Mailinglist Archive: opensuse-security (520 mails)

< Previous Next >
Re: [suse-security] importing users
  • From: Gerhard Sittig <Gerhard.Sittig@xxxxxxx>
  • Date: Sat, 9 Dec 2000 15:41:41 +0100
  • Message-id: <20001209154141.B27042@xxxxxxxxxxxxx>
On Sat, Dec 09, 2000 at 12:52 +0100, Oliver Hensel wrote:
> On Fri, 8 Dec 2000, Gerhard Sittig wrote:
> >
> > Read "man 5 smb.conf" and search for "sync" and/or
> > "password". When you feed samba with passwords (that is,
> > provide them in the clear) it can set the "traditional" Unix
> > password for you, too. [ ... ]
>
> That will only work if your Windows stations submit their
> password in cleartext, for which you need to change a registry
> setting on Win95 (upwards of OSR2 (?)) and NT4.0 (since SP3). I
> wouldn't really do that.

Sorry, but I don't want to follow you here. :) Don't confuse the
cleartext auth (which *is* a bad idea) with the password changing
dialog via "smbpasswd -r $MACHINE" -- or the Windows tools I
referred to in the previous message.

To clear it up, maybe I was too vague: The l0phtcrack run
probably provides you (not actually _you_, Olli, but the original
poster:) with a list of the users' passwords. With this info one
can populate the Unix user database and the Samba hashes. That
means that the users probably won't notice the change.

And when they change their passwords later with the tools they
are used to, they won't notice the change either. It still
"feels" like talking to another Windows machine, and all the
mechanisms using the Unix user database (EMail, Apache(?),
FTP(for those who insist in using it), even shell sessions) are
updated, too.


The only ugly point in this scenario is the plain text password
list, of course. But we already talked about it several times:
Those with access to the crypted / hashed representation have the
chance of getting the plain text version by means of brute force.
And as soon as people are using POP3 over the wire (without
tunneling it in SSL or ssh port forwarding) or FTP for web
updates (instead of file system access -- we're talking LAN
here), one can get the plain text passwords with even less
effort, just by watching ...


virtually yours 82D1 9B9C 01DC 4FB4 D7B4 61BE 3F49 4F77 72DE DA76
Gerhard Sittig true | mail -s "get gpg key" Gerhard.Sittig@xxxxxxx
--
If you don't understand or are scared by any of the above
ask your parents or an adult to help you.

< Previous Next >
Follow Ups