Bug 560924 - net-nds/openldap disable lmpasswd since it's insecure
Summary: net-nds/openldap disable lmpasswd since it's insecure
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo LDAP project
Reported: 2015-09-20 16:20 UTC by Julian Ospald
Modified: 2015-09-21 16:53 UTC
Description Julian Ospald 2015-09-20 16:20:34 UTC
http://www.openldap.org/its/index.cgi/Incoming?id=7978 suggests that lanman hash support is insecure

Howard Chu (the chief architect of OpenLDAP) said:
> It appears you're compiling with the old LANMAN hash support. Nobody should be 
> using LANMAN any more, it's trivially insecure.

And it appears it will be gone in 2.5 anyway.

In our ebuild, "lmpasswd" is behind the samba USE flag. For whatever reason.
Comment 1 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2015-09-20 22:18:53 UTC
I doubt we need it anymore, but I don't know if I feel comfortable removing it, robbat?
Comment 2 Robin Johnson archtester Gentoo Infrastructure gentoo-dev Security 2015-09-21 16:53:10 UTC
If it's gone in openldap-2.5, we'll drop it then. It's behind the USE=samba, because that was the only place that used it.

If our supported versions of samba no longer use it, then we can drop it; note that Samba 4.3 still supports it as well, for inter-operation with old systems.

I agree that nobody should be using it anymore, since it's insecure; but I'm not going to break old use cases. I know amongst them is a Samba-on-IRIX deployment I did over a decade ago, which still has some systems going.
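Added example, not part of the bug thread or of the Gentoo or OpenLDAP code: a check an administrator could run over a directory export to see which entries still carry LANMAN hashes, and would therefore be affected once lmpasswd support is dropped. It assumes the `{LANMAN}` scheme prefix on `userPassword` and the Samba schema attribute `sambaLMPassword`, neither of which is named in the bug; the LDIF sample is constructed.

```python
import base64
import re

def find_lanman_entries(ldif_text):
    """Return sorted (dn, attribute) pairs that still hold a LANMAN hash."""
    unfolded = re.sub(r"\r?\n ", "", ldif_text)  # undo LDIF line folding
    hits = set()
    for record in re.split(r"\r?\n\s*\r?\n", unfolded):
        dn = "(no dn)"
        for line in record.splitlines():
            m = re.match(r"([A-Za-z][\w;.-]*)(::?)\s*(.*)", line)
            if not m:
                continue  # comment or continuation we do not care about
            attr, sep, value = m.groups()
            if sep == "::":  # "::" marks a base64-encoded value
                value = base64.b64decode(value).decode("utf-8", "replace")
            name = attr.lower()
            if name == "dn":
                dn = value
            elif name == "userpassword" and value.upper().startswith("{LANMAN}"):
                hits.add((dn, "userPassword"))  # assumed scheme prefix
            elif name == "sambalmpassword" and value.strip():
                hits.add((dn, "sambaLMPassword"))  # any non-empty value
    return sorted(hits)

def _b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample export; every DN and hash value below is made up.
SAMPLE_LDIF = (
    "dn: uid=alice,ou=people,dc=example,dc=org\n"
    "userPassword:: " + _b64("{LANMAN}" + "0" * 32) + "\n"
    "\n"
    "dn: uid=bob,ou=people,dc=example,dc=org\n"
    "userPassword: {SSHA}constructed-placeholder\n"
    "sambaLMPassword: 1111111111111111\n"
    " 1111111111111111\n"  # folded continuation line
    "\n"
    "dn: uid=carol,ou=people,dc=example,dc=org\n"
    "userPassword: {SSHA}constructed-placeholder\n"
)

if __name__ == "__main__":
    for dn, attr in find_lanman_entries(SAMPLE_LDIF):
        print(f"{dn}: {attr} holds a LANMAN hash")
```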