
Re: disable "fake" samba authentication error messages



> On Thu, 2 Jul 1998, Andrew Morgan wrote:
> 
> > Luke Kenneth Casson Leighton writes:
> > > > 
> > > > On Thu, 2 Jul 1998, Urs Rau wrote:
> > > > 
> > > > > What bothers me is that samba is filling up my log files with a
> > > > > lot of extraneous/fake entries about authentication failures.
> > > > > "Extraneous/fake" - because all it is is a reflection of the way
> > > > > the protocol actually tries to login - going through the
> > > > > upper/lower case mutations as configured.
> > > 
> > > This is due to the Windows machines forcing the password to be
> > > uppercased. A cracking algorithm is applied, which can be
> > > short-circuited by asking your users to only use lower case letters in
> > > passwords.  This will still allow numbers and non-numeric characters
> > > but may still not satisfy the truly paranoid.
> > > 
> > > The alternative is to use encrypted passwords, and maintain the UNIX
> > > and NT / LM password databases separately: there are tools to do this.
> > 
> > This may be eliminated if it is possible to get samba to work like this:
> > 
> > conv(..., app_data)
> > {
> > 	/* use app_data to indicate how many times we've been called */
> > 	if ( first_time ) {
> > 		return string_as_typed
> 
> Like I said, string_as_typed is not available: it is the windows client
> that is passing the password upper cased, over which you have no control,
> forcing the use of a cracking algorithm. 
> 

Back to my original concern/problem. It doesn't matter to me that there is a 
"cracking" algorithm running to figure out what the password might have 
been that the user typed. What I want to achieve is that "PAMpwd" (it looks 
as if this is the "guilty" one) only logs errors if the username / password pair 
doesn't end up in a match. Or in other words I would like "PAMpwd" to keep 
checking password mutations until no more mutations are sent - and then - 
and only then to send a msg to the syslog. Is this asking the impossible? It 
might well be for all I understand.



Urs
------------------------------------------------------------+
| Operation Mobilisation, The Quinta, Weston Rhyn, OSWESTRY |
| SY10 7lT, UK, FAX: +44-1691-778378, TEL: +44-1691-773388  |
| Email: urs.rau@uk.om.org                                  |
+-----------------------------------------------------------+
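
The behaviour requested in the message above, sketched as an added example that is not part of the original thread and is not Samba or PAM code: case mutations are tried silently and one failure entry is written only when every candidate has been rejected. The names `verify_fn`, `demo_verify` and `authenticate_deferred_log`, the account `alice` / `Secret9`, and the reduced mutation set (as received, all lower case, one upper-case letter) are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the real PAM/UNIX password check. */
typedef int (*verify_fn)(const char *user, const char *candidate);

int failure_log_entries = 0;   /* entries that would go to syslog */
int verify_calls = 0;          /* candidates checked by demo_verify */

/* Constructed sample account: user "alice", stored password "Secret9". */
int demo_verify(const char *user, const char *candidate)
{
    verify_calls++;
    return strcmp(user, "alice") == 0 && strcmp(candidate, "Secret9") == 0;
}

/* Tries the password as received, all lower case, then each variant with
 * one letter upper-cased. Individual misses are not logged; a single
 * entry is written only if every candidate fails. Returns 1 on a match. */
int authenticate_deferred_log(const char *user, const char *received,
                              verify_fn verify)
{
    char cand[64];
    size_t i, n = strlen(received);
    int ok = 0;

    if (n < sizeof(cand)) {          /* over-long input counts as a failure */
        ok = verify(user, received);
        for (i = 0; i < n; i++)
            cand[i] = (char)tolower((unsigned char)received[i]);
        cand[n] = '\0';
        ok = ok || verify(user, cand);
        for (i = 0; i < n && !ok; i++) {
            if (!isalpha((unsigned char)cand[i])) continue;
            cand[i] = (char)toupper((unsigned char)cand[i]);
            ok = verify(user, cand);
            cand[i] = (char)tolower((unsigned char)cand[i]);
        }
    }
    if (!ok) {                       /* the one log entry for the attempt */
        failure_log_entries++;
        fprintf(stderr, "auth failure: user=%s\n", user);
    }
    return ok;
}

int main(void)
{
    return !authenticate_deferred_log("alice", "SECRET9", demo_verify);
}
```

With the constructed account, the upper-cased `SECRET9` matches on the third candidate and writes nothing, while a wrong password produces exactly one entry after all candidates are exhausted.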


