  in /etc/default/passwd and is
           set to 6. Only the first eight characters are signifi-

        o  Each password must contain  at  least  two  alphabetic
           characters and at least one numeric or special charac-
           ter. In this case, "alphabetic" refers to all upper or
           lower case letters.
> Try using pam_smbpass.so and the pam_crack.so library for controlling
> password strength.  

Thanks for the tip, I'll do it, pitty that Samba dosen't do it out of the
> Samba just gives you the bullet.  If you shoot yourself in the foot,
> we can't stop that....  If you want, modify smbpasswd so that 
> 	if ( !lp_null_passwords() && !strlen(new_passwd) )
> 		fail;

The bullet is ok for root but not for the normal users, or do your users
have the root password in your environment? 

I'll try to change the code too, but it's not Samba standard anymore!

> As of this moment, we are not planning on changing the current 
> behavior.

That's really pitty! Anyway can you please tell me why did the attitude of
smbpasswd change between the versions before and after 2.0  (just concerning
the empty string not the whole concept)?

Is that not a sort of a downgrade?

Thanks for the discussion!



+++ GMX - Mail, Messaging & more  http://www.gmx.net +++
NEU: Mit GMX ins Internet. Rund um die Uhr für 1 ct/ Min. surfen!

More information about the samba mailing list