Administration

Passwords

You should be aware of some general password issues that affect the security of the UNIX server.

How passwords are sent

Passwords might be encrypted or unencrypted, depending on the authentication method of the authentication server:

Using UNIX passwords to authenticate users might present a security problem in environments where very high security is required, though in most environments it does not affect the security of the system. Using VisionFS with UNIX passwords is no less secure than using the UNIX telnet program, for instance.

Mixed-case passwords on UNIX

Windows sends case-insensitive passwords to the VisionFS server. If you're using VisionFS passwords to authenticate users, this doesn't matter -- the VisionFS password database stores case-insensitive passwords, like Windows. However, UNIX passwords are case-sensitive. Consequently, with the UNIX password method, VisionFS tries different capitalizations of the password. For example, if Windows sends the password FOO, VisionFS would try the passwords foo, foO, fOo, Foo, fOO, FoO, FOo, and FOO.

This decreases security, by effectively making UNIX passwords case-insensitive, and increases the time taken to authenticate users. There is no real alternative solution other than enforcing lowercase UNIX passwords, which decreases security still further.

However, you can use the Profile Editor to reduce the number of characters in the password the VisionFS server will change the case of. This increases security (as the server will try fewer passwords) and reduces the time taken to authenticate users, but restricts the acceptable range of passwords. By default this is 8, as most UNIX systems only use the first 8 characters of passwords for authentication. Check passwd(1) for more information about UNIX passwords.

For example, if you change the setting to 2, then VisionFS will match a password with at most two uppercase characters in an otherwise lowercase password (or two lowercase characters in an uppercase password).

If one of the password combinations matches, the user is authenticated. If no match is found, the user is denied access.
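The case-variation behaviour described above, written out as an added Python example (this is not VisionFS's own code). It generates the capitalizations the text says the server will try for a given setting of the changed-characters limit, and checks each against a stored UNIX-style hash. The hash function is a constructed stand-in for crypt(3): the point is how many candidates are tried, not which hash is used.

```python
from itertools import combinations
import hashlib
import hmac


def case_variants(sent_password, max_changed):
    """Yield the distinct capitalizations to try, following the text above:
    forms with at most max_changed uppercase letters in an otherwise
    lowercase password, plus forms with at most max_changed lowercase
    letters in an otherwise uppercase password. Non-letters never change.
    """
    letter_positions = [i for i, ch in enumerate(sent_password) if ch.isalpha()]
    limit = min(max_changed, len(letter_positions))
    seen = set()
    for base, flip in ((sent_password.lower(), str.upper),
                       (sent_password.upper(), str.lower)):
        for k in range(limit + 1):
            for positions in combinations(letter_positions, k):
                chars = list(base)
                for i in positions:
                    chars[i] = flip(chars[i])
                candidate = "".join(chars)
                if candidate not in seen:      # both bases overlap for short passwords
                    seen.add(candidate)
                    yield candidate


def unix_hash(password, salt=b"constructed-salt"):
    """Stand-in for the crypt(3) hash stored in the UNIX password file.
    A salted SHA-256 is used here only so the example runs offline."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def authenticate(sent_password, stored_hash, max_changed=8):
    """Try each case variant against the stored hash.

    Returns (matched_password, attempts); matched_password is None when
    no variant matched, which the text describes as access denied.
    """
    attempts = 0
    for candidate in case_variants(sent_password, max_changed):
        attempts += 1
        if hmac.compare_digest(unix_hash(candidate), stored_hash):
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # Windows sends the password uppercased; the UNIX password is mixed case.
    stored = unix_hash("sEcReT")
    print(authenticate("SECRET", stored, max_changed=8))  # matches sEcReT
    print(authenticate("SECRET", stored, max_changed=2))  # denied: 3 letters differ
    # Cost of the default setting on an 8-letter password: 2**8 variants.
    print(len(list(case_variants("PASSWORD", 8))))
```

With the default limit of 8, an eight-letter password yields 256 candidates, one hash computation each, which is the authentication-time cost the text refers to; with the limit set to 2, the same password yields 74 candidates, and a UNIX password with three or more letters differing in case from the all-lowercase (or all-uppercase) form can no longer be matched.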

Using Windows passwords to access the VisionFS server

Often, Windows sends the VisionFS server a user's Windows password to try to authenticate the user. This means that if a user's Windows password is the same as the password for the server, the user might not be prompted for a password. However, be aware that using identical passwords decreases security:

The Windows password list

A security flaw present in Windows for Workgroups, and the first release of Windows 95, means it is computationally easy to decrypt the Windows password list file. This file contains all the passwords that Windows caches for the user, including the password for accessing the VisionFS server. Password caching is enabled by default.

This flaw is fixed by the Windows 95 Service Pack 1, which you can obtain from the Microsoft web site, www.microsoft.com.

Windows NT does not use password lists, and so does not have this flaw.

If you use versions of Windows that suffer from this security flaw, you can disable password caching so that the password for the VisionFS server is not stored on the Windows PC, and can't be decrypted in this way.

To disable password caching in Windows for Workgroups

  1. Delete all username.pwl files in the Windows directory.

  2. Add two lines to the system.ini file in the [network] section:
       CacheThisPassword=No
       PasswordCaching=No

To disable password caching in Windows 95

  1. Delete all username.pwl files in the Windows directory.

  2. Create a file called nocache.reg containing these lines:
       REGEDIT4

       [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Network]
       "DisablePwdCaching"=dword:00000001

     NOTE: The text between [ and ] must be on a single line in the file.

  3. Double-click the nocache.reg file.

© 1999 The Santa Cruz Operation, Inc. All rights reserved.
UnixWare 7 Release 7.1.1 - 5 November 1999