CVE-2022-37966 param: Add support for new option "kdc force enable rc4 weak session keys"
Pair-Programmed-With: Joseph Sutton <josephsutton@catalyst.net.nz> Signed-off-by: Andrew Bartlett <abartlet@samba.org> Signed-off-by: Joseph Sutton <josephsutton@catalyst.net.nz> Reviewed-by: Stefan Metzmacher <metze@samba.org>
This commit is contained in:
parent
d861d4eb28
commit
ee18bc29b8
@ -0,0 +1,24 @@
<samba:parameter name="kdc force enable rc4 weak session keys"
type="boolean"
context="G"
xmlns:samba="http://www.samba.org/samba/DTD/samba-doc">
<description>
<para>
<constant>RFC8429</constant> declares that
<constant>rc4-hmac</constant> Kerberos ciphers are weak and
there are known attacks on Active Directory use of this
cipher suite.
</para>
<para>
However for compatibility with Microsoft Windows this option
allows the KDC to assume that regardless of the value set in
a service account's
<constant>msDS-SupportedEncryptionTypes</constant> attribute
that a <constant>rc4-hmac</constant> Kerberos session key (as distinct from the ticket key, as
found in a service keytab) can be used if the potentially
older client requests it.
</para>
</description>
|
<value type="default">no</value>
</samba:parameter>
@ -3091,6 +3091,10 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
"kdc default domain supported enctypes",
"rc4-hmac aes256-cts-hmac-sha1-96-sk");
|
lpcfg_do_global_parameter(lp_ctx,
"kdc force enable rc4 weak session keys",
"no");
|
for (i = 0; parm_table[i].label; i++) {
if (!(lp_ctx->flags[i] & FLAG_CMDLINE)) {
lp_ctx->flags[i] |= FLAG_DEFAULT;
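Review bot: The new default set by the added `lpcfg_do_global_parameter(lp_ctx, "kdc force enable rc4 weak session keys", "no")` call is now declared in three unrelated places — the `<value type="default">no</value>` in the parameter XML, this call, and the `Globals.kdc_force_enable_rc4_weak_session_keys = false` initialiser in source3's init_globals — with nothing tying them together, so a future change to one is easy to miss in the others. A short comment above the call would help: `/* CVE-2022-37966: keep in sync with init_globals() and the smb.conf XML default; "yes" lets the KDC issue rc4-hmac session keys regardless of msDS-SupportedEncryptionTypes */`. The value itself is right: "no" keeps the RFC 8429 weak-cipher mitigation on unless an administrator explicitly opts out. loadparm_init() begins and ends outside this hunk.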
@ -995,6 +995,7 @@ static void init_globals(struct loadparm_context *lp_ctx, bool reinit_globals)
|
Globals.kdc_default_domain_supported_enctypes =
KERB_ENCTYPE_RC4_HMAC_MD5 | KERB_ENCTYPE_AES256_CTS_HMAC_SHA1_96_SK;
Globals.kdc_force_enable_rc4_weak_session_keys = false;
|
/* Now put back the settings that were set with lp_set_cmdline() */
apply_lp_set_cmdline();
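Review bot: `Globals.kdc_force_enable_rc4_weak_session_keys = false;` is the secure default but carries no explanation of what flipping it trades away, and this initialiser is the one most likely to be edited in isolation from the XML description. Suggest a one-line why-comment above it: `/* CVE-2022-37966: off by default; enabling lets older clients negotiate rc4-hmac session keys (weak per RFC 8429) even when msDS-SupportedEncryptionTypes excludes them */`. Since the parameter is declared with context "G" in the XML, a global initialiser here is the right place and no further change is needed. init_globals() begins and ends outside this hunk.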