Re: unified login (unix + windows)
Gerald Carter wrote:
>
> > Why don't you want to store plain text passwords if you
> > are willing to store the LanMan/NT hashes? They are
> > equivalent from a security point, are they not?
>
> You misunderstood. I would never want to store
I'm sorry. I misread. Your post makes more sense now.

Ummm...no I would not consider plain text and plain
text equivalent the same technically. Here's why:

Since we are talking about integrating UNIX and
Windows authentication, storing the plain text
automatically gains you access to both client OS's.
However, if the DES (or MD5, SHA, etc.) and the
LanMan/NT hash is stored, if obtained, the latter
will only give you access to Windows services
(without breaking the actual password into plain text).
Since traditionally this does not provide shell
access, I feel this is the lesser of the two bad
possibilities. Still very bad though.

Consider this: try convincing all admins who run
Samba with encrypted passwords to store the plain
text of the password in /etc/shadow.

Just my opinions.

jerry
----------------------------------------------------------------------
/\ Gerald (Jerry) Carter Professional Services
\/ http://www.valinux.com VA Linux Systems gcarter@valinux.com
http://www.samba.org SAMBA Team jerry@samba.org
http://www.eng.auburn.edu/~cartegw
"...a hundred billion castaways looking for a home."
- Sting "Message in a Bottle" ( 1979 )