[Samba] SWAT login - is password entry secure?
Keith G. Murphy
keithmur at mindspring.com
Thu Feb 27 17:25:28 GMT 2003
Dan Rickhoff wrote:
> Samba group members,
>
> Is the password that I specify when logging into SWAT handled securely?
>
> I'd like to use the Samba Web Administration Tool (SWAT) to create and
> administer Samba "shares" that will be used by our users of ClearCase on
> Windows. That requires that I log in to the Samba host as "root". I
> access SWAT via Internet Explorer (from any machine) by specifying the
> URL "http://machine:901".
>
> For my ClearCase-related Samba Administration, our UNIX Sys
> Administrator is OK with giving me the password for user "root" on that
> machine, but he fears that the password entered in that login window
> will be transferred over the network as "cleartext". That is, he fears
> that the password might be too easily observed by prying eyes.
>
> QUESTIONS:
> 1) Is the password handled securely during my SWAT login?

Without knowing anything at all about SWAT specifically, I can tell you
that your administrator is exactly right to be worried, because you are
almost without doubt using clear HTTP; the 'http:', rather than 'https:',
tells me this.

You might want to look into running SWAT with secure-HTTP. It might be
as easy as changing a couple of configuration parameters.

Or, log in with SSH using PuTTY or TeraTerm, port-forwarding 901, then
run your browser against http://localhost:901. :-)

>
> 2) If the answer to Q1 is "No", then might it be "Yes" if I used a
> browser (Netscape) that is running on the same machine that I'm logging
> in to?
>
Yeah, pretty much, if there's nobody on that machine getting into your
socket communication. :-)
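
The three cases discussed in this thread (plain http to a remote host, https, and http to localhost as with the SSH port-forward), as an added example that is not part of the original post. It assumes the SWAT login prompt is HTTP Basic authentication, which the thread does not state; the function names and the sample request are constructed for illustration.

```python
import base64
import ipaddress
from urllib.parse import urlsplit

def credentials_exposure(url):
    """Classify where a password typed into the login prompt for `url` travels."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    if parts.scheme == "https":
        return "encrypted"              # TLS protects the request headers in transit
    if parts.scheme != "http":
        raise ValueError(f"unsupported scheme: {parts.scheme!r}")
    if host == "localhost":             # assumption: resolves to the loopback interface
        return "local-only"
    try:
        if ipaddress.ip_address(host).is_loopback:
            return "local-only"         # 127.0.0.0/8 or ::1, never leaves the machine
    except ValueError:
        pass                            # a hostname, not an IP literal
    return "cleartext-on-network"

def basic_auth_from_request(raw_request):
    """Return (user, password) from a Basic Authorization header, or None.

    Shows what anyone who can read the bytes of a plain-http request sees:
    base64 is an encoding, not encryption.
    """
    head = raw_request.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() != b"authorization":
            continue
        scheme, _, token = value.strip().partition(b" ")
        if scheme.lower() == b"basic":
            decoded = base64.b64decode(token.strip()).decode("utf-8")
            user, _, password = decoded.partition(":")
            return user, password
    return None

# Constructed sample request (not captured traffic); the password is a placeholder.
SAMPLE_REQUEST = (
    b"GET / HTTP/1.0\r\n"
    b"Host: machine:901\r\n"
    b"Authorization: Basic " + base64.b64encode(b"root:example-password") + b"\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    for u in ("http://machine:901", "https://machine:901", "http://localhost:901"):
        print(u, "->", credentials_exposure(u))
    print(basic_auth_from_request(SAMPLE_REQUEST))
```
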