
RE: Unix auth via LDAP & now need to add Samba!



> -----Original Message-----
> From: owner-openldap-software@OpenLDAP.org
> [mailto:owner-openldap-software@OpenLDAP.org]On Behalf Of David Wright
> Sent: Wednesday, May 01, 2002 1:50 PM

> > HPC nor HPS ever appears on the wire, so where did the attacker get it?
> > He can't calculate it unless he knows the password.
>
> He got it off the server's password file. This is the whole point of
> storing hashed passwords! Even if someone can read your password file (e.g.
> /etc/passwd or /etc/shadow in unix), he can't use that knowledge to log
> into your servers.
>
> Score for defense in depth -- Microsoft: 0, Unix: 1.

Theoretically, yes. But there are such things as the Crypt-Breaker's
Workbench and UFC-Crypt that make it feasible to brute-force attack the Unix
hash. This is the whole reason the password was moved from the world
readable /etc/passwd to the protected /etc/shadow, because the hash actually
does need to be protected.

Not trying to denigrate Unix in favor of Microsoft, just pointing out that
both systems have their weaknesses. Of course, Microsoft's is a weakness in
fundamental design; the Unix password weakness is a matter of progress and
CPU power overcoming the basic encryption algorithm, not necessarily a
design flaw.

I personally think Bellcore S/Key is the right idea, but that's another
story. I think this thread has outlived its usefulness.

  -- Howard Chu
  Chief Architect, Symas Corp.       Director, Highland Sun
  http://www.symas.com               http://highlandsun.com/hyc
  Symas: Premier OpenSource Development and Support
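The message above mentions Bellcore S/Key as the "right idea" without describing it. The following is an added illustration, not code from the thread or from the S/Key implementation, of the hash-chain idea S/Key is built on: the server stores only the top of a chain H^n(secret), the client sends H^(n-1)(secret) to log in, and the server checks H(presented) == stored, then replaces its stored value with the presented one. Reading the server's file (the scenario argued about in the thread) yields only H^n, which is not the next valid login, and a value captured off the wire cannot be replayed because the server has already moved down the chain. Real S/Key uses a truncated MD4 and a 6-word encoding; SHA-256 and raw bytes are substituted here as a simplifying assumption, and the secret/seed values are constructed sample data.

```python
import hashlib
import secrets


def step(value: bytes) -> bytes:
    """One link of the hash chain. S/Key used truncated MD4; SHA-256 is an
    assumption made here to keep the example self-contained."""
    return hashlib.sha256(value).digest()


def build_chain(secret: bytes, seed: bytes, n: int) -> bytes:
    """Return H^n(secret || seed). With n = N this is the verifier the server
    stores; it is never itself a valid one-time password."""
    v = secret + seed
    for _ in range(n):
        v = step(v)
    return v


def client_otp(secret: bytes, seed: bytes, counter: int) -> bytes:
    """The client recomputes H^(counter-1). The secret stays on the client."""
    return build_chain(secret, seed, counter - 1)


class SkeyServer:
    """Holds only the current chain head and its position; no secret on disk."""

    def __init__(self, verifier: bytes, counter: int):
        self.verifier = verifier
        self.counter = counter

    def verify(self, otp: bytes) -> bool:
        if self.counter <= 0:
            return False                      # chain exhausted; user must re-initialise
        if not secrets.compare_digest(step(otp), self.verifier):
            return False
        # Accepted: the presented value becomes the new head, so it cannot be
        # replayed and the old head is now useless to anyone who copied it.
        self.verifier = otp
        self.counter -= 1
        return True


def demo():
    """Walk through the cases the thread argues about; returns a list of booleans."""
    secret = b"constructed-example-passphrase"   # constructed sample value
    seed = b"ex1234"                              # constructed sample value
    n = 5
    server = SkeyServer(build_chain(secret, seed, n), n)
    results = []
    # 1. Someone who read the server's stored verifier presents it as a password.
    results.append(server.verify(server.verifier))          # False
    # 2. Legitimate client logs in with H^(n-1).
    otp = client_otp(secret, seed, server.counter)
    results.append(server.verify(otp))                      # True
    # 3. The same value, captured off the wire, is replayed.
    results.append(server.verify(otp))                      # False
    # 4. Next legitimate login uses the next link down the chain.
    results.append(server.verify(client_otp(secret, seed, server.counter)))  # True
    return results


if __name__ == "__main__":
    print(demo())
```

The point for the thread: the server-side file still deserves protection (an offline guess at the secret can regenerate the chain, exactly as with a crypt hash), but neither the stored verifier nor an observed login is directly reusable, which is the property the earlier messages were arguing Unix had and NTLM-style stored hashes lack.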