diff options
| author | Jeremy Allison <jra@samba.org> | 2006-08-20 03:53:42 +0000 |
|---|---|---|
| committer | Gerald (Jerry) Carter <jerry@samba.org> | 2007-10-10 11:38:43 -0500 |
| commit | 4031af7606fc1c57aec4e48f9f24466e6164bc66 (patch) | |
| tree | 6a755c780ff3aa327e37b20b07025e119bd98473 /source3/nsswitch | |
| parent | b2d5dd7281805a25a86124d76dbc091fe12efff5 (diff) | |
| download | samba-4031af7606fc1c57aec4e48f9f24466e6164bc66.tar.gz samba-4031af7606fc1c57aec4e48f9f24466e6164bc66.tar.bz2 samba-4031af7606fc1c57aec4e48f9f24466e6164bc66.zip | |
r17617: Take Andrew Bartletts excellent advice and don't store
the nt hash directly in the winbindd cache, store a
salted version (MD5 of salt + nt_hash). This is what
we do in the LDAP password history code. We store
this salted cache entry under the same name as an old
entry (CRED/<sid>) but detect it on read by checking
if there are 17 bytes of data after the first stored
hash (1 byte len, 16 bytes hash). GD PLEASE CHECK.
Jeremy.
(This used to be commit 89d0163a97edaa46049406ea3e2152bee4e0d1b2)
Diffstat (limited to 'source3/nsswitch')
| -rw-r--r-- | source3/nsswitch/winbindd_cache.c | 44 | ||||
| -rw-r--r-- | source3/nsswitch/winbindd_creds.c | 5 | ||||
| -rw-r--r-- | source3/nsswitch/winbindd_pam.c | 24 |
3 files changed, 63 insertions, 10 deletions
diff --git a/source3/nsswitch/winbindd_cache.c b/source3/nsswitch/winbindd_cache.c index 865cf121b1..63c4bb58fc 100644 --- a/source3/nsswitch/winbindd_cache.c +++ b/source3/nsswitch/winbindd_cache.c @@ -47,6 +47,7 @@ struct cache_entry { }; #define WINBINDD_MAX_CACHE_SIZE (50*1024*1024) +#define WINBINDD_CACHE_VERSION "WB_CACHE_VERSION_1" static struct winbind_cache *wcache; @@ -874,11 +875,14 @@ NTSTATUS wcache_cached_creds_exist(struct winbindd_domain *domain, const DOM_SID return NT_STATUS_OK; } -/* Lookup creds for a SID */ +/* Lookup creds for a SID - copes with old (unsalted) creds as well + as new salted ones. */ + NTSTATUS wcache_get_creds(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, const DOM_SID *sid, - const uint8 **cached_nt_pass) + const uint8 **cached_nt_pass, + const uint8 **cached_salt) { struct winbind_cache *cache = get_cache(domain); struct cache_entry *centry = NULL; @@ -898,19 +902,37 @@ NTSTATUS wcache_get_creds(struct winbindd_domain *domain, return NT_STATUS_INVALID_SID; } + /* Try and get a salted cred first. If we can't + fall back to an unsalted cred. */ + centry = wcache_fetch(cache, domain, "CRED/%s", sid_string_static(sid)); - if (!centry) { DEBUG(10,("wcache_get_creds: entry for [CRED/%s] not found\n", - sid_string_static(sid))); + sid_string_static(sid))); return NT_STATUS_OBJECT_NAME_NOT_FOUND; } t = centry_time(centry); + + /* In the salted case this isn't actually the nt_hash itself, + but the MD5 of the salt + nt_hash. Let the caller + sort this out. It can tell as we only return the cached_salt + if we are returning a salted cred. */ + *cached_nt_pass = (const uint8 *)centry_hash16(centry, mem_ctx); + /* We only have 17 bytes more data in the salted cred case. */ + if (centry->len - centry->ofs == 17) { + *cached_salt = (const uint8 *)centry_hash16(centry, mem_ctx); + } else { + *cached_salt = NULL; + } + #if DEBUG_PASSWORD - dump_data(100, (const char *)cached_nt_pass, NT_HASH_LEN); + dump_data(100, (const char *)*cached_nt_pass, NT_HASH_LEN); + if (*cached_salt) { + dump_data(100, (const char *)*cached_salt, NT_HASH_LEN); + } #endif status = centry->status; @@ -921,6 +943,8 @@ NTSTATUS wcache_get_creds(struct winbindd_domain *domain, return status; } +/* Store creds for a SID - only writes out new salted ones. */ + NTSTATUS wcache_save_creds(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, const DOM_SID *sid, @@ -929,6 +953,8 @@ NTSTATUS wcache_save_creds(struct winbindd_domain *domain, struct cache_entry *centry; fstring sid_string; uint32 rid; + uint8 cred_salt[NT_HASH_LEN]; + uint8 salted_hash[NT_HASH_LEN]; if (is_null_sid(sid)) { return NT_STATUS_INVALID_SID; @@ -948,7 +974,13 @@ NTSTATUS wcache_save_creds(struct winbindd_domain *domain, #endif centry_put_time(centry, time(NULL)); - centry_put_hash16(centry, nt_pass); + + /* Create a salt and then salt the hash. */ + generate_random_buffer(cred_salt, NT_HASH_LEN); + E_md5hash(cred_salt, nt_pass, salted_hash); + + centry_put_hash16(centry, salted_hash); + centry_put_hash16(centry, cred_salt); centry_end(centry, "CRED/%s", sid_to_string(sid_string, sid)); DEBUG(10,("wcache_save_creds: %s\n", sid_string)); diff --git a/source3/nsswitch/winbindd_creds.c b/source3/nsswitch/winbindd_creds.c index 414dd24af9..75d21353fd 100644 --- a/source3/nsswitch/winbindd_creds.c +++ b/source3/nsswitch/winbindd_creds.c @@ -31,12 +31,13 @@ NTSTATUS winbindd_get_creds(struct winbindd_domain *domain, TALLOC_CTX *mem_ctx, const DOM_SID *sid, NET_USER_INFO_3 **info3, - const uint8 *cached_nt_pass[NT_HASH_LEN]) + const uint8 *cached_nt_pass[NT_HASH_LEN], + const uint8 *cred_salt[NT_HASH_LEN]) { NET_USER_INFO_3 *info; NTSTATUS status; - status = wcache_get_creds(domain, mem_ctx, sid, cached_nt_pass); + status = wcache_get_creds(domain, mem_ctx, sid, cached_nt_pass, cred_salt); if (!NT_STATUS_IS_OK(status)) { return status; } diff --git a/source3/nsswitch/winbindd_pam.c b/source3/nsswitch/winbