Andreas Rudat <ru...@endstelle.de> wrote:
> On 12.11.2011 23:00, Sven Hartge wrote:
>> This also means you have to protect those hashes inside your database
>> like a raw cleartext password, as you can authenticate to any Windows
>> box with the knowledge of the NT/LM hash.
>>
>> This has been exploited by several Windows trojan horses, which
>> grabbed the NT hash from the Administrator user to log in to other
>> boxes on the network using the same password (or worse: the domain
>> controller).

> Ah, many thanks for that clarification, so both are bad no matter which
> mechanism is used.

Yes. Storing the NT hash has the advantage of not completely exposing the cleartext password to a possible intruder.

Storing the LM hash is just dumb, because a) it limits the length of the password to 16 characters and b) the LM hash is easily broken in seconds by today's computers.

Storing the raw cleartext password is as bad, but it enables one to use other challenge-handshake auths, if needed.

I chose to store the raw cleartext password in LDAP, but in a different attribute than the normal userPassword. This way, if my LDAP servers ever get compromised (or I mess up an ACL, enabling anyone to read the cleartext password), just the WLAN/dial-up password of a user is revealed and not the master password for the account, which is used for mail, logging in to computers, etc.

Regards,
Sven.

-- 
Sigmentation fault. Core dumped.