Can nss/pam ldap send password to ldap server already hashed?
I have nss & pam configured so that I can authenticate Linux users via LDAP against my company's AD server. All works fine except passwords are sent in plain text. For reasons out of my control our AD server does not support SSL/TLS and I don't think I can convince them to turn it on. Is it possible to configure this so that passwords are hashed before they are sent? So in other words AD stores passwords hashed, so why can't I just configure nss & pam ldap to send the password already hashed and then have the hash compared on the LDAP server? I think I have configured other software packages to do this in the past...
Solution 1:
An alternative would be to use Kerberos5 instead of an LDAP simple bind, simply via pam_krb5 for authentication only. libnss would then only use LDAP to resolve users. This way there's at least no plain text password transmission, but all the LDAP queries are of course transmitted in plain text. Note that the account needed for the simple bind to query the directory should be Domain Guest or some highly unprivileged account etc.
This is also trivial to do.
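As an added illustration of the split described in this answer (not configuration from the original post), the fragments below show the PAM, Kerberos and NSS files on a Debian-style host. The realm EXAMPLE.COM, the host dc1.example.com, the base DN, the nss-reader bind account and UID 1000 are placeholders; the files assume the classic nss_ldap /etc/ldap.conf and the pam-krb5 module, so check option names against your distribution's man pages.

```conf
# /etc/pam.d/common-auth
# Before: pam_ldap performs a simple bind with the user's password,
# so the password crosses the wire in clear text on a non-TLS link.
#auth   sufficient  pam_ldap.so use_first_pass
#
# After: local accounts via pam_unix, domain accounts via Kerberos.
# pam_krb5 proves the password to the KDC without ever transmitting it.
# minimum_uid keeps system accounts (uid < 1000) out of Kerberos.
auth    sufficient  pam_unix.so nullok_secure
auth    sufficient  pam_krb5.so use_first_pass minimum_uid=1000
auth    required    pam_deny.so

# /etc/krb5.conf
# The AD domain is the realm; a domain controller acts as the KDC.
[libdefaults]
    default_realm = EXAMPLE.COM
    dns_lookup_kdc = true

[realms]
    EXAMPLE.COM = {
        kdc = dc1.example.com
        admin_server = dc1.example.com
    }

# /etc/nsswitch.conf
# LDAP is used only to resolve users and groups; shadow stays local,
# so no password hashes are ever requested over LDAP.
passwd:  files ldap
group:   files ldap
shadow:  files

# /etc/ldap.conf (nss_ldap)
# The bind account only needs read access to user/group objects;
# keep it unprivileged, as the answer recommends. The LDAP queries
# themselves, and this bind password, still travel in clear text.
uri     ldap://dc1.example.com/
base    dc=example,dc=com
binddn  cn=nss-reader,cn=Users,dc=example,dc=com
bindpw  REPLACE_WITH_BIND_PASSWORD
```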
Solution 2:
No, because then all an attacker would need to do to impersonate a user would be to obtain the hash, with no need to crack it, rendering the hashing aspect of password storage pointless.
The approach that would satisfy this kind of need would be some sort of challenge/response authentication (CHAP, HMAC, NTLM...), which I don't believe is an option in a raw LDAP connection.
SSL is really easy to enable on a Domain Controller - it's automatic if it has an appropriate certificate - so, I'd suggest convincing the powers that be to go that route.