Mailinglist Archive: opensuse-security (471 mails)
Re: [suse-security] Security issues when using Samba?
- From: Robert Casties <robert.casties@xxxxxxxxxxxxxx>
- Date: Mon, 23 Oct 2000 15:54:43 +0200 (CEST)
- Message-id: <Pine.LNX.4.21.0010231548300.5956-100000@xxxxxxxxxxxxx>
On Mon, 23 Oct 2000, Lars Trebing wrote:
> semat wrote:
>
> > the problem is that the password is still transmitted over the network
> > in clear text thus anyone running a sniffer on the network may be
> > able to get your passwords.
>
> I really don't believe this is true. IMHO Samba's password encryption
> mode does provide true password encryption (although I don't quite know
> how good this encryption is).
AFAIK the encryption is OK (MD5 or so). The only problem is that the
encrypted password is used as a cookie. It is just compared to the value in
smbpasswd. If anyone gets your smbpasswd he can use the value to
authenticate.
This is different from the way unix login works where you still have to
solve the backward problem to regenerate a password from a crypt value to
break in.
Cheers
Robert
--
Robert Casties --------------------- http://philoscience.unibe.ch/~casties
History & Philosophy of Science Tel: +41/31/631-8505 Room: 216
Institute for Exact Sciences Sidlerstrasse 5, CH-3012 Bern
Uni Bern (PGP key on homepage: D7 2B DE 64 2D 65 16 A0)
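
The distinction drawn in the message above, as an added example that is not part of the original post or of Samba's code: a toy challenge-response server whose stored value is itself the login secret, next to a crypt-style server that hashes whatever is submitted. SHA-256, HMAC and PBKDF2 are stand-ins chosen for illustration, not the algorithms Samba or crypt actually use; all function names and the sample password are constructed.

```python
import hashlib, hmac, os

# Simplified model, NOT Samba's real algorithm: SHA-256/HMAC/PBKDF2 are
# stand-ins for the actual functions. All names and values are constructed.

def stored_hash(password: str) -> bytes:
    """What the challenge-response server keeps on disk (smbpasswd-like)."""
    return hashlib.sha256(password.encode()).digest()

def cr_response(secret: bytes, challenge: bytes) -> bytes:
    """Client side: the response is keyed by the hash, not the password."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()

def cr_verify(db_hash: bytes, challenge: bytes, response: bytes) -> bool:
    """Server side: recompute from the stored hash and compare."""
    return hmac.compare_digest(cr_response(db_hash, challenge), response)

def unix_store(password: str, salt: bytes) -> bytes:
    """crypt-style verifier: salted, slow, one-way."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def unix_verify(db_value: bytes, salt: bytes, submitted: bytes) -> bool:
    """Server hashes whatever is submitted, so it must be the password."""
    candidate = hashlib.pbkdf2_hmac("sha256", submitted, salt, 100_000)
    return hmac.compare_digest(candidate, db_value)

def compare_exposure(password: str = "correct horse") -> dict:
    """Which logins succeed for a party holding only the stored entry?"""
    challenge, salt = os.urandom(8), os.urandom(16)
    h = stored_hash(password)
    u = unix_store(password, salt)
    from_password = cr_response(stored_hash(password), challenge)
    return {
        # Legitimate user who knows the password.
        "cr_with_password": cr_verify(h, challenge, from_password),
        "unix_with_password": unix_verify(u, salt, password.encode()),
        # Holder of the stored value only, password unknown.
        "cr_with_stored_value": cr_verify(h, challenge, cr_response(h, challenge)),
        "unix_with_stored_value": unix_verify(u, salt, u),
    }

if __name__ == "__main__":
    for case, ok in compare_exposure().items():
        print(f"{case:24} {'accepted' if ok else 'rejected'}")
```

In this model the stored entry on the challenge-response side has to be protected as if it held the plaintext password, while the crypt-style entry still requires the password to be recovered before it is of use.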