Re: Patch for Bad Password Attempt Lockout, samba3.0a22.
> On Fri, 2003-03-28 at 23:55, Jianliang Lu wrote:
> > Now the users of admin users will not be locked.
>
> admin users is not the appropriate choice here. Better would be the
> members of the 'domain admins' group. The interesting bit is finding
> this out at the right point in time...

Yes, I agree with you. But until the privilege for domain admins works, I
can only use admin users as the workaround for the administrators' group.

> > The new patch file is attached. About lockout duration, I will
> > implement it next time. I think that we should extend another attribute
> > to record the lockout time.
>
> We also need to check that the account policy has been set, and that it's
> not 0 (which I assume is the 'don't lock out' value).

'0' means forever. We can always put a max number like 9.. to that. As soon
as the user logs on with the correct password the bad attempt count will be
reset to 0.

> Also, I'm worried about the writes this will cause on the backend. An
> LDAP write can be quite expensive, and for the LDAP case this means that
> the master ldap server will be hit for every logon attempt.

Yes, but I don't know how to implement it differently.

> Andrew Bartlett

Jianliang Lu
TieSse s.p.a.
Via Jervis, 60. 10015 Ivrea (To) - Italy
[EMAIL PROTECTED]
[EMAIL PROTECTED]
Re: Patch for Bad Password Attempt Lockout, samba3.0a22.
Now the users of Domain Admins will not be locked. But until we have the
right privilege for Domain Admins, I will continue to use admin users for
the administrator's use (like add machine, user manager for domain...). The
new patch is attached.

Jianliang Lu
TieSse s.p.a.

--- auth_sam.c. Thu Mar 20 16:31:34 2003 +++ auth_sam.c.fix Mon Mar 31 17:23:09 2003 @@ -326,6 +326,12 @@ return NT_STATUS_ACCOUNT_DISABLED; } + /* Quit if the account was locked out. */ + if (acct_ctrl ACB_AUTOLOCK) { + DEBUG(1,(Account for user '%s' was locked out.\n, pdb_get_username(sampass))); + return NT_STATUS_ACCOUNT_LOCKED_OUT; + } + /* Test account expire time */ kickoff_time = pdb_get_kickoff_time(sampass); @@ -414,6 +420,8 @@ NTSTATUS nt_status; uint8 user_sess_key[16]; const uint8* lm_hash; + uint32 account_policy_lockout, badpwattempt; + GROUP_MAP map; if (!user_info || !auth_context) { return NT_STATUS_UNSUCCESSFUL; 
@@ -448,10 +456,45 @@ nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, user_sess_key); if (!NT_STATUS_IS_OK(nt_status)) { + if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD)) { + badpwattempt = (uint32)pdb_get_bad_pw_attempt(sampass) + 1; + if (!pdb_set_bad_pw_attempt(sampass, badpwattempt, PDB_CHANGED)) + DEBUG(1, (Failed to set 'badPwAttempt' for user % s. \n, + user_info-internal_username.str)); + account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, account_policy_lockout); + if (!get_group_map_from_ntname(Domain Admins, map, MAPPING_WITHOUT_PRIV)) + DEBUG(1, (auth_sam.c: Failed to get groupmap for Domain Admins)); + if ((badpwattempt = account_policy_lockout) !user_in_list(user_info-internal_username.str, lp_admin_users(-1), NULL, 0) !user_in_group_list(user_info-internal_username.str, gidtoname(map.gid), NULL, 0)) + if (!pdb_set_acct_ctrl (sampass, + pdb_get_acct_ctrl(sampass) |ACB_AUTOLOCK, + PDB_CHANGED)) { + DEBUG(1, (Failed to set 'disabled' flag for user % s. \n, + user_info-internal_username.str)); + } + + become_root(); + if (!pdb_update_sam_account(sampass)) { + DEBUG(1, (Failed to modify entry for user % s.\n, + user_info-internal_username.str)); + unbecome_root(); +} + } pdb_free_sam(sampass); return nt_status; } + if (!pdb_set_bad_pw_attempt(sampass, 0, PDB_CHANGED)) + DEBUG(1, (Failed to set 'badPwAttempt' for user % s. \n, +user_info-internal_username.str)); + if (!pdb_set_logon_time(sampass, time(NULL), PDB_CHANGED)) + DEBUG(1, (auth_sam.c : pdb_set_logon_time fialed!\n)); + + become_root(); + if(!pdb_update_sam_account(sampass)) + DEBUG(1, (Failed to modify entry for user % s.\n, +user_info-internal_username.str)); + unbecome_root(); + if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) { DEBUG(0,(check_sam_security: make_server_info_sam() failed with '%s'\n, nt_errstr(nt_status))); return nt_status;
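Review bot: the ACB_AUTOLOCK test in the @@ -326 hunk of auth_sam.c has no expiry, so once `return NT_STATUS_ACCOUNT_LOCKED_OUT;` fires the account stays refused until somebody clears the flag by hand, which is exactly the "locked until an administrator unlocks" setting this thread flags as a denial-of-service risk. The cover note already plans an attribute for the lock time; this check is where it would be consumed: compare it against the lockout-duration policy and clear ACB_AUTOLOCK (and the counter) when the period has elapsed instead of returning locked out unconditionally.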
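Review bot: `uint32 account_policy_lockout, badpwattempt;` and `GROUP_MAP map;` in the @@ -414 hunk are declared without initialisation, and in the @@ -448 hunk the failures of `account_policy_get()` and `get_group_map_from_ntname()` only DEBUG and fall through, so `account_policy_lockout` and `map.gid` can be read uninitialised on those paths. Either initialise both here (`account_policy_lockout = 0` and zero `map`) or, better, make those failures in the later hunk bail out of the lockout logic.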
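Review bot: in the wrong-password branch of the @@ -448 hunk, `unbecome_root();` sits inside the `if (!pdb_update_sam_account(sampass))` failure block, so on the normal path where the update succeeds smbd stays root for the rest of the request; move `unbecome_root();` after the if, as the success path further down already does. Three more points in the same hunk. First, nothing checks that the lockout policy is set and non-zero before `badpwattempt` is compared against `account_policy_lockout`, so an unset policy (0) locks every account on its first bad password rather than disabling lockout, which is the check Andrew asked for. Second, when `get_group_map_from_ntname(Domain Admins, ...)` fails the code logs and then still passes `map.gid` to `gidtoname()`; treat the failure explicitly as "no exemption", and note that `lp_admin_users(-1)` returns the default (global) list, not any per-share `admin users` setting. Third, the success path unconditionally calls `pdb_set_logon_time()` and `pdb_update_sam_account()`, which turns every successful logon into a backend write even when the counter was already 0; only write when `pdb_get_bad_pw_attempt()` was non-zero, and leave the logon-time update out of this patch unless it is wanted on its own. Minor: the DEBUG text says 'disabled' flag while the code sets ACB_AUTOLOCK.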
Re: Patch for Bad Password Attempt Lockout, samba3.0a22.
On Fri, 2003-03-28 at 23:55, Jianliang Lu wrote:
> Now the users of admin users will not be locked.

admin users is not the appropriate choice here. Better would be the members
of the 'domain admins' group. The interesting bit is finding this out at
the right point in time...

> The new patch file is attached. About lockout duration, I will implement
> it next time. I think that we should extend another attribute to record
> the lockout time.

We also need to check that the account policy has been set, and that it's
not 0 (which I assume is the 'don't lock out' value).

Also, I'm worried about the writes this will cause on the backend. An LDAP
write can be quite expensive, and for the LDAP case this means that the
master ldap server will be hit for every logon attempt.

Andrew Bartlett

-- 
Andrew Bartlett [EMAIL PROTECTED]
Manager, Authentication Subsystems, Samba Team [EMAIL PROTECTED]
Student Network Administrator, Hawker College [EMAIL PROTECTED]
http://samba.org http://build.samba.org http://hawkerc.net
Patch for Bad Password Attempt Lockout, samba3.0a22.
I have implemented the bad password attempt lockout policy. If a user
attempts with a bad password more times than the count set in the policy,
then his account will be auto-locked, as NT does. The implementation is
only for the LDAP passdb backend. To do this, I had to introduce a new
integer attribute in samba.schema, badPwAttempt. Following are the patches,
any comments?

Jianliang Lu
TieSse s.p.a.

--- samba-3.0alpha22-orig/source/auth/auth_sam.cMon Feb 17 16:31:06 2003 +++ samba-3.0alpha22-orig/source/auth/auth_sam.c.fixThu Mar 27 12:40:10 2003 @@ -326,6 +326,12 @@ return NT_STATUS_ACCOUNT_DISABLED; } + /* Quit if the account was locked out. */ + if (acct_ctrl ACB_AUTOLOCK) { + DEBUG(1,(Account for user '%s' was locked out.\n, pdb_get_username(sampass))); + return NT_STATUS_ACCOUNT_LOCKED_OUT; + } + /* Test account expire time */ kickoff_time = pdb_get_kickoff_time(sampass); @@ -414,6 +420,7 @@ NTSTATUS nt_status; uint8 user_sess_key[16]; const uint8* lm_hash; + uint32 account_policy_lockout, badpwattempt; if (!user_info || !auth_context) { return NT_STATUS_UNSUCCESSFUL; 
@@ -448,10 +455,43 @@ nt_status = sam_password_ok(auth_context, mem_ctx, sampass, user_info, user_sess_key); if (!NT_STATUS_IS_OK(nt_status)) { + if (NT_STATUS_EQUAL(nt_status,NT_STATUS_WRONG_PASSWORD)) { + badpwattempt = (uint32)pdb_get_bad_pw_attempt(sampass) + 1; + if (!pdb_set_bad_pw_attempt(sampass, badpwattempt, PDB_CHANGED)) + DEBUG(1, (Failed to set 'badPwAttempt' for user % s. \n, + user_info-internal_username.str)); + account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, account_policy_lockout); + if (badpwattempt = account_policy_lockout) + if (!pdb_set_acct_ctrl (sampass, + pdb_get_acct_ctrl(sampass) |ACB_AUTOLOCK, + PDB_CHANGED)) { + DEBUG(1, (Failed to set 'disabled' flag for user % s. \n, + user_info-internal_username.str)); + } + + become_root(); + if (!pdb_update_sam_account(sampass)) { + DEBUG(1, (Failed to modify entry for user % s.\n, + user_info-internal_username.str)); + unbecome_root(); +} + } pdb_free_sam(sampass); return nt_status; } + if (!pdb_set_bad_pw_attempt(sampass, 0, PDB_CHANGED)) + DEBUG(1, (Failed to set 'badPwAttempt' for user % s. \n, +user_info-internal_username.str)); + if (!pdb_set_logon_time(sampass, time(NULL), PDB_CHANGED)) + DEBUG(1, (auth_sam.c : pdb_set_logon_time fialed!\n)); + + become_root(); + if(!pdb_update_sam_account(sampass)) + DEBUG(1, (Failed to modify entry for user % s.\n, +user_info-internal_username.str)); + unbecome_root(); + if (!NT_STATUS_IS_OK(nt_status = make_server_info_sam(server_info, sampass))) { DEBUG(0,(check_sam_security: make_server_info_sam() failed with '%s'\n, nt_errstr(nt_status))); return nt_status; --- samba-3.0alpha22-orig/source/passdb/passdb.cMon Feb 24 16:12:31 2003 +++ samba-3.0alpha22-orig/source/passdb/passdb.c.fixThu Mar 27 12:40:10 2003 
@@ -60,6 +60,7 @@ memset(user-private.hours, 0xff, user-private.hours_len); /* available at all hours */ user-private.unknown_5 = 0x; /* don't know */ user-private.unknown_6 = 0x04ec; /* don't know */ + user-private.bad_pw_attempt = 0; /* bad password attemp count */ /* Some parts of samba strlen their pdb_get...() returns, so this keeps the interface unchanged for now. */ --- samba-3.0alpha22-orig/source/passdb/pdb_get_set.c Thu Jan 9 20:05:59 2003 +++ samba-3.0alpha22-orig/source/passdb/pdb_get_set.c.fix Thu Mar 27 12:40:10 2003 @@ -172,6 +172,14 @@ return (NULL); } +uint32 pdb_get_bad_pw_attempt (const SAM_ACCOUNT *sampass) +{ + if (sampass) + return (sampass-private.bad_pw_attempt); + else + return (-1); +} + /** * Get flags showing what is initalised
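Review bot: the @@ -448 hunk of auth_sam.c locks any account, the ones administrators use included, because the only condition before `pdb_get_acct_ctrl(sampass) |ACB_AUTOLOCK` is the count reaching `account_policy_lockout`; a remote caller who knows an administrative username can therefore lock the administrators out of the domain, which the NT policy avoids by never locking the built-in Administrator. Exempt privileged accounts before setting the flag. In the same hunk, `unbecome_root();` is only reached when `pdb_update_sam_account()` fails, so the process stays root after a successful update; and nothing checks that `account_policy_get(AP_BAD_ATTEMPT_LOCKOUT, ...)` succeeded and returned a non-zero value, so an unset policy locks on the first bad password.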
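Review bot: comment typo in the @@ -60 hunk of passdb.c, `/* bad password attemp count */` should read `attempt`. Initialising the field to 0 in the default SAM_ACCOUNT is right, but the LDAP load/store of badPwAttempt and the samba.schema change the cover note mentions are not in the posted diff, so as shown the counter cannot round-trip through `pdb_update_sam_account()`.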
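Review bot: `return (-1);` in the @@ -172 hunk of pdb_get_set.c comes from a function declared `uint32`, so a NULL `sampass` yields 0xFFFFFFFF and the `+ 1` in the auth_sam.c caller wraps it back to 0, silently treating a missing account as having no bad attempts; return 0 (or add a real error path) and check for NULL in the caller. The posted diff also ends inside this hunk, before the `pdb_set_bad_pw_attempt()` that auth_sam.c calls, so the setter and the PDB_CHANGED handling it relies on could not be reviewed.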
Re: Patch for Bad Password Attempt Lockout, samba3.0a22.
Remember, this opens up a new vulnerability, to denial of service attacks.
See, for example http://www.uksecurityonline.com/threat/password.php

If you're implementing this, implement the approved strategy, also used by
NT, of locking it for a settable period, and not locking out privileged
accounts. From
http://calnetad.berkeley.edu/documentation/technical/uc_domain_policy.html

    Account lockout duration
    Sets the number of minutes an account will be locked out. Allowable
    values are 0 (account is locked out until administrator unlocks it) or
    between 1 and 9 minutes. WARNING: Setting this value to 0 (until
    administrator unlocks) may allow a potential denial of service attack.
    It is important to note that the built-in Administrator account cannot
    be locked out.

--dave

Jianliang Lu wrote:
> I have implemented the bad password attempt lockout policy. If a user
> attempts with a bad password more times than the count set in the
> policy, then his account will be auto-locked, as NT does. The
> implementation is only for the LDAP passdb backend. To do this, I had to
> introduce a new integer attribute in samba.schema, badPwAttempt.
> Following are the patches, any comments?
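The policy Andrew and Dave are converging on in this thread (a threshold that must be set and non-zero, a lockout duration where 0 means "until an administrator unlocks", privileged accounts that are never locked, and no backend write unless the record actually changed) is small enough to write down as a standalone state machine. The block below is an added example, not Samba code and not anyone's patch from this thread; the type and function names (lockout_policy, account_state, lockout_evaluate, run) are invented, and the attempt scripts it replays are constructed inputs.

```c
/* Added example, not Samba code: a model of the NT-style lockout rules the
 * thread discusses (threshold, duration, privileged-account exemption and
 * write-only-when-changed). Every name below is invented for illustration. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <time.h>

typedef struct {
    uint32_t threshold;     /* bad attempts before lockout; 0 = never lock */
    uint32_t duration_secs; /* 0 = locked until an administrator unlocks */
    uint32_t window_secs;   /* forget the bad count after this long; 0 = never */
} lockout_policy;

typedef struct {
    uint32_t bad_count;
    time_t   last_bad;   /* time of the last bad attempt, 0 if none */
    time_t   locked_at;  /* 0 if not locked */
    bool     privileged; /* e.g. a Domain Admins member: exempt from lockout */
} account_state;

enum { AUTH_OK = 0, AUTH_BAD_PASSWORD = 1, AUTH_LOCKED_OUT = 2 };

static bool is_locked(const account_state *a, const lockout_policy *p, time_t now)
{
    if (a->locked_at == 0) return false;
    if (p->duration_secs == 0) return true;   /* only an administrator clears it */
    return now - a->locked_at < (time_t)p->duration_secs;
}

/* One logon attempt. password_ok is the result of the hash check the caller
 * already made. *dirty reports whether the stored record changed, so the
 * caller can skip the backend write (the expensive LDAP case) when it did not. */
int lockout_evaluate(account_state *a, const lockout_policy *p,
                     time_t now, bool password_ok, bool *dirty)
{
    *dirty = false;
    if (a->locked_at != 0 && !is_locked(a, p, now)) {   /* lock has expired */
        a->locked_at = 0;
        a->bad_count = 0;
        *dirty = true;
    }
    /* Refuse a locked account before consulting the password result, so the
     * reply does not tell a guesser whether this particular guess was right. */
    if (is_locked(a, p, now))
        return AUTH_LOCKED_OUT;
    if (password_ok) {
        if (a->bad_count != 0) {    /* nothing to reset means nothing to write */
            a->bad_count = 0;
            a->last_bad = 0;
            *dirty = true;
        }
        return AUTH_OK;
    }
    if (p->window_secs != 0 && a->last_bad != 0 &&
        now - a->last_bad >= (time_t)p->window_secs)
        a->bad_count = 0;           /* earlier failures fell outside the window */
    a->bad_count++;
    a->last_bad = now;
    *dirty = true;
    if (p->threshold != 0 && !a->privileged && a->bad_count >= p->threshold)
        a->locked_at = now;
    return AUTH_BAD_PASSWORD;
}

/* Replay a constructed script against a fresh account: 'b' = bad password,
 * 'g' = good password (one second apart), '.' = let 1000 seconds pass.
 * Returns the last result; *writes counts attempts needing a backend write. */
int run(const lockout_policy *p, bool privileged, const char *script, int *writes)
{
    account_state a = { 0, 0, 0, privileged };
    time_t now = 1000;
    int result = AUTH_OK;
    bool dirty;
    *writes = 0;
    for (const char *c = script; *c; c++) {
        if (*c == '.') { now += 1000; continue; }
        now += 1;
        result = lockout_evaluate(&a, p, now, *c == 'g', &dirty);
        if (dirty) (*writes)++;
    }
    return result;
}
int run_result(const lockout_policy *p, bool priv, const char *s) { int w; return run(p, priv, s, &w); }
int run_writes(const lockout_policy *p, bool priv, const char *s) { int w; run(p, priv, s, &w); return w; }

int main(void)
{
    lockout_policy until_admin = { 3, 0, 600 }, fifteen_min = { 3, 900, 600 };
    int w, r;
    r = run(&until_admin, false, "bbbg", &w);
    printf("user, 3 bad then correct: result %d, writes %d\n", r, w);
    r = run(&until_admin, true, "bbbg", &w);
    printf("admin, same script:       result %d, writes %d\n", r, w);
    r = run(&fifteen_min, false, "bbb.g", &w);
    printf("user, lock expires:       result %d, writes %d\n", r, w);
    return 0;
}
```

Two design points follow from the thread rather than from NT's behaviour. A correct password against a locked account is still refused, so the lockout reply never confirms a guess; and `dirty` is the answer to the LDAP-write worry: three good logons on a clean account produce no writes at all, while the patch under review writes the record on every logon because it resets the counter and stamps the logon time unconditionally.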
Re: Patch for Bad Password Attempt Lockout, samba3.0a22.
On Fri, 2003-03-28 at 06:58, David Collier-Brown -- Customer Engineering wrote:
> Remember, this opens up a new vulnerability, to denial of service attacks.
> See, for example http://www.uksecurityonline.com/threat/password.php
>
> If you're implementing this, implement the approved strategy, also used
> by NT, of locking it for a settable period, and not locking out
> privileged accounts. From
> http://calnetad.berkeley.edu/documentation/technical/uc_domain_policy.html
>
>     Account lockout duration
>     Sets the number of minutes an account will be locked out. Allowable
>     values are 0 (account is locked out until administrator unlocks it)
>     or between 1 and 9 minutes. WARNING: Setting this value to 0 (until
>     administrator unlocks) may allow a potential denial of service
>     attack. It is important to note that the built-in Administrator
>     account cannot be locked out.

Once these issues are sorted, I'm inclined to apply this patch!

Andrew Bartlett
Re: Patch for Bad Password Attempt Lockout, samba3.0a22.
You can already do that through pam_tally, what does your approach add?

Simo.

On Thu, 2003-03-27 at 15:34, Jianliang Lu wrote:
> I have implemented the bad password attempt lockout policy. If a user
> attempts with a bad password more times than the count set in the
> policy, then his account will be auto-locked, as NT does. The
> implementation is only for the LDAP passdb backend. To do this, I had to
> introduce a new integer attribute in samba.schema, badPwAttempt.
> Following are the patches, any comments?

-- 
Simo Sorce - [EMAIL PROTECTED]
Samba Team - http://www.samba.org
Italian Site - http://samba.xsec.it
Re: Patch for Bad Password Attempt Lockout, samba3.0a22.
On Fri, 2003-03-28 at 07:40, Simo wrote:
> You can already do that through pam_tally, what does your approach add?

We can't correctly trigger pam_tally from the encrypted password check.
Also, pam_tally is dodgy - it doesn't correctly handle 'oh, they got it
right'. (It makes assumptions about the way applications call PAM.)

Andrew.