[Samba] Does winbindd/pam transmit cleartext authenticating against an NT PDC
Gerald (Jerry) Carter
jerry at samba.org
Tue Jan 27 19:31:21 GMT 2004
Karl DeBisschop wrote:
| But then I would infer that local passwords would be the
| same -- the password is handed to the pam module
| as cleartext, right?
For authentication, the application hands the password
to the PAM layer in cleartext. How the pam module performs
the authentication using that password is arbitrary.
For example, if you have sshd configured to use
pam_winbindd, then the client will send the tunneled
clear text password to sshd which will hand it off
to pam_winbindd.
pam_winbindd will then send a request to winbindd over
a unix domain socket.
And winbindd will issue a net_samlogon() request to
authenticate the user just like a windows client would.
| They are saying there is a cleartext step in pam_winbind
| that does not exist when using local passwords. They are also
| saying that windows servers are secure when authenticating
| against the PDC, but linux servers are not.
Wrong on both counts.
All pam modules that use password based authentication
(that I am aware of) require the clear text password as
input. Something like pam_unix would then hash the
password and compare it to whatever is in the user's
entry in /etc/passwd. The end result is the same.
cheers, jerry
~ ----------------------------------------------------------------------
~ Hewlett-Packard ------------------------- http://www.hp.com
~ SAMBA Team ---------------------- http://www.samba.org
~ GnuPG Key ---- http://www.plainjoe.org/gpg_public.asc
~ "If we're adding to the noise, turn off this song" --Switchfoot (2003)
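The flow described in the message above, as an added sketch that is not part of the original post and is not Samba or PAM code: two modules take the same cleartext password as input, one hashing and comparing locally, the other sending only a challenge response to a remote verifier. All class and function names are hypothetical, and PBKDF2/HMAC-SHA256 are stand-ins for the real password hashes and for the net_samlogon exchange.

```python
import hashlib
import hmac
import os

def derive(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2 stands in for crypt(3) / the NT hash.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)

class LocalHashModule:
    """pam_unix-like: hash the cleartext, compare with the stored entry."""
    def __init__(self):
        self.db = {}  # user -> (salt, hash), a constructed password file
    def enroll(self, user, password):
        salt = os.urandom(16)
        self.db[user] = (salt, derive(password, salt))
    def authenticate(self, user, cleartext):
        if user not in self.db:
            return False
        salt, stored = self.db[user]
        return hmac.compare_digest(derive(cleartext, salt), stored)

class DomainController:
    """Constructed remote verifier that keeps one derived key per user."""
    SALT = b"constructed-domain-salt"
    def __init__(self):
        self.keys, self.pending = {}, {}
    def enroll(self, user, password):
        self.keys[user] = derive(password, self.SALT)
    def challenge(self, user):
        self.pending[user] = os.urandom(8)
        return self.pending[user]
    def verify(self, user, response):
        chal, key = self.pending.pop(user, None), self.keys.get(user)
        if chal is None or key is None:
            return False
        expected = hmac.new(key, chal, "sha256").digest()
        return hmac.compare_digest(expected, response)

class RemoteChallengeModule:
    """pam_winbind-like: same cleartext input, only a response leaves the host."""
    def __init__(self, dc):
        self.dc = dc
        self.wire = []  # everything sent to the verifier, kept for inspection
    def authenticate(self, user, cleartext):
        chal = self.dc.challenge(user)
        key = derive(cleartext, DomainController.SALT)
        response = hmac.new(key, chal, "sha256").digest()
        self.wire.append((user, response))
        return self.dc.verify(user, response)
```

Both `authenticate` methods have the same signature, which is the point of the message: the cleartext input is common to every password-based module, and what differs is what the module does with it.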