Re: R: Do not use stock RedHat 6.0 kernels with SMBFS! [OFF-TOPIC]

A. Wik (aw@mail1.bet1.puv.fi)
Fri, 11 Jun 1999 18:50:20 +0000

Messages sorted by: [ date ][ thread ][ subject ][ author ]
Next message: Michael B. Trausch: "Re: Profanity in the Linux Kernel?!?!?"
Previous message: Ingo Molnar: "Re: More new schedule() results ..."

Michael H. Warfield wrote:
>
> A. Wik enscribed thusly:
> > On Thu, 10 Jun 1999, Michael H. Warfield wrote:
> > > A. Wik enscribed thusly:
> > > > cryptography is used, passwords have to be stored in plain-text (or
> > > > another sensitive format) on disk if they are to be encrypted on the
> > > > network.
>
> > > challenge response system for the client to prove that it knows the hashes
> > > without revealing them. In theory, if you broke into the server and stole
> > > the hashes, you could create a fake client who could then fake out the
> > > server, but you already own the server from having broken into it. You do
> > > not have to store passwords in clear, or in any reversible format anywhere.
>
> > No, but the hash file is still more sensitive than a shadow file.
>
> It really would be nice if you knew what you were talking about.
> The shadow password file also stores one-way hashes. The smbpassword file
> (assuming that's what you are talking about) can be just as secure as the
> shadow file (readable only to root), so how is it "more sensitive"?

The smbpassword hashes are used for encryption. The SMB password hash
is the secret shared between the client and the server - the Unix
password hash is NOT. Symmetric cryptography needs shared secrets -
whether to send them in cleartext over the network or store them on disk
is a matter of choice.

> > SMB password encryption in it's current form just doesn't seem (to me)
> > worth the trouble of keeping a separate password database, incompatible
> > with anything else.
>
> And your choice is? All you have are hashes. You can not reverse
> the hashing. If you don't have the NTLM hashes, you can not generate them
> from the one-way hashes in the shadow file or anywhere else. And without
> them you are not going to be able to authenticate against the NTLM challenge
> response system. They don't give you a password to validate.

They can be convinced to do so, by editing the registry. (But you already
knew that. Surely you must have read the documentation for Samba)

Anyway, most (if not all) of this is way off-topic, so this will be my
last posting on this matter.

-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/

Next message: Michael B. Trausch: "Re: Profanity in the Linux Kernel?!?!?"
Previous message: Ingo Molnar: "Re: More new schedule() results ..."