diff options
| author | Jeremy Allison <jra@samba.org> | 2006-08-20 03:53:42 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:38:43 -0500 |
| commit | 4031af7606fc1c57aec4e48f9f24466e6164bc66 (patch) | |
| tree | 6a755c780ff3aa327e37b20b07025e119bd98473 /source3/nsswitch/winbindd_pam.c | |
| parent | b2d5dd7281805a25a86124d76dbc091fe12efff5 (diff) | |
| download | samba-4031af7606fc1c57aec4e48f9f24466e6164bc66.tar.gz samba-4031af7606fc1c57aec4e48f9f24466e6164bc66.tar.bz2 samba-4031af7606fc1c57aec4e48f9f24466e6164bc66.zip | |
r17617: Take Andrew Bartletts excellent advice and don't store
the nt hash directly in the winbindd cache, store a
salted version (MD5 of salt + nt_hash). This is what
we do in the LDAP password history code. We store
this salted cache entry under the same name as an old
entry (CRED/<sid>) but detect it on read by checking
if there are 17 bytes of data after the first stored
hash (1 byte len, 16 bytes hash). GD PLEASE CHECK.
Jeremy.
(This used to be commit 89d0163a97edaa46049406ea3e2152bee4e0d1b2)
Diffstat (limited to 'source3/nsswitch/winbindd_pam.c')
| -rw-r--r-- | source3/nsswitch/winbindd_pam.c | 24 |
1 files changed, 22 insertions, 2 deletions
diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 365b277160..8931b1373e 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -736,8 +736,10 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, enum SID_NAME_USE type; uchar new_nt_pass[NT_HASH_LEN]; const uint8 *cached_nt_pass; + const uint8 *cached_salt; NET_USER_INFO_3 *my_info3; time_t kickoff_time, must_change_time; + BOOL password_good = False; *info3 = NULL; @@ -768,7 +770,8 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, state->mem_ctx, &sid, &my_info3, - &cached_nt_pass); + &cached_nt_pass, + &cached_salt); if (!NT_STATUS_IS_OK(result)) { DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result))); return result; @@ -781,9 +784,26 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, #if DEBUG_PASSWORD dump_data(100, (const char *)new_nt_pass, NT_HASH_LEN); dump_data(100, (const char *)cached_nt_pass, NT_HASH_LEN); + if (cached_salt) { + dump_data(100, (const char *)cached_salt, NT_HASH_LEN); + } #endif - if (!memcmp(cached_nt_pass, new_nt_pass, NT_HASH_LEN)) { + if (cached_salt) { + /* In this case we didn't store the nt_hash itself, + but the MD5 combination of salt + nt_hash. */ + uchar salted_hash[NT_HASH_LEN]; + E_md5hash(cached_salt, new_nt_pass, salted_hash); + + password_good = (memcmp(cached_nt_pass, salted_hash, NT_HASH_LEN) == 0) ? + True : False; + } else { + /* Old cached cred - direct store of nt_hash (bad bad bad !). */ + password_good = (memcmp(cached_nt_pass, new_nt_pass, NT_HASH_LEN) == 0) ? + True : False; + } + + if (password_good) { /* User *DOES* know the password, update logon_time and reset * bad_pw_count */ |