Samba's Encrypted Password Support

John Blair

Issue #56, December 1998

How SMB-encrypted passwords actually work, and a walk-through of the steps required to enable encrypted passwords in Samba.

By default, Samba uses plaintext passwords to authenticate clients who access network resources. Samba also supports the use of LanManager- and NT-encrypted password authentication. Using encrypted passwords with Samba has its advantages and disadvantages. On the positive side, encrypted passwords mean that plaintext passwords cannot be “sniffed” off the network when users log in to a Samba share. This is particularly important when users connect to a Samba server across a public wide-area network, like the Internet. Furthermore, the latest service packs for Windows 95 and Windows NT do not allow plaintext authentication to be used when connecting to an SMB server. When using the latest version of Windows, either Samba must be configured to use encrypted passwords, or the registry must be edited to enable plaintext passwords.

On the negative side, using encrypted passwords requires some extra administrative work. The SMB-encrypted-password algorithm is incompatible with the standard UNIX encryption method. As a result, a second password file containing the LanManager- and NT-password hashes for each user, must be created. If someone makes use of other services on the server, a technique to keep both password files synchronized will have to be used.

As of Samba version 1.9.18, the best reason to not use encrypted-password authentication has been eliminated. Previous versions of Samba made use of a Data Encryption Standard (DES) library to compute LanManager password hashes. Because it was linked against a DES library, a compiled version of Samba would be illegal to export from the United States. Strong encryption, like DES, is still considered a munition by U.S. law. To make it easier for stateside mirrors of the Samba FTP archive to distribute Samba, precompiled Samba binaries usually did not contain support for encrypted passwords. Beginning with version 1.9.18, Samba uses a crippled version of DES that is still suitable for calculating LanManager hashes, but is legal to export from the United States.

Since the latest service packs to Windows NT and Windows 95 disable the ability to connect to shares, setting Samba to process encrypted passwords has become even more desirable. While it is possible to edit the registries on all of your machines to re-enable the use of plaintext passwords, it is probably easier to configure Samba to use encrypted passwords.

SMB Password Hashes

There are two styles of SMB-encrypted-password authentication: LanManager and Windows NT. Both techniques use a file which contains hashed values of a user's password, not plaintext passwords, just as the standard UNIX authentication method does. However, each uses its own technique to generate this hash.

LanManager-style hashes are generated using this algorithm:

  1. Convert the password entered by a user to all capitals.

  2. Either truncate the resulting password to 14 characters if it is longer, or pad the password with null bytes if it is shorter than 14 characters.

  3. Use this 14-byte value as two 56-bit DES keys to encrypt a secret 8-byte value twice, creating a 16-byte value. This value is the hashed password which is stored in the password file. This secret value is a string consisting of the characters KGS!@#$%.

Unfortunately, this algorithm has a serious weakness. First, the password is converted to all uppercase before it is hashed. This reduces the number of possible characters in the password from 95 to 69. However, since most punctuation characters are also denied, the number of possible characters is closer to 40. This reduces the actual size of the keyspace from 9514 to about 4014. Further, each half of the password is encrypted independently. This means that either half of the password can be recovered without recovering the other half. A better approach would have been to “chain” the two encryptions together by feeding the output of the first encryption into the second encryption. This technique is called cipher block chaining. The entire 16-byte hashed password has a possible keyspace of 2128, or 3.4 x 1038. Not using cipher block chaining reduces the number of possible hashed passwords from this value to 2(407) or 3.2 x 1011.

As a result, it is possible to use brute force to crack the LanManager passwords in a reasonably short period of time. L0phtcrack, from L0pht Heavy Industries (http://www.l0pht.com/), has been demonstrated to exhaust the keyspace in 62 hours on a quad Pentium Pro 200 SMP box. Since even paranoid users rarely change their passwords more frequently than every few weeks, systems are vulnerable to system crackers with more conventional hardware at their disposal.

In contrast, the Windows NT hashing algorithm is much stronger. The NT hashing algorithm consists of computing a 128-bit MD4 hash of a Unicode version of the user's password. Since the password is not truncated and makes the entire Unicode character set available for use, this technique makes use of the entire 128-bit keyspace. Unfortunately, for the sake of backwards compatibility, nearly all SMB servers allow access using either hashing technique. This means that an SMB server, like Samba, must store both hashes in its password database. As a result, at least for the immediate future, it doesn't matter that the NT algorithm is stronger.

The Process of SMB-Encrypted Authentication

The process of SMB-encrypted authentication is the same whether LanManager or NT encryption is being used. When a client indicates that it can support encrypted-password authentication during the protocol negotiation stage, the server will respond with a random 8-byte value known as the challenge. The challenge is different for each client request. The server stores the challenge until the client is authenticated or denied access.

