IDMU....And You. - Port 25: The Open Source Community at Microsoft
IDMU....And You. by admin on May 05, 2006 03:16PM

Sam interviews Shamit Patel, Project Manager for Identity Management for Unix (IdMU), to discuss the current state of the project and solicit feedback from the Port 25 community to help shape future versions of the project.

Format: wmv
Duration: 17:56

Alternative Video Formats: Download in MPEG4

Want to learn more? Check out Interop Systems: UNIX Tools for Windows, another great community site for UNIX users, sysadmins and developers who find themselves needing to interoperate with Windows and Linux systems.

  1. einhverfr said:

    Great interview. This provides a great deal of useful information. Note that NIS should be used for legacy support only; NIS over LDAP is preferable for modern deployments, and authentication against Kerberos is still the best way to do it.

    So it seems that a lot of the interview is about legacy support rather than the cool modern things you could do with this product.

    Best Wishes,
    Chris Travers
    Metatron Technology Consulting

    posted at 06:19PM 05/03/2006
  2. fluke said:

    Currently, I have control over what format *nix passwords are stored in. The default PAM module provided with GNU/Linux distributions uses MD5, and with a simple change in the source code I can easily migrate to using SHA256 for storage of new passwords. It seems like IdMU is a step backwards, where using it requires accepting storage of passwords in MD4 hash format. I have seen demonstrations with "Rainbow Tables" that make me very uncomfortable with the use of MD4 for password hashing. While the Microsoft papers published a year ago about the road to "Cairo" talked about moving towards a modular OS with interchangeable pieces, I still have not been able to find a way to plug different hash objects into AD. This greatly affects my ability to reduce the impact that a disgruntled ex-administrator could cause.

    posted at 02:23PM 05/04/2006
  3. jdzions said:

    Fluke, I'm really curious about where your belief that AD uses MD4 comes from. As far as I know, AD supports DES-CBC-MD5, DES-CBC-CRC (if you twist our arm about it, we really think this is too weak for use), and RC4-HMAC. RC4 is, of course, completely distinct from MD4.

    Can you point me to the reference(s) which lead you to believe that AD uses MD4 for password hashing? I'd really like to get to the bottom of this; if there's misinformation out there (either way; it's possible I'm mistaken, honest!), I want to get it straightened out.

    Jason

    posted at 03:30PM 05/12/2006
  4. fluke said:

    Sure, do a search for the AD user attribute unicodePwd and you should be able to find references to it being stored in "NT HASH" format (not to be confused with the even weaker LM hash format). Then check around any password audit packages and you will find references to "NT HASH" being MD4.

    While RC4 is completely distinct from MD4, so are Kerberos tickets completely distinct from stored password hashes.

    posted at 04:17PM 05/15/2006
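The distinction fluke draws above, between the unsalted MD4 "NT hash" behind unicodePwd and a salted scheme, as an added example that is not part of the original post or of IdMU. The MD4 is a self-contained RFC 1320 implementation (hashlib's md4 is frequently unavailable under OpenSSL 3), and PBKDF2-HMAC-SHA256 stands in for the salted SHA256 storage fluke mentions; the function names are this example's own.

```python
import hashlib
import os
import struct

def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled under OpenSSL 3."""
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", 8 * len(data))  # message length in bits, little-endian
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(16):  # round 1: F(b, c, d), words in order
            f, s = (b & c) | (~b & d), (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, _rotl((a + f + x[i]) & 0xFFFFFFFF, s), b, c
        for i in range(16):  # round 2: G(b, c, d), word order 0,4,8,12,1,5,...
            g, s = (b & c) | (b & d) | (c & d), (3, 5, 9, 13)[i % 4]
            a, b, c, d = d, _rotl((a + g + x[(i % 4) * 4 + i // 4] + 0x5A827999) & 0xFFFFFFFF, s), b, c
        for i in range(16):  # round 3: H(b, c, d)
            h, s = b ^ c ^ d, (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, _rotl((a + h + x[r3_order[i]] + 0x6ED9EBA1) & 0xFFFFFFFF, s), b, c
        a, b, c, d = [(v + w) & 0xFFFFFFFF for v, w in ((a, aa), (b, bb), (c, cc), (d, dd))]
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> str:
    """The 'NT hash' stored in unicodePwd: unsalted MD4 over the UTF-16LE password."""
    return md4(password.encode("utf-16le")).hex()

def salted_hash(password: str, salt: bytes = None, rounds: int = 100_000) -> tuple:
    """Salted, iterated storage (PBKDF2-HMAC-SHA256) for comparison; fresh salt per account."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return salt.hex(), digest.hex()

def identical_for_shared_password(password: str) -> tuple:
    """Two accounts with the same password: identical stored values? (unsalted: yes; salted: no)"""
    return (nt_hash(password) == nt_hash(password),
            salted_hash(password)[1] == salted_hash(password)[1])
```

Because the NT hash has no salt and no work factor, one precomputed table covers every account that shares a password, which is exactly why the rainbow-table demonstrations fluke describes work against it and not against the salted form.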