R: R: password policy on samba 3.0

Andrew Bartlett abartlet at samba.org
Wed Oct 29 12:02:31 GMT 2003


On Wed, 2003-10-29 at 22:41, Simo Sorce wrote:
> On Wed, 2003-10-29 at 12:07, Andrew Bartlett wrote:
> > I'm not convinced how much Samba should be involved in the 'password
> > quality' issue - given how it varies between sites.  There was a patch
> > much earlier that put this out to an external script.  (Allowing
> > cracklib and the like)
> 
> I think the best way could be to add a cascading style to auth modules
> (like vfs ones) so that anyone can do its own policy simply through a
> module. However including some basic checking in samba (those expected
> by users) seems ok.

Agreed.

> > However, if we do make Samba handle this I would like to see the 'old
> > passwords' optionally stored in some salted, not MD4() hashed form, or
> > in the original cleartext for soundex comparison.  
> 
> Why? salted? What's wrong with MD4 hashes ?

If somebody breaks into the LDAP/TDB store, they would not only get all
the current passwords, but also all the past passwords.  Given patterns
of password re-use, somebody might have used their 'strong' password on
server1, then changed it for a new password.  Their 'strong' password
(quite likely the one that they can't change for some other server, so
they use it everywhere) is now in a format that can be used by the
attacker.

This may or may not be likely, but given the only purpose for storing
this password is to compare it with a new plaintext, we can apply any
one-way function we like.  I think MD5(MD4(password)+salt) would be
good, and not likely to be a useful value for attacking another system.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
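The scheme Andrew proposes above, written out as an added example (this is not Samba code): a pure-Python MD4 (so it runs where hashlib has no md4), the NT hash Samba stores for the current password, and a password-history store that keeps MD5(MD4(password) + salt) per entry so that a leaked history yields no reusable NT hashes. The function names and the 16-byte random salt are assumptions.

```python
import hashlib
import hmac
import os
import struct

_MASK = 0xFFFFFFFF
_K2 = [(i % 4) * 4 + i // 4 for i in range(16)]               # round-2 word order
_K3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]  # round-3 word order

def _rot(x, s):
    return ((x << s) | (x >> (32 - s))) & _MASK

def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (OpenSSL 3 builds of hashlib often lack it)."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rounds = ((f, range(16), (3, 7, 11, 19), 0),
              (g, _K2, (3, 5, 9, 13), 0x5A827999),
              (h, _K3, (3, 9, 11, 15), 0x6ED9EBA1))
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    st = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = st
        for fn, order, shifts, const in rounds:
            for i, k in enumerate(order):
                a, b, c, d = d, _rot((a + fn(b, c, d) + x[k] + const) & _MASK, shifts[i % 4]), b, c
        st = [(s + v) & _MASK for s, v in zip(st, (a, b, c, d))]
    return struct.pack("<4I", *st)

def nt_hash(password: str) -> bytes:
    """MD4 over UTF-16LE: the hash kept for the *current* password (usable as-is by an attacker)."""
    return md4(password.encode("utf-16-le"))

def history_entry(password: str, salt: bytes = None) -> tuple:
    """Old-password record: MD5(MD4(password) + salt). Assumed 16-byte random salt per entry."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.md5(nt_hash(password) + salt).digest()

def in_history(candidate: str, history: list) -> bool:
    """True if the new plaintext matches any stored entry; only the plaintext is needed to check."""
    nt = nt_hash(candidate)
    return any(hmac.compare_digest(hashlib.md5(nt + salt).digest(), h) for salt, h in history)
```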