After the client obtains the password from the user, it computes the hash value using one of the previously defined algorithms. The resulting 16-byte value is appended with 5 null bytes. This 21-byte value is used as three 56-bit DES keys to encrypt the 8-byte challenge value three times. The resulting 24-byte value is known as the response.

The server also executes the same algorithm, using the stored hashed password. If the value the server computes matches the value returned by the client, the client had to have known the password or at least the 16-byte hash value generated from the password. As a result, access will be granted as an authenticated user. Otherwise, access is denied. In either case, a plaintext password was not passed over the network, where it could be sniffed by an eavesdropper.

However, there is a snag with using this technique. Unlike the UNIX password hash, the SMB password hash is a password equivalent. This means that even though it isn't plaintext, it might as well be. It is the responsibility of the authentication client to accept a plaintext password and generate a hash before using it to encrypt the challenge from the server. Unfortunately, a custom client can be written that, rather than generating the password hash from a plaintext password, simply accepts a password hash and uses it to generate the appropriate response to the server. smbclient, a component of the Samba suite, can be modified to accomplish this task. To sum up, even though it is possible to crack the LanManager password in a reasonably short period of time, it isn't actually necessary to gain access to a share if you already know the password hash. The bottom line is that the Samba-encrypted-password file and the NT Security Accounts Manager (SAM) both contain sensitive information. Don't let the fact that it is “encrypted” lead you to believe that you don't have to protect it from snoopers.

Using Encrypted Passwords in Samba

Configuring Samba to use encrypted passwords is easy—just include this setting in the global section of your configuration file:

encrypt passwords = yes

Encrypted passwords work with all three security levels: share, user and server. Setting the security option to user or share requires that the Samba-encrypted-password file exist. If security is set to server, no further configuration is necessary, since all authentication requests will be passed off to a different SMB server. The server security option provides an easy way to integrate a Samba server into an existing NT domain. However, most installations of Samba will use user- or share-level security. The most common configuration is this:

security = user
encrypt passwords = yes
Both the share and the user modes require the smbpasswd file, which contains the LanManager and NT password hashes for each user who will be accessing the Samba server.

The Samba-encrypted-password file, smbpasswd, is stored by default in /usr/local/samba/private. This directory is normally owned by root, with its permissions set to 500, so that only root can look at its contents. However, this configuration isn't strictly required—your smbpasswd file can be stored any place you wish. The Samba Red Hat package stores the smbpasswd file in the sensible location of /etc/smbpasswd. Wherever the smbpasswd file is stored, its permissions should be set to 600 (only user read and write) and it must be owned by root. It must not be possible for any user other than root to read this file.

Users can be added to the smbpasswd file in several ways. The best way is to use the smbpasswd -add command. For example,

smbpasswd -add jdblair foobar

will add an entry for jdblair with a password of foobar. When adding a user while the Samba server is running, this command must be used to ensure that the smbpasswd file is properly locked before it is modified.

Another way to create a new smbpasswd file is to use the mksmbpasswd.sh script that comes with Samba. This script is, oddly enough, stored in the /source subdirectory of the Samba distribution. For example:

cat /etc/passwd | mksmbpasswd.sh > \
        /usr/local/samba/private/smbpasswd

If the system uses NIS, you should use this command:

ypcat passwd | mksmbpasswd.sh > \
        /usr/local/samba/private/smbpasswd
After using the mksmbpasswd.sh script, edit the file by hand to remove root, bin and daemon just to be on the safe side.

Finally, to allow users to update their encrypted password, set the permissions on smbpasswd to be setuid root as follows:

chmod u+s /usr/local/samba/bin/smbpasswd

The last problem to note is keeping the smbpasswd file synchronized with the default UNIX authentication method. If users access the UNIX machine only through the Samba server, this won't be a problem. However, most systems also allow users to access shell accounts, pop servers or other services that will authenticate using the default UNIX password file. Many techniques can help keep these two files in sync. A hacked version of the passwd command is available that will update both files at the same time. Many people use expect scripts to update a user's password, entering both the passwd and the smbpasswd command after prompting the user for a new password. Reportedly, a PAM module to handle updating almost transparently is in the works and may be available by the time this article is printed. Asking on the Samba mailing list (samba@samba.anu.edu.au) for solutions other people have cooked up to alleviate this problem can be a big timesaver.

Closing Thoughts

In spite of the lengthy explanation of problems associated with SMB-encrypted passwords, it is still a good idea to make use of them. Even a slightly half-baked encrypted-password algorithm is superior to transmitting plaintext passwords across a network. Keeping the smbpasswd file secure and making sure users don't choose easily-guessed passwords will help minimize the risks.

John Blair currently works as a software engineer at Cobalt Microserver. When he's not hacking Cobalt's cute blue Qube, he's hanging out with his wife Rachel and newborn son Ethan. John is also the author of Samba: Integrating UNIX and Windows, published by SSC. Feel free to contact him at jdblair@cobaltmicro.com.