[Date Prev][Date Next] [Chronological] [Thread] [Top]

Re: Unix auth via LDAP & now need to add Samba!

To: Adam Williams <awilliam@whitemice.org>
Subject: Re: Unix auth via LDAP & now need to add Samba!
From: David Wright <ichbin@shadlen.org>
Date: Tue, 30 Apr 2002 13:46:41 -0700 (PDT)
Cc: libogen@hotmail.com, OpenLDAP Mailling List <openldap-software@OpenLDAP.org>
In-reply-to: <1020198684.24286.10.camel@estate1.whitemice.org>

> The same way NT, Win2K and XP (the official OS of Angamandi) do.  They
> use a generated response from the NT hash.  Same way M$-CHAP v2 works.

My understanding is that this "hash" must be trivial. That is, while it
might not technically be "cleartext", it is not much harder to circumvent
than ROT-13.

I don't really see any way around this, if you are going to do
challenge-response authentication. The server needs the cleartext (or
equivilent) password in order to use it as salt to hash the challenge, the
result of which it will compare with the client's response.

Even if there is some neat trick that allows this salt to be stored in
such a way that the original cleartext cannot be recovered in polynomial
time, this storage is still a security violation, precisely because you
can use the salt in that form to successfully authenticate. (It would be
like a Unix machine accepting the hash of a password for authentication --
the whole point of hashing would be circumvented since anyone could have
read that out of /etc/passwd.)

> No, unless you tell it to, then it does.

And if I tell it to, will it respect the OpenLDAP setting for password
hashes? I.e., will it use exop or attempt to change userPassword directly?


Thanks for your answers!

References:
- Re: Unix auth via LDAP & now need to add Samba!
  - From: Adam Williams <awilliam@whitemice.org>

Prev by Date: Re: Unix auth via LDAP & now need to add Samba!
Index(es):
- Chronological
- Thread