r11401: A simple hack to have our central credentials system deny sending LM
authentication for user@realm logins and machine account logins.
This should avoid various protocol downgrade attacks.
Andrew Bartlett
(This used to be commit 76c2d204d0)
parent
fb2bceea6e
commit
cfa2adf040
@ -52,6 +52,7 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
|
|||||||
cred->old_password = NULL;
|
cred->old_password = NULL;
|
||||||
cred->smb_krb5_context = NULL;
|
cred->smb_krb5_context = NULL;
|
||||||
cred->salt_principal = NULL;
|
cred->salt_principal = NULL;
|
||||||
|
cred->machine_account = False;
|
||||||
|
|
||||||
return cred;
|
return cred;
|
||||||
}
|
}
|
||||||
|
@ -84,4 +84,7 @@ struct cli_credentials {
|
|||||||
* secrets.ldb when we are asked for a username or password */
|
* secrets.ldb when we are asked for a username or password */
|
||||||
|
|
||||||
BOOL machine_account_pending;
|
BOOL machine_account_pending;
|
||||||
|
|
||||||
|
/* Is this a machine account? */
|
||||||
|
BOOL machine_account;
|
||||||
};
|
};
|
||||||
|
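Review bot: The comment on the new `machine_account` member says what it is but not who sets it or what depends on it, so a reader of the struct cannot tell that the flag changes authentication behaviour. Suggest `/* Is this a machine account?  Set when the machine password is fetched from secrets.ldb; when set, LM authentication must never be offered (protocol downgrade protection). */`. The struct definition starts outside the hunk; only its tail is visible here.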
@ -197,6 +197,9 @@ static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
|
|||||||
/* ok, we are going to get it now, don't recurse back here */
|
/* ok, we are going to get it now, don't recurse back here */
|
||||||
cred->machine_account_pending = False;
|
cred->machine_account_pending = False;
|
||||||
|
|
||||||
|
/* some other parts of the system will key off this */
|
||||||
|
cred->machine_account = True;
|
||||||
|
|
||||||
mem_ctx = talloc_named(cred, 0, "cli_credentials fetch machine password");
|
mem_ctx = talloc_named(cred, 0, "cli_credentials fetch machine password");
|
||||||
/* Local secrets are stored in secrets.ldb */
|
/* Local secrets are stored in secrets.ldb */
|
||||||
ldb = secrets_db_connect(mem_ctx);
|
ldb = secrets_db_connect(mem_ctx);
|
||||||
|
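Review bot: `cred->machine_account = True;` is assigned before the machine password has actually been fetched, so if `secrets_db_connect()` or the lookup that follows fails, the flag remains set on a credential set that never became a machine account; the error path of cli_credentials_set_secrets is outside the hunk, so I cannot confirm whether it resets it. Consider moving the assignment to the point where the fetched secrets are stored, or clearing it on the failure path. Nothing in the change clears the flag later, which is presumably intended (sticky downgrade protection) but deserves a comment such as `/* sticky: once set, LM is never offered for this credential set */`.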
@ -56,6 +56,18 @@ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_
|
|||||||
|
|
||||||
cli_credentials_get_ntlm_username_domain(cred, mem_ctx, &user, &domain);
|
cli_credentials_get_ntlm_username_domain(cred, mem_ctx, &user, &domain);
|
||||||
|
|
||||||
|
/* If we are sending a username@realm login (see function
|
||||||
|
* above), then we will not send LM, it will not be
|
||||||
|
* accepted */
|
||||||
|
if (cred->principal_obtained > cred->username_obtained) {
|
||||||
|
*flags = *flags & ~CLI_CRED_LANMAN_AUTH;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* Likewise if we are a machine account (avoid protocol downgrade attacks) */
|
||||||
|
if (cred->principal_obtained > cred->username_obtained) {
|
||||||
|
*flags = *flags & ~CLI_CRED_LANMAN_AUTH;
|
||||||
|
}
|
||||||
|
|
||||||
if (!nt_hash) {
|
if (!nt_hash) {
|
||||||
static const uint8_t zeros[16];
|
static const uint8_t zeros[16];
|
||||||
/* do nothing - blobs are zero length */
|
/* do nothing - blobs are zero length */
|
||||||
|
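Review bot: The second guard, under the comment "Likewise if we are a machine account", repeats the username@realm condition instead of testing the field this commit adds, so a machine account that authenticates by plain username still has LM offered and the stated downgrade protection does not take effect. Change the condition to `if (cred->machine_account) {`. The two checks could be folded into one `||` condition, but keeping them separate with their own comments reads more clearly. cli_credentials_get_ntlm_response continues outside the hunk on both sides.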