sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-22 22:04:08 +03:00
Code
samba-mirror/source3/auth
History
Jeremy Allison 69abe0c2b0 CVE-2021-20251 s3: ensure bad password count atomic updates 
The bad password count is supposed to limit the number of failed login
attempt a user can make before being temporarily locked out, but race
conditions between processes have allowed determined attackers to make
many more than the specified number of attempts.  This is especially
bad on constrained or overcommitted hardware.

To fix this, once a bad password is detected, we reload the sam account
information under a user-specific mutex, ensuring we have an up to
date bad password count.

Discovered by Nathaniel W. Turner.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=14611

Signed-off-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
(cherry picked from commit 8587734bf989aeaafa9d09d78d0f381caf52d285)
2022-09-18 16:46:09 +00:00
..
auth_builtin.c
s3: safe_string: do not include string_wrappers.h
2020-08-28 00:56:34 +00:00
auth_generic.c
source3: move lib/substitute.c functions out of proto.h
2021-11-11 13:49:32 +00:00
auth_ntlmssp.c
source3: move lib/substitute.c functions out of proto.h
2021-11-11 13:49:32 +00:00
auth_sam.c
CVE-2020-25717: Add FreeIPA domain controller role
2021-11-09 19:45:33 +00:00
auth_samba4.c
CVE-2020-25717: s3:auth: start with authoritative = 1
2021-11-09 19:45:32 +00:00
auth_unix.c
auth: Fix a typo
2021-09-07 18:26:33 +00:00
auth_util.c
s3:auth: make_user_info_map() should not set mapped_state
2022-03-16 13:41:14 +00:00
auth_winbind.c
auth: Remove the "typedef auth_methods"
2020-01-06 01:47:30 +00:00
auth.c
CVE-2020-25717: Add FreeIPA domain controller role
2021-11-09 19:45:33 +00:00
check_samsec.c
CVE-2021-20251 s3: ensure bad password count atomic updates
2022-09-18 16:46:09 +00:00
pampass.c
s3: safe_string: do not include string_wrappers.h
2020-08-28 00:56:34 +00:00
pass_check.c
auth: Remove support for HAVE_TRUNCATED_SALT from pass_check.c
2014-04-15 12:32:09 +02:00
proto.h
CVE-2020-25717: s3:auth: simplify make_session_info_krb5() by removing unused arguments
2021-11-09 19:45:33 +00:00
server_info_sam.c
s3: auth: Andrew noticed f585f01148ab2d8f84c96b12e018742f5f17bcb0 doesn't keep the same logic.
2021-09-08 06:38:21 +00:00
server_info.c
auth3: Use talloc_move() instead of talloc_steal()
2021-04-19 18:18:31 +00:00
token_util.c
auth3: Align integer types
2021-03-16 17:09:32 +00:00
user_info.c
pdb: Reduce code duplication in make_user_info()
2018-10-09 01:22:53 +02:00
user_krb5.c
CVE-2020-25717: s3-auth: fix MIT Realm regression
2021-12-03 12:05:42 +00:00
user_util.c
Revert "s3:smbd: Remove NIS support"
2022-06-12 09:19:16 +00:00
wscript_build
s3:smbd: Remove NIS support
2021-04-22 17:57:30 +00:00