Author: abartlet Date: 2005-10-31 00:23:38 +0000 (Mon, 31 Oct 2005) New Revision: 11401
WebSVN: http://websvn.samba.org/cgi-bin/viewcvs.cgi?view=rev&root=samba&rev=11401 Log: A simple hack to have our central credentials system deny sending LM authentication for [EMAIL PROTECTED] logins and machine account logins. This should avoid various protocol downgrade attacks. Andrew Bartlett Modified: branches/SAMBA_4_0/source/auth/credentials/credentials.c branches/SAMBA_4_0/source/auth/credentials/credentials.h branches/SAMBA_4_0/source/auth/credentials/credentials_files.c branches/SAMBA_4_0/source/auth/credentials/credentials_ntlm.c Changeset: Modified: branches/SAMBA_4_0/source/auth/credentials/credentials.c =================================================================== --- branches/SAMBA_4_0/source/auth/credentials/credentials.c 2005-10-30 10:39:52 UTC (rev 11400) +++ branches/SAMBA_4_0/source/auth/credentials/credentials.c 2005-10-31 00:23:38 UTC (rev 11401) @@ -52,6 +52,7 @@ cred->old_password = NULL; cred->smb_krb5_context = NULL; cred->salt_principal = NULL; + cred->machine_account = False; return cred; } Modified: branches/SAMBA_4_0/source/auth/credentials/credentials.h =================================================================== --- branches/SAMBA_4_0/source/auth/credentials/credentials.h 2005-10-30 10:39:52 UTC (rev 11400) +++ branches/SAMBA_4_0/source/auth/credentials/credentials.h 2005-10-31 00:23:38 UTC (rev 11401) @@ -84,4 +84,7 @@ * secrets.ldb when we are asked for a username or password */ BOOL machine_account_pending; + + /* Is this a machine account? */ + BOOL machine_account; }; Modified: branches/SAMBA_4_0/source/auth/credentials/credentials_files.c =================================================================== --- branches/SAMBA_4_0/source/auth/credentials/credentials_files.c 2005-10-30 10:39:52 UTC (rev 11400) +++ branches/SAMBA_4_0/source/auth/credentials/credentials_files.c 2005-10-31 00:23:38 UTC (rev 11401) 
@@ -197,6 +197,9 @@ /* ok, we are going to get it now, don't recurse back here */ cred->machine_account_pending = False; + /* some other parts of the system will key off this */ + cred->machine_account = True; + mem_ctx = talloc_named(cred, 0, "cli_credentials fetch machine password"); /* Local secrets are stored in secrets.ldb */ ldb = secrets_db_connect(mem_ctx); Modified: branches/SAMBA_4_0/source/auth/credentials/credentials_ntlm.c =================================================================== --- branches/SAMBA_4_0/source/auth/credentials/credentials_ntlm.c 2005-10-30 10:39:52 UTC (rev 11400) +++ branches/SAMBA_4_0/source/auth/credentials/credentials_ntlm.c 2005-10-31 00:23:38 UTC (rev 11401) @@ -56,6 +56,18 @@ cli_credentials_get_ntlm_username_domain(cred, mem_ctx, &user, &domain); + /* If we are sending a [EMAIL PROTECTED] login (see function + * above), then we will not send LM, it will not be + * accepted */ + if (cred->principal_obtained > cred->username_obtained) { + *flags = *flags & ~CLI_CRED_LANMAN_AUTH; + } + + /* Likewise if we are a machine account (avoid protocol downgrade attacks) */ + if (cred->principal_obtained > cred->username_obtained) { + *flags = *flags & ~CLI_CRED_LANMAN_AUTH; + } + if (!nt_hash) { static const uint8_t zeros[16]; /* do nothing - blobs are zero length */
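Review bot: In the credentials_files.c hunk, `cred->machine_account = True;` is set before `secrets_db_connect()` and the secrets.ldb lookup have run, so a fetch that fails later would apparently leave the credentials marked as a machine account. For the LM restriction this errs on the strict side, but the error paths are outside the hunk, so it is worth confirming that this is intended. The comment "some other parts of the system will key off this" would also be more useful if it named the consumer, e.g. `/* mark as machine account: credentials_ntlm.c uses this to refuse LM responses */`.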
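Review bot: In the credentials_ntlm.c hunk, the second added check repeats the first condition, `if (cred->principal_obtained > cred->username_obtained)`, so the machine-account case named in its comment is never tested. The new `cred->machine_account` field, which this commit adds and sets in credentials_files.c, is not read in any visible hunk. A machine-account login whose username was obtained at the same or a higher level than the principal would keep `CLI_CRED_LANMAN_AUTH` and could still send an LM response, which is the downgrade the log message sets out to prevent. The second condition should be `if (cred->machine_account) {`. The enclosing function starts and ends outside the hunk.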