diff options
author | Luke Leighton <lkcl@samba.org> | 1999-12-06 00:44:32 +0000 |
---|---|---|
committer | Luke Leighton <lkcl@samba.org> | 1999-12-06 00:44:32 +0000 |
commit | a0ba234cf9b40adf6b5390e4e67730163a42883f (patch) | |
tree | fea2f70b2ac98de4e2c7fd218e06ea7a38f2d04d /source3/lib/passcheck.c | |
parent | 7c53f158bab61bca704340ce70f4039a178d0fde (diff) | |
download | samba-a0ba234cf9b40adf6b5390e4e67730163a42883f.tar.gz samba-a0ba234cf9b40adf6b5390e4e67730163a42883f.tar.bz2 samba-a0ba234cf9b40adf6b5390e4e67730163a42883f.zip |
the first independent msrpc daemon - lsarpcd.
one horrible cut / paste job from smbd, plus a code split of shared
components between the two.
the job is not _yet_ complete, as i need to be able to do a become_user()
call for security reasons. i picked lsarpcd first because you don't
_need_ security on it (microsoft botched so badly on this one, it's not
real. at least they fixed this in nt5 with restrictanonymous=0x2).
fixing this involves sending the current smb and unix credentials down
the unix pipe so that the daemon it eventually goes to can pick them
up at the other end.
i can't believe this all worked!!!
(This used to be commit 2245b0c6d13c7c5886e81f9137b05df883598c26)
Diffstat (limited to 'source3/lib/passcheck.c')
-rw-r--r-- | source3/lib/passcheck.c | 289 |
1 files changed, 289 insertions, 0 deletions
diff --git a/source3/lib/passcheck.c b/source3/lib/passcheck.c new file mode 100644 index 0000000000..195a404ff3 --- /dev/null +++ b/source3/lib/passcheck.c @@ -0,0 +1,289 @@ +/* + Unix SMB/Netbios implementation. + Version 1.9. + Password and authentication handling + Copyright (C) Andrew Tridgell 1992-1998 + + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU General Public License for more details. + + You should have received a copy of the GNU General Public License + along with this program; if not, write to the Free Software + Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA. +*/ + +#include "includes.h" + +extern int DEBUGLEVEL; +extern int Protocol; + +extern pstring scope; +extern pstring global_myname; +extern fstring global_myworkgroup; + + + +/**************************************************************************** +core of smb password checking routine. +****************************************************************************/ +static BOOL smb_pwd_check_ntlmv1(char *password, unsigned char *part_passwd, + unsigned char *c8, + uchar sess_key[16]) +{ + /* Finish the encryption of part_passwd. */ + unsigned char p24[24]; + + if (part_passwd == NULL) + DEBUG(10,("No password set - allowing access\n")); + /* No password set - always true ! */ + if (part_passwd == NULL) + return True; + + SMBOWFencrypt(part_passwd, c8, p24); + if (sess_key != NULL) + { + SMBsesskeygen_ntv1(part_passwd, NULL, sess_key); + } + +#if DEBUG_PASSWORD + DEBUG(100,("Part password (P16) was |")); + dump_data(100, part_passwd, 16); + DEBUG(100,("Password from client was |")); + dump_data(100, password, 24); + DEBUG(100,("Given challenge was |")); + dump_data(100, c8, 8); + DEBUG(100,("Value from encryption was |")); + dump_data(100, p24, 24); +#endif + return (memcmp(p24, password, 24) == 0); +} + +/**************************************************************************** +core of smb password checking routine. +****************************************************************************/ +static BOOL smb_pwd_check_ntlmv2(char *password, size_t pwd_len, + unsigned char *part_passwd, + unsigned char const *c8, + const char *user, const char *domain, + char *sess_key) +{ + /* Finish the encryption of part_passwd. */ + unsigned char kr[16]; + unsigned char resp[16]; + + if (part_passwd == NULL) + { + DEBUG(10,("No password set - allowing access\n")); + } + /* No password set - always true ! */ + if (part_passwd == NULL) + { + return True; + } + + ntv2_owf_gen(part_passwd, user, domain, kr); + SMBOWFencrypt_ntv2(kr, c8, 8, password+16, pwd_len-16, resp); + if (sess_key != NULL) + { + SMBsesskeygen_ntv2(kr, resp, sess_key); + } + +#if DEBUG_PASSWORD + DEBUG(100,("Part password (P16) was |")); + dump_data(100, part_passwd, 16); + DEBUG(100,("Password from client was |")); + dump_data(100, password, pwd_len); + DEBUG(100,("Given challenge was |")); + dump_data(100, c8, 8); + DEBUG(100,("Value from encryption was |")); + dump_data(100, resp, 16); +#endif + + return (memcmp(resp, password, 16) == 