
r11401: A simple hack to have our central credentials system deny sending LM

authentication for user@realm logins and machine account logins.

This should avoid various protocol downgrade attacks.

Andrew Bartlett
(This used to be commit 76c2d204d0)
This commit is contained in:
Andrew Bartlett 2005-10-31 00:23:38 +00:00 committed by Gerald (Jerry) Carter
parent fb2bceea6e
commit cfa2adf040
4 changed files with 19 additions and 0 deletions


@ -52,6 +52,7 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
cred->old_password = NULL; cred->old_password = NULL;
cred->smb_krb5_context = NULL; cred->smb_krb5_context = NULL;
cred->salt_principal = NULL; cred->salt_principal = NULL;
cred->machine_account = False;
return cred; return cred;
} }


@ -84,4 +84,7 @@ struct cli_credentials {
* secrets.ldb when we are asked for a username or password */ * secrets.ldb when we are asked for a username or password */
BOOL machine_account_pending; BOOL machine_account_pending;
/* Is this a machine account? */
BOOL machine_account;
}; };
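Review bot: The new field's comment `/* Is this a machine account? */` says neither who sets the flag nor what it changes, which matters because the flag gates an authentication decision elsewhere in this commit. Suggest `/* Set when machine account secrets are fetched; consumers use it to refuse LM authentication (protocol downgrade protection) */`. The start of struct cli_credentials is outside the hunk.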


@ -197,6 +197,9 @@ static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
/* ok, we are going to get it now, don't recurse back here */ /* ok, we are going to get it now, don't recurse back here */
cred->machine_account_pending = False; cred->machine_account_pending = False;
/* some other parts of the system will key off this */
cred->machine_account = True;
mem_ctx = talloc_named(cred, 0, "cli_credentials fetch machine password"); mem_ctx = talloc_named(cred, 0, "cli_credentials fetch machine password");
/* Local secrets are stored in secrets.ldb */ /* Local secrets are stored in secrets.ldb */
ldb = secrets_db_connect(mem_ctx); ldb = secrets_db_connect(mem_ctx);
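Review bot: `cred->machine_account = True;` is assigned before the secrets database is opened, so if the lookup that follows fails the credentials still carry the machine-account mark; the rest of cli_credentials_set_secrets is outside the hunk, so I cannot see whether the flag is cleared on the error path. Since the flag only removes the LM option it fails closed rather than open, but the comment `/* some other parts of the system will key off this */` should name the dependency instead of hinting at it: `/* Mark as a machine account: cli_credentials_get_ntlm_response() refuses LM auth for these */`.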


@ -56,6 +56,18 @@ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_
cli_credentials_get_ntlm_username_domain(cred, mem_ctx, &user, &domain); cli_credentials_get_ntlm_username_domain(cred, mem_ctx, &user, &domain);
/* If we are sending a username@realm login (see function
* above), then we will not send LM, it will not be
* accepted */
if (cred->principal_obtained > cred->username_obtained) {
*flags = *flags & ~CLI_CRED_LANMAN_AUTH;
}
/* Likewise if we are a machine account (avoid protocol downgrade attacks) */
if (cred->principal_obtained > cred->username_obtained) {
*flags = *flags & ~CLI_CRED_LANMAN_AUTH;
}
if (!nt_hash) { if (!nt_hash) {
static const uint8_t zeros[16]; static const uint8_t zeros[16];
/* do nothing - blobs are zero length */ /* do nothing - blobs are zero length */
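Review bot: The second guard under the "Likewise if we are a machine account" comment repeats the first condition, `if (cred->principal_obtained > cred->username_obtained)`, instead of testing the flag this commit introduces, so LM is never suppressed for machine accounts and the downgrade protection described in the commit message is not applied to them. The condition should read `if (cred->machine_account) {`. The two checks could alternatively be folded into one `if (cred->principal_obtained > cred->username_obtained || cred->machine_account)` with a combined comment, but correcting the condition is the minimal change. cli_credentials_get_ntlm_response continues outside the hunk.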