
Re: unified login (unix + windows)
Gerald Carter wrote:
> 
> > Why don't you want to store plain text passwords if you 
> > are willing to store the LanMan/NT hashes? They are 
> > equivalent from a security point, are they not?
> 
> You misunderstood.  I would never want to store

I'm sorry.  I misread.  Your post makes more sense now.
Ummm...no, I would not consider plain text and plain 
text equivalent the same technically.  Here's why:

  Since we are talking about integrating UNIX and 
  Windows authentication, storing the plain text
  automatically gains you access to both client OS's.
  However, if the DES (or MD5, SHA, etc..) and the 
  LanMan/NT hash is stored, if obtained, the latter 
  will only give you access to Windows services
  (without breaking the actual password into plain text).
  Since traditionally this does not provide shell 
  access, I feel this is the lesser of the two bad
  possibilities.  Still very bad though.

Consider this: try convincing all admins who run 
Samba with encrypted passwords to store the plain 
text of the password in /etc/shadow.

Just my opinions.  
jerry
----------------------------------------------------------------------
   /\  Gerald (Jerry) Carter                     Professional Services
 \/    http://www.valinux.com  VA Linux Systems    gcarter@valinux.com
       http://www.samba.org       SAMBA Team           jerry@samba.org
       http://www.eng.auburn.edu/~cartegw

       "...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )