[Date Prev][Date Next] [Chronological] [Thread] [Top]

[OT] Re: Unix auth via LDAP & now need to add Samba!

To: "Mark H. Wood" <mwood@IUPUI.Edu>
Subject: [OT] Re: Unix auth via LDAP & now need to add Samba!
From: "David L. Parsley" <parsley@roanoke.edu>
Date: Wed, 01 May 2002 16:41:01 -0400
Cc: OpenLDAP Mailling List <openldap-software@OpenLDAP.org>
References: <Pine.LNX.4.33.0205011511490.1034-100000@mhw.ULib.IUPUI.Edu>
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:0.9.9) Gecko/20020311

Mark H. Wood wrote:

On Wed, 1 May 2002, David Wright wrote:

Your step-by-step illustrates the flaw perfectly! The server stores HP.
But HP can be used for authentiation (by hashing with the challenge to
produce HC)! It's true that the cleartext of the password P is safe, so if

HPC nor HPS ever appears on the wire, so where did the attacker get it?
He can't calculate it unless he knows the password.

The problem is, NT appears to store a plaintext-equivalent password on the server. So if an attacker gets admin access on the server, he can just grab all the passwords and access accounts with a modified client - he doesn't even need to crack 'em! Yech.

regards,
	David


--
David L. Parsley
Network Administrator, Roanoke College
"If I have seen further it is by standing on ye shoulders of Giants."
--Isaac Newton

References:
- Re: Unix auth via LDAP & now need to add Samba!
  - From: "Mark H. Wood" <mwood@IUPUI.Edu>

Prev by Date: Re: Unix auth via LDAP & now need to add Samba!
Next by Date: Re: Unix auth via LDAP & now need to add Samba!
Index(es):
- Chronological
- Thread