authorAndrew Bartlett <abartlet@samba.org>2012-01-31 15:38:02 +1100
committerStefan Metzmacher <metze@samba.org>2012-02-17 10:48:09 +0100
commit98992b5b4eabb6c0727952e6cdb4fcfdced4583d (patch)
tree299d235c1d80a4687dc0af0614b50859161a2b30
parent82e3098e8490168733f492b6a5745a279494d4fe (diff)
s3-auth: Only allow LM_KEY cryptography when extra options are set
This crypto is incredibly poor, and can technically be enabled on an otherwise more secure connection that uses NTLM for the actual authentication leg. Therefore disable it by default. Andrew Bartlett Signed-off-by: Stefan Metzmacher <metze@samba.org>
-rw-r--r--source3/auth/auth_ntlmssp.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 36e74924ab..66d31d5f23 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -262,7 +262,12 @@ static NTSTATUS gensec_ntlmssp3_server_start(struct gensec_security *gensec_secu
ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE;
- ntlmssp_state->allow_lm_key = lp_lanman_auth();
+ if (lpcfg_lanman_auth(gensec_security->settings->lp_ctx) &&
+ gensec_setting_bool(gensec_security->settings,
+ "ntlmssp_server", "allow_lm_key", false))
+ {
+ ntlmssp_state->allow_lm_key = true;
+ }
ntlmssp_state->neg_flags =
NTLMSSP_NEGOTIATE_128 |
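Review bot: The added `if` around the `allow_lm_key` assignment has no else branch, so the disabled case now depends on `ntlmssp_state` having been zero-initialised where it is allocated, which is outside this hunk; the removed line assigned the field unconditionally. Because this flag gates the weak LM_KEY scheme, the fail-closed value is better made explicit with a direct assignment: `ntlmssp_state->allow_lm_key = lpcfg_lanman_auth(gensec_security->settings->lp_ctx) && gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "allow_lm_key", false);`. A short comment such as `/* LM_KEY is weak: require both lanman auth and the explicit ntlmssp_server allow_lm_key setting */` would tell the next reader why two switches are needed. The body of gensec_ntlmssp3_server_start starts and ends outside the hunk.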