[PATCH] Remove password level (now only lowercase the plaintext password, do not try combinations)

Andrew Bartlett abartlet at samba.org
Sun Jun 9 18:25:19 MDT 2013


On Sun, 2013-06-09 at 20:25 +1000, Andrew Bartlett wrote:
> On Sat, 2013-06-08 at 08:49 -0400, Simo wrote:
> > On 06/08/2013 12:13 AM, Andrew Bartlett wrote:
> > > On Mon, 2013-06-03 at 11:15 +1000, Andrew Bartlett wrote:
> > >> On Mon, 2013-06-03 at 10:19 +1000, Andrew Bartlett wrote:
> > >>> I was looking at adding the deprecated flag to 'password level' so that
> > >>> we could remove it in the future, and realised it was already
> > >>> deprecated!
> > >>>
> > >>> So, given the discussion with Yannick, who has 'password level = 0' (ie,
> > >>> the default) in his smb.conf, I think this is reasonable.
> > >>>
> > >>> That is, if your site relies on plaintext passwords from CIFS clients,
> > >>> that the requirement be that the client pass the password in correctly,
> > >>> or that you have the password in the system be in lower case.
> > >>>
> > >>> This does not impact encrypted passwords at all, and does not remove
> > >>> support for any known client.
> > >>>
> > >>> Simo,
> > >>>
> > >>> I think I've addressed your concerns in my other mail, I agree my
> > >>> description was confusing.
> > >>>
> > >>> Please review/comment/possibly push.
> > >> Attached are two more patches to remove the remaining references.
> > > Can I please have these patches reviewed?
> > >
> > > Thanks,
> > 
> > Patch 1 ACK
> > 
> > Patch 2:
> > Please do not remove the whole section.
> > I would change the first phrase just to say: "Very old SMB clients ..."
> > Change last paragraph to:
> > <para>Samba will try an additional all lower cased password 
> > authentication if it receives
> > an all uppercase password. Samba used to support an option called 
> > "password level"
> > that would try to crack password by trying all case permutations, but 
> > that option has been removed.</para>
> > 
> > Patch 3:
> > 3rd chunk now reads: 'However ... However ...' The original 'This means 
> > that..' is perfectly fine and avoids repetition, so I'd keep the 
> > original wording for that part. Ie I will keep it as: "This means that 
> > in order for a user on a Windows 9x/Me client to connect to a Samba 
> > server using clear-text authentication, the password should be in lower 
> > case.</para>
> 
> Thanks, I'll fix those changes up and get them back to you tomorrow.

I think this patch set addresses your concerns.

Please review/push.

Thanks,

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
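As an added illustration, not code from the patches in this thread (which were scrubbed as attachments) or from Samba itself, the C below implements the rule Simo's suggested documentation text describes: authenticate the plaintext password exactly as received and, only when it arrived all uppercase, also try its lowercased form, so a login costs at most two comparisons instead of the full set of case permutations the removed 'password level' option generated. MAX_PW and all function names are hypothetical.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define MAX_PW 128 /* hypothetical limit for this example */

/* True when s has at least one letter and every letter is uppercase. */
static bool all_letters_uppercase(const char *s)
{
    bool saw_letter = false;
    for (; *s != '\0'; s++) {
        if (islower((unsigned char)*s)) return false;
        if (isupper((unsigned char)*s)) saw_letter = true;
    }
    return saw_letter;
}

/* Fills out[] with the password exactly as received and, if it was all
 * uppercase, its lowercased form.  Returns 1 or 2 (0 if too long). */
size_t plaintext_candidates(const char *received, char out[2][MAX_PW])
{
    size_t len = strlen(received);
    if (len >= MAX_PW) return 0;
    memcpy(out[0], received, len + 1);
    if (!all_letters_uppercase(received)) return 1;
    for (size_t i = 0; i <= len; i++)
        out[1][i] = (char)tolower((unsigned char)received[i]);
    return 2;
}

/* Compare without leaking at which byte the candidate diverged. */
static bool ct_equal(const char *a, const char *b)
{
    size_t la = strlen(a), lb = strlen(b);
    unsigned char diff = (unsigned char)(la != lb);
    for (size_t i = 0; i < la && i < lb; i++) diff |= (unsigned char)(a[i] ^ b[i]);
    return diff == 0;
}

/* True if any candidate matches the stored plaintext: at most two tries. */
bool check_plaintext_password(const char *stored, const char *received)
{
    char cand[2][MAX_PW];
    size_t n = plaintext_candidates(received, cand);
    for (size_t i = 0; i < n; i++)
        if (ct_equal(stored, cand[i])) return true;
    return false;
}
```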

-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0003-Remove-remaining-references-to-password-level-in-the.patch
Type: text/x-patch
Size: 7390 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130610/2a00d88d/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0002-docs-Do-not-encourage-unix-passwords-and-remove-refe.patch
Type: text/x-patch
Size: 1810 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130610/2a00d88d/attachment-0001.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-auth-Remove-password-level.patch
Type: text/x-patch
Size: 8937 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20130610/2a00d88d/attachment-0002.bin>