0); +} + +/**************************************************************************** + Do a specific test for an smb password being correct, given a smb_password and + the lanman and NT responses. +****************************************************************************/ +BOOL smb_password_ok(struct smb_passwd *smb_pass, uchar challenge[8], + const char *user, const char *domain, + uchar *lm_pass, size_t lm_pwd_len, + uchar *nt_pass, size_t nt_pwd_len, + uchar sess_key[16]) +{ + if (smb_pass == NULL) + { + return False; + } + + DEBUG(4,("Checking SMB password for user %s\n", + smb_pass->unix_name)); + + if (smb_pass->acct_ctrl & ACB_DISABLED) + { + DEBUG(3,("account for user %s was disabled.\n", + smb_pass->unix_name)); + return False; + } + + if (challenge == NULL) + { + DEBUG(1,("no challenge available - password failed\n")); + return False; + } + + if ((Protocol >= PROTOCOL_NT1) && (smb_pass->smb_nt_passwd != NULL)) + { + /* We have the NT MD4 hash challenge available - see if we can + use it (ie. does it exist in the smbpasswd file). + */ + if (lp_server_ntlmv2() != False && nt_pwd_len > 24) + { + DEBUG(4,("smb_password_ok: Check NTLMv2 password\n")); + if (smb_pwd_check_ntlmv2(nt_pass, nt_pwd_len, + (uchar *)smb_pass->smb_nt_passwd, + challenge, user, domain, + sess_key)) + { + return True; + } + } + if (lp_server_ntlmv2() != True && nt_pwd_len == 24) + { + DEBUG(4,("smb_password_ok: Check NT MD4 password\n")); + if (smb_pwd_check_ntlmv1((char *)nt_pass, + (uchar *)smb_pass->smb_nt_passwd, + challenge, + sess_key)) + { + DEBUG(4,("NT MD4 password check succeeded\n")); + return True; + } + } + DEBUG(4,("NT MD4 password check failed\n")); + } + + if (lp_server_ntlmv2() == True) + { + DEBUG(4,("Not checking LM MD4 password\n")); + return False; + } + + /* Try against the lanman password. smb_pass->smb_passwd == NULL means + no password, allow access. */ + + DEBUG(4,("Checking LM MD4 password\n")); + + if ((smb_pass->smb_passwd == NULL) && + (smb_pass->acct_ctrl & ACB_PWNOTREQ)) + { + DEBUG(4,("no password required for user %s\n", + smb_pass->unix_name)); + return True; + } + + if ((smb_pass->smb_passwd != NULL) && + smb_pwd_check_ntlmv1((char *)lm_pass, + (uchar *)smb_pass->smb_passwd, + challenge, NULL)) + { + DEBUG(4,("LM MD4 password check succeeded\n")); + return(True); + } + + DEBUG(4,("LM MD4 password check failed\n")); + + return False; +} + + +/**************************************************************************** +check if a username/password is OK assuming the password is a 24 byte +SMB hash +return True if the password is correct, False otherwise +****************************************************************************/ +BOOL pass_check_smb(struct smb_passwd *smb_pass, char *domain, uchar *chal, + uchar *lm_pwd, size_t lm_pwd_len, + uchar *nt_pwd, size_t nt_pwd_len, + struct passwd *pwd, uchar user_sess_key[16]) +{ + const struct passwd *pass; + struct passwd pw; + char *user = NULL; + + if (smb_pass == NULL) + { + DEBUG(3,("Couldn't find user %s in smb_passwd file.\n", user)); + return False; + } + + user = smb_pass->unix_name; + + if (lm_pwd == NULL || nt_pwd == NULL) + { + return False; + } + + if (pwd != NULL && user == NULL) + { + pass = (struct passwd *) pwd; + user = pass->pw_name; + } + else + { + pass = Get_Pwnam(user,True); + if (pass == NULL) + { + DEBUG(3,("Couldn't find user %s\n",user)); + return False; + } + memcpy(&pw, pass, sizeof(struct passwd)); + pass = &pw; + } + + /* Quit if the account was disabled. */ + if (smb_pass->acct_ctrl & ACB_DISABLED) { + DEBUG(3,("account for user %s was disabled.\n", user)); + return False; + } + + /* Ensure the uid's match */ + if (smb_pass->unix_uid != pass->pw_uid) + { + DEBUG(3,("Error : UNIX (%d) and SMB (%d) uids in password files do not match !\n", pass->pw_uid, smb_pass->unix_uid)); + return False; + } + + if (lm_pwd[0] == '\0' && IS_BITS_SET_ALL(smb_pass->acct_ctrl, ACB_PWNOTREQ) && lp_null_passwords()) + { + DEBUG(3,("account for user %s has no password and null passwords are allowed.\n", smb_pass->unix_name)); + return(True); + } + + if (smb_password_ok(smb_pass, chal, user, domain, + lm_pwd, lm_pwd_len, + nt_pwd, nt_pwd_len, + user_sess_key)) + { + if (user_sess_key != NULL) + { +#ifdef DEBUG_PASSWORD + DEBUG(100,("user session key: ")); + dump_data(100, user_sess_key, 16); +#endif + } + return(True); + } + + DEBUG(3,("Error pass_check_smb failed\n")); + return False; +} + |