netbsd-users: Re: samba, netbsd and internal network

Subject: Re: samba, netbsd and internal network
To: None <emre@uab.edu>
From: Steven M. Bellovin <smb@research.att.com>
List: netbsd-users
Date: 10/09/2002 17:28:28

In message <54598.138.26.156.222.1034197969.squirrel@mail.vsrc.uab.edu>, emre@u
ab.edu writes:
>Once upon a time Jeremy C. Reedsaid:
>> The hash is different and since can't be decrypted can be reused.
>>
>> Some admins use plain text for a while as they automatically collect
>> passwords and generate new password file. Then they silently switch
>> over to encrypted passwords. Look at docs for "update encrypted".
>>
>> Also, you can have wrapper for adduser (or whatever) to do both at same
>> time.
>
>Yeah, it would be nice if samba had that option; to use unix
>authentication instead of its own authentication mechanism.  Maybe such
>thing already exists and im not looking hard enough :D
>
>
Fundamentally, it can't really do that.

Unix stores a one-way hash of the typed password in /etc/master.passwd.
To authenticate, the user has to supply the plaintext; the system 
hashes it and sees if it matches what's stored.  But that means that 
the system has to receive the password in the clear -- possibly over an 
encrypted channel, but ultimately in the clear.

Windows uses (I believe) a challenge/response scheme.  While I don't 
recall the details, these generally involve sending the client a random 
number.  The client computes a hash of that number and its password, 
and sends along the result.  The server does the same thing, and 
compares the answers.  Note that the server can't do that without a 
cleartext copy of the password.

The two schemes are optimized against different threat models.  The 
classical Unix scheme was designed to avoid the need for plaintext 
passwords to be stored on the system -- see the classic Morris and 
Thompson paper for an explanation of why.  The Windows scheme was 
designed for a secure server attached to an insecure network -- and the 
Unix scheme wasn't designed for networks at all.

Anyway -- you can't do what you want.  If your users have shell 
accounts, I suggest writing a little wrapper that will let them run 
'smbpasswd -a' themselves, so they can set their own samba passwords.

		--Steve Bellovin, http://www.research.att.com/~smb (me)
		http://www.wilyhacker.com ("Firewalls" book)