r11401: A simple hack to have our central credentials system deny sending LM

authentication for user@realm logins and machine account logins.

This should avoid various protocol downgrade attacks.

Andrew Bartlett
(This used to be commit 76c2d204d0)

source4/auth/credentials/credentials.c

@@ -52,6 +52,7 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
 	cred->old_password = NULL;
 	cred->smb_krb5_context = NULL;
 	cred->salt_principal = NULL;
+	cred->machine_account = False;
 
 	return cred;
 }

source4/auth/credentials/credentials.h

@@ -84,4 +84,7 @@ struct cli_credentials {
 	 * secrets.ldb when we are asked for a username or password */
 
 	BOOL machine_account_pending;
+	
+	/* Is this a machine account? */
+	BOOL machine_account;
 };

source4/auth/credentials/credentials_files.c

@@ -197,6 +197,9 @@ static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
 	/* ok, we are going to get it now, don't recurse back here */
 	cred->machine_account_pending = False;
 
+	/* some other parts of the system will key off this */
+	cred->machine_account = True;
+
 	mem_ctx = talloc_named(cred, 0, "cli_credentials fetch machine password");
 	/* Local secrets are stored in secrets.ldb */
 	ldb = secrets_db_connect(mem_ctx);

source4/auth/credentials/credentials_ntlm.c

@@ -56,6 +56,18 @@ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_
 
 	cli_credentials_get_ntlm_username_domain(cred, mem_ctx, &user, &domain);
 
+	/* If we are sending a username@realm login (see function
+	 * above), then we will not send LM, it will not be
+	 * accepted */
+	if (cred->principal_obtained > cred->username_obtained) {
+		*flags = *flags & ~CLI_CRED_LANMAN_AUTH;
+	}
+
+	/* Likewise if we are a machine account (avoid protocol downgrade attacks) */
+	if (cred->principal_obtained > cred->username_obtained) {
+		*flags = *flags & ~CLI_CRED_LANMAN_AUTH;
+	}
+
 	if (!nt_hash) {
 		static const uint8_t zeros[16];
 		/* do nothing - blobs are zero length */