authorAndrew Bartlett <abartlet@samba.org>2005-10-31 00:23:38 +0000
committerGerald (Jerry) Carter <jerry@samba.org>2007-10-10 13:45:31 -0500
commitcfa2adf04017c9491d4cc6a69a0bbd4869061b6d (patch)
tree48606e66d038e118bb613ad86cc5c3fe1f58438e
parentfb2bceea6e2d44f86f014a2d969591f462ee27bc (diff)
r11401: A simple hack to have our central credentials system deny sending LM
authentication for user@realm logins and machine account logins. This should avoid various protocol downgrade attacks. Andrew Bartlett (This used to be commit 76c2d204d0a1ec66d1ef3c935688c7571b051f46)
-rw-r--r--source4/auth/credentials/credentials.c1
-rw-r--r--source4/auth/credentials/credentials.h3
-rw-r--r--source4/auth/credentials/credentials_files.c3
-rw-r--r--source4/auth/credentials/credentials_ntlm.c12
4 files changed, 19 insertions, 0 deletions
diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c
index c07f0f6c6a..5d2c5c553e 100644
--- a/source4/auth/credentials/credentials.c
+++ b/source4/auth/credentials/credentials.c
@@ -52,6 +52,7 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx)
cred->old_password = NULL;
cred->smb_krb5_context = NULL;
cred->salt_principal = NULL;
+ cred->machine_account = False;
return cred;
}
diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h
index b43ddbbe89..b85337bd18 100644
--- a/source4/auth/credentials/credentials.h
+++ b/source4/auth/credentials/credentials.h
@@ -84,4 +84,7 @@ struct cli_credentials {
* secrets.ldb when we are asked for a username or password */
BOOL machine_account_pending;
+
+ /* Is this a machine account? */
+ BOOL machine_account;
};
diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c
index cdf38dcfa8..35bbc43b34 100644
--- a/source4/auth/credentials/credentials_files.c
+++ b/source4/auth/credentials/credentials_files.c
@@ -197,6 +197,9 @@ static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred,
/* ok, we are going to get it now, don't recurse back here */
cred->machine_account_pending = False;
+ /* some other parts of the system will key off this */
+ cred->machine_account = True;
+
mem_ctx = talloc_named(cred, 0, "cli_credentials fetch machine password");
/* Local secrets are stored in secrets.ldb */
ldb = secrets_db_connect(mem_ctx);
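Review bot: `cred->machine_account = True;` is assigned before `secrets_db_connect()` and the lookup that follows, so a failed fetch would leave the credentials flagged as a machine account. The rest of `cli_credentials_set_secrets` lies outside the hunk, so whether an error path resets the flag cannot be seen here. Leaving it set fails in the stricter direction (LM refused), which is probably what is wanted, but the comment "some other parts of the system will key off this" states neither that nor the consumer. A more useful comment would be `/* machine account: the NTLM response code should refuse LM for these; stays set even if the fetch below fails */`.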
diff --git a/source4/auth/credentials/credentials_ntlm.c b/source4/auth/credentials/credentials_ntlm.c
index 8540d07305..6a8b284e78 100644
--- a/source4/auth/credentials/credentials_ntlm.c
+++ b/source4/auth/credentials/credentials_ntlm.c
@@ -56,6 +56,18 @@ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_
cli_credentials_get_ntlm_username_domain(cred, mem_ctx, &user, &domain);
+ /* If we are sending a username@realm login (see function
+ * above), then we will not send LM, it will not be
+ * accepted */
+ if (cred->principal_obtained > cred->username_obtained) {
+ *flags = *flags & ~CLI_CRED_LANMAN_AUTH;
+ }
+
+ /* Likewise if we are a machine account (avoid protocol downgrade attacks) */
+ if (cred->principal_obtained > cred->username_obtained) {
+ *flags = *flags & ~CLI_CRED_LANMAN_AUTH;
+ }
+
if (!nt_hash) {
static const uint8_t zeros[16];
/* do nothing - blobs are zero length */
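Review bot: The second added check, under the comment "Likewise if we are a machine account", repeats the first check's condition `cred->principal_obtained > cred->username_obtained` and never reads the new `cred->machine_account` field. Machine-account credentials that do not also carry a later-obtained principal therefore keep `CLI_CRED_LANMAN_AUTH`, and the downgrade protection the commit message describes for machine logins is not in effect. The condition should be `if (cred->machine_account) {`. As the commit stands, the flag initialised in credentials.c and set in credentials_files.c has no reader in any visible hunk. `cli_credentials_get_ntlm_response` begins and ends outside this hunk.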