[pptp-server] Yes, blank username/password works!
Justin Kreger
jkreger at avidsolutionsinc.com
Sat Mar 3 05:58:54 CST 2001
there is no guest, it just returns no secret if none is found
-----Original Message-----
From: Joey Coco
To: robert
Cc: Cowles, Steve; pptp-server at lists.schulte.org
Sent: 3/2/01 10:31 PM
Subject: Re: [pptp-server] Yes, blank username/password works!
Hi,
I'm curious how it does that. I was under the assumption that the smb
patch just looked at the samba password file. I'm curious why it would
default to guest on bad login.. I'll have to download the patch and look
at the source. I don't use samba enough to justify using this patch, but
I
find your problem interesting.
-- Joe
On Fri, 2 Mar 2001, robert wrote:
> I'm wondering if anyone has considered that if you have a good guest
account
> for samba, then samba will use that if a bad username/password is
sent.
> Blank would definately count as bad. I use blank password to list
shares,
> i.e. smbclient -L somemachine and just hit enter when asked for a
password.
> Logs show guest account is used and I do get the listing. Could
someone
> having this problem try disabling the guest account and seeing if the
problem
> goes away?
>
> On Friday 02 March 2001 11:19, Cowles, Steve wrote:
> > > -----Original Message-----
> > > From: Dread Boy [mailto:dreadboy at hotmail.com]
> > > Sent: Friday, March 02, 2001 1:37 AM
> > > To: pptp-server at lists.schulte.org; vgill at technologist.com
> > > Subject: RE: [pptp-server] Yes, blank username/password works!
> > >
> > >
> > > Yeah, and on top of all this it doesn't seem to matter what I
> > > log in as, my username and password don't get carried over to
> > > SAMBA for authenticating with server shares.
> >
> > Lets make sure we are comparing apples to apples here. The
> > username/password that you specify in your windows PPTP dialup
profile has
> > NEVER been carried over for share access. Please keep the following
in
> > mind...
> >
> > 1) The PPTP tunnel uses the user/pass specified in your PPTP dialup
profile
> > to authenticate the tunnel connection ONLY.
> >
> > 2) Share access uses the user/pass that you specified when you
turned on
> > your PC and logged in to get to your desktop. FWIW: This same
user/pass can
> > be specified in your PPTP dialup profile to be used to authenticate
the
> > PPTP tunnel.
> >
> > > i.e. Whether I use a valid username/password or the blank, I
> > > still can not access resources (or possibly ACLs) on the
> > > servers even with valid usernames. On my local LAN it's no
> > > problem, but remotely, it doesn't seem to know who I am while
> > > I'm logged on.
> > >
> > > For example, when I click a share locally on my SAMBA server,
> > > I can get into it and have certain rights based on my username/
> > > password. I don't even have to think about it. "security =
> > > user" in /etc/smb.conf. However, when I log in remotely with
> > > Windoze using my PPTPD Linux server, when I even try to access
> > > the server itself (let alone the share) it keeps asking me for
> > > the IPC$ administration password as if it was an NT server.
> > > It doesn't matter what I enter here, I can't get any farther.
> >
> > From the samba docs...
> >
> > Some people find browsing fails because they don't have the global
> > "guest account" set to a valid account. Remember that the IPC$
> > connection that lists the shares is done as guest, and thus you must
> > have a valid guest account.
> > ----------------------------
> >
> > Also, is the PPTP clients WORKGROUP participation set to match what
the
> > clients on the LAN are configured to?
> >
> > > Does PPTPD know my SMB username but not my password, or vice
> > > versa? I thought maybe because it was encrypted using
> > > libsmbpw.so that maybe it couldn't figure it out, but then
> > > using chap-secrets plain-text passwords don't cut it either.
> > >
> > > Anyone know what this is all about?
> > >
> > > Geez, I thought this whole PPTPD Linux server was gonna be at
> > > least a weekend of work, but it's turning out to be months
> > > worth of work.
> >
> > With regards to the "subject" line of this thread... lets make sure
we are
> > comparing apples to apples here. I'd hate to see PopTop/PPPD get the
> > reputation of being insecure without the following clarification
being
> > noted.
> >
> > 1) If you have configured your PopTop/PPPD system to re-direct PPTP
tunnel
> > authentication to use the libsmbpw.o lib's (smbpasswd), then your
system
> > appears to be vulnerable to the blank user/pass exploit mentioned in
this
> > thread.
> >
> > 2) Those of you who are still using the chap-secrets file (no
re-direct)
> > for tunnel authentication are NOT vulnerable to the blank user/pass
exploit
> > mentioned in this thread. I just verified this on my PopTop server!
I do
> > not use the re-direct to libsmbpw.o
> >
> > Steve Cowles
> > _______________________________________________
> > pptp-server maillist - pptp-server at lists.schulte.org
> > http://lists.schulte.org/mailman/listinfo/pptp-server
> > List services provided by www.schulteconsulting.com!
> _______________________________________________
> pptp-server maillist - pptp-server at lists.schulte.org
> http://lists.schulte.org/mailman/listinfo/pptp-server
> List services provided by www.schulteconsulting.com!
>
/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
/\
/ "I'd like to think that everything is beautiful, and I'd like to think
/
\ that everything is fair. I'd like to think that everything is
plentiful,\
/ and i'd like to think that every body cares. We'd like to thank you.."
/
\
\
/ http://members.cisdi.com/~anesthes/ -=- IM: imd3fc0n
/
\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/
\/
C r e a t i v e I l l u s i o n s S o f t w a r e D e s i g n, I
n c.
_______________________________________________
pptp-server maillist - pptp-server at lists.schulte.org
http://lists.schulte.org/mailman/listinfo/pptp-server
List services provided by www.schulteconsulting.com!
More information about the pptp-server
mailing list