> A. Wik enscribed thusly:
> > "Michael H. Warfield" <mhw@wittsend.com> wrote:
> > > > (if you call share passwords security at all), they passwords are not
> > > encrypted,
>
> > Neither are telnet and FTP passwords. Besides, unless public-key
>
> I use neither... I use SSH and do not allow unencrypted access
> to interactive connections.
SSH is great, but unfortunately, not always installed.
> > cryptography is used, passwords have to be stored in plain-text (or
> > another sensitive format) on disk if they are to be encrypted on the
> > network.
>
> Not true at all...
>
> challenge response system for the client to prove that it knows the hashes
> without revealing them. In theory, if you broke into the server and stole
> the hashes, you could create a fake client who could then fake out the
> server, but you already own the server from having broken into it. You do
> not have to store passwords in clear, or in any reversible format anywhere.
No, but the hash file is still more sensitive than a shadow file.
SMB password encryption in it's current form just doesn't seem (to me)
worth the trouble of keeping a separate password database, incompatible
with anything else.
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.rutgers.edu
Please read the FAQ at http://www.tux.org/lkml/