
Re: Unix auth via LDAP & now need to add Samba!

>>The same way NT, Win2K and XP (the official OS of Angamandi) do.  They
>>use a generated response from the NT hash.  Same way M$-CHAP v2 works.
>My understanding is that this "hash" must be trivial. That is, while it
>might not technically be "cleartext", it is not much harder to circumvent
>than ROT-13.

It is "effectively" clear text.  But in the Microsoft world of security 
through obscurity it is referred to as a password crypt/hash.

>I don't really see any way around this, if you are going to do
>challenge-response authentication. The server needs the cleartext (or

Sure, you embed a salt value that from a given password crypt always 
generates some known value.  Pretty much nullifies the whole concept of 
crypting, but what can you do.

>equivalent) password in order to use it as salt to hash the challenge, the
>result of which it will compare with the client's response.
>Even if there is some neat trick that allows this salt to be stored in
>such a way that the original cleartext cannot be recovered in polynomial
>time, this storage is still a security violation, 

Sure, yes it is.  But it is how every NT SAM in the world.....

>precisely because you
>can use the salt in that form to successfully authenticate. (It would be
>like a Unix machine accepting the hash of a password for authentication --
>the whole point of hashing would be circumvented since anyone could have
>read that out of /etc/passwd.)
>> No, unless you tell it to, then it does.
>And if I tell it to, will it respect the OpenLDAP setting for password
>hashes? I.e., will it use exop or attempt to change userPassword directly?

It manages the Unix password via either PAM (which uses whatever you set up 
PAM to use, probably exop) or an external binary via a chat/expect.

Ximian GNOME, Evolution, LTSP, and RedHat Linux + LVM & XFS
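The point the thread is circling, that the stored NT hash is "effectively" clear text because the server only ever needs the hash to verify a challenge-response, can be shown end to end. The following is an added example written for this archive page; it is not code from the original post, from Samba, or from OpenLDAP. It implements MD4 in pure Python (hashlib's MD4 is frequently disabled under OpenSSL 3), derives the NT hash as MD4 of the UTF-16LE password, and then runs an NTLMv2-style exchange as described in MS-NLMP: NTOWFv2 = HMAC-MD5(NT hash, UTF-16LE(upper(user) + domain)) and NTProofStr = HMAC-MD5(NTOWFv2, ServerChallenge || blob). The user "alice", domain "EXAMPLE" and password "password" are constructed sample values, and the client blob is a plain random nonce rather than the structured timestamp/target-info blob of a real NTLMv2 message. The verifier only holds the hash, so a party that stole the hash from the SAM (or from an LDAP attribute) produces a response the server accepts, exactly as a real client would.

```python
import hashlib
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _lrot(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python (hashlib's 'md4' is often unavailable under OpenSSL 3)."""
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)  # bit length, little-endian

    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # Message-word order for rounds 2 and 3 (round 1 is 0..15 in sequence).
    r2 = [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]
    r3 = [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]
    rounds = (
        (F, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (G, 0x5A827999, r2, (3, 5, 9, 13)),
        (H, 0x6ED9EBA1, r3, (3, 9, 11, 15)),
    )
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", bytes(msg[off:off + 64]))
        v = list(state)  # working copy of A, B, C, D
        for fn, k, order, shifts in rounds:
            for i, idx in enumerate(order):
                # Operand roles rotate each step: (A,B,C,D), (D,A,B,C), (C,D,A,B), (B,C,D,A)
                a, b, c, d = (v[(0 - i) % 4], v[(1 - i) % 4], v[(2 - i) % 4], v[(3 - i) % 4])
                v[(0 - i) % 4] = _lrot((a + fn(b, c, d) + X[idx] + k) & MASK, shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NT hash = MD4(UTF-16LE(password)). Unsalted: equal passwords give equal hashes."""
    return md4(password.encode("utf-16-le"))


def ntowf_v2(nt: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 per MS-NLMP: HMAC-MD5 keyed with the NT hash over upper(user)+domain."""
    return hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()


def ntlmv2_response(nt: bytes, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """Client side. Note the input is the NT hash, never the password itself."""
    nt_proof = hmac.new(ntowf_v2(nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return nt_proof + blob


def server_verify(stored_nt: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """Server side. All it needs is the stored NT hash, which is why the hash is password-equivalent."""
    nt_proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nt, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(expected, nt_proof)


def demo() -> tuple:
    """Returns (legitimate client accepted, hash-only attacker accepted)."""
    user, domain, password = "alice", "EXAMPLE", "password"  # constructed sample account
    stored = nt_hash(password)          # what the SAM / sambaNTPassword attribute would hold
    server_challenge = os.urandom(8)
    blob = os.urandom(8)                # simplified client blob (real NTLMv2 uses a structured one)

    legit = ntlmv2_response(nt_hash(password), user, domain, server_challenge, blob)
    # Attacker who read the hash out of the directory: no password needed.
    stolen = ntlmv2_response(stored, user, domain, server_challenge, blob)
    return (server_verify(stored, user, domain, server_challenge, legit),
            server_verify(stored, user, domain, server_challenge, stolen))


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("(legit accepted, stolen-hash accepted):", demo())
```

Contrast this with a Unix crypt(3) hash: the server can verify a submitted password against it, but the hash itself is not what the client sends, so reading /etc/shadow does not by itself let you log in. Here the stored value is the credential, which is why the thread treats storing it as the same risk as storing the clear-text password, and why a Samba-in-LDAP deployment has to lock read access to the NT hash attribute down as tightly as userPassword.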