"C.Lee Taylor" wrote:>
> Greetings ...
>
> A quick question more to confirm a few things reguarding SMB
passwords,
> which I hope might be able to look at for password aging.
>
> I saw some discussion on samba-tech list, but nothing conclusive.
>
> LM and NT hashs don't have a salt? Do they? ... In other
words, a
> password "password" LM hashed, always comes out as
> "E52CAC67419A9A224A3B108F3FA6CB6D" not matter the case? Just
checks,
> but I take it a password "password" NT hashed is case sencetive,
but
> still no salt, which means one could search a DB of a large number of LM
> or NT hashed to crack a LM/NT hash?
Fun, isn't it :-)
Anyway, the passwords are 'paintext equivilant', so you don't even
need
to crack them.
> I understand that we can't use PAM cracklib to do password
sanity, but
> we could use all known hashs in a smb passwd DB, ie ... search ones
> local LDAP DB for matching LM/NT hashs and not accept password.
>
> But I think that the rpc's to look after password expire and
sanity
> have not been finished, am I correct in this thinking?
Password expiry is implemented in Samba 3.0, password sainity not yet
implemented. (Patches welcome, see previous discussion).
Andrew Bartlett
--
Andrew Bartlett abartlet@pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet@samba.org
Student Network Administrator, Hawker College abartlet@hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net