On Mon, 27 Aug 2001, Michael Doerner wrote:

> I just wanted to get some opinions about the options for users to change
> their password.
>
> The official E-smith way is to do it through a browser and point it to
> http://internal-server-name/e-smith-password.
>
> The way as Windows users in an NT based network are used to do it is for
> example under Win98 to go through their control panel and change it there.
> If they choose to do that, they actually change their Samba password but not
> their Linux password which is used for their mail access and they run into
> problems later when they want to access their mail (old password still
> required).
>
> Question:
> As far as I see, we could also achieve the other way if we activate
> the passwd program & passwd chat parameters in Samba's smb.conf. Is there
> any reason (security?) why we should not activate this in Samba?

Yes, there could be security concerns, and there might be other concerns
as well.

It looks to me that samba interacts with the passwd program securely
enough, but I don't know whether communications between the Windows client
and samba are very secure. They could very well be plain text or plain
text equivalent. That point is moot for the moment, as communications from
the browser to the password change GUI are on the wire in plain text
equivalent. But this will change with V5, which introduces SSL access to
the manager and password panels.

The other issue is password strength checking. Not in V5, but on the TODO
list is the provision of feedback to the user about problems with their
password choice such as "based on a dictionary word", "too short", "uses
too few different keys", etc. It's not too hard to add that feedback into
the web panel, but I don't know whether the samba password change
mechanism allows that sort of feedback.

But within these restrictions, I don't see other security issues, and I'm
glad to be seeing you make the suggestion, and for others to follow up
with implementation suggestions.

-- 

Charlie Brady                         [EMAIL PROTECTED]
Lead Product Developer
Network Server Solutions Group        http://www.e-smith.com/
Mitel Networks Corporation            http://www.mitel.com/
Phone: +1 (613) 368 4376 or 564 8000  Fax: +1 (613) 564 7739
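For reference, this is what the smb.conf setup under discussion looks like. It is an added example for this thread, not a fragment from e-smith's own configuration or the Samba documentation; the path to passwd and the exact prompt strings in the chat script are assumptions that must be matched to the local passwd program.

```ini
[global]
    ; Use the challenge/response SMB password exchange instead of sending the
    ; password in the clear; this is also what NT-style clients expect.
    encrypt passwords = yes

    ; When a client changes its SMB password, push the same new password into
    ; the Unix account so mail (POP/IMAP) logins keep working.
    unix password sync = yes

    ; Program smbd runs as root to change the Unix password; %u is the user.
    ; Assumed path: adjust to where passwd lives on this system.
    passwd program = /usr/bin/passwd %u

    ; Expect/send script for driving that program; %n is the new password.
    ; The prompts below are an assumption matching a typical PAM-based passwd;
    ; run passwd by hand as root and copy its exact prompts into this line.
    passwd chat = *New*password* %n\n *Retype*new*password* %n\n *password*updated*successfully*

    ; Leave chat debugging off outside troubleshooting: when on, smbd writes
    ; the whole chat, including the new password, to its log at debug level 100.
    passwd chat debug = no
```

Check the file with `testparm` after editing. Note that this only syncs in one direction (SMB change to Unix account); whether a change made through the web panel also updates the Samba password is a separate question not covered by these settings.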

Archives by mail and http://www.mail-archive.com/devinfo%40lists.e-smith.org