
I understand that pam_smb keeps an authentication cache, need I be concerned that someone will have clear text access or decrypt the password in the cache?


For version 1.9.8 (development version) you need be very concerned! However, there is some excellent news: for releases post 1.9.8 the authentication cache only stores MD5 hashes of the passwords. Optionally, you could use the Makefile.crypt in the pamsmbd directory to replace the MD5 hash with standard UNIX crypt. Both are one-way hashes with no means for decryption, thus keeping anything in the cache is fairly safe. Also, the cache files should be stored similarly to shadow files on a system, such that only root (the user running pamsmbd) should have any access to them. The largest difference between crypt and MD5 from the pam_smb perspective is that UNIX crypt only uses the first 8 characters of the password. Since NT passwords can be longer than 8 characters, we believe the MD5 is probably the safer way to go.
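The 8-character limit mentioned in the answer, as an added example that is not part of the original answer or of pam_smb's code: traditional DES crypt(3) keys on the low 7 bits of the first 8 characters only, so two passwords that agree on that prefix are indistinguishable to it, while an MD5 digest covers the whole password. The function names, the hex-MD5 entry layout and the sample passwords are assumptions made for the illustration.

```python
import hashlib
import hmac


def des_crypt_key_material(password: bytes) -> bytes:
    """Key input of traditional DES crypt(3).

    Only the first 8 bytes are used (NUL-padded if shorter), and only the
    low 7 bits of each byte, giving the 56-bit DES key. Everything after
    byte 8 never reaches the hash.
    """
    first8 = password[:8].ljust(8, b"\0")
    return bytes(b & 0x7F for b in first8)


def md5_cache_entry(password: bytes) -> str:
    """Assumed cache entry layout: hex MD5 over the entire password."""
    return hashlib.md5(password).hexdigest()


def compare_schemes(stored: bytes, attempt: bytes) -> dict:
    """Report whether `attempt` would match a cache entry made from `stored`.

    'crypt' is True when both passwords feed identical key material to
    DES crypt (so the hashes match for any salt); 'md5' is True only when
    the full-password digests match.
    """
    return {
        "crypt": hmac.compare_digest(
            des_crypt_key_material(stored), des_crypt_key_material(attempt)
        ),
        "md5": hmac.compare_digest(
            md5_cache_entry(stored), md5_cache_entry(attempt)
        ),
    }


if __name__ == "__main__":
    # Constructed sample passwords: same first 8 characters, different tails.
    stored = b"Winter2024-payroll"
    attempt = b"Winter20-something-else"
    print(compare_schemes(stored, attempt))
```
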
