Date: Wed Jan 11 07:17:04 2006
From: se_cur_ity at hotmail.com (Morning Wood)
Subject: Re: SecurID with Active Directory ?

> [If, for instance, you really need to completely eliminate access via
> passwords, you could use some programmatic method (i.e., Visual Basic) to
> set your users' Windows passwords to very long, random passwords that
> never expire. The password change would be captured on the DC and sent to
> the ACE/Server. The long, random passwords would then be
> provided with each authentication (and recovered when offline), but the

I believe you mean a custom VB login.exe at every user station?

> users will never know their Windows password.

Unless of course they take the time to look in the custom VB login.exe application, where the user/pass is stored in clear text. This would also be a point of attack if the exe were ever to escape outside infrastructure controls. (I bring this up as this exact vector was used successfully in a pentest: the exe asked for a user/pass, the application then allowed access to the ftp server, and its credentials were stored cleartext in the exe. The developer believed he could hide the actual ftp process from the end user, so they did not need to set up user accounts on the ftp server, and used the exe to validate against an asp server, thus allowing the application to validate and run.)

Although not quite the scenario you describe, I believe the implications would be the same.
Of course, I could be completely off base.

MW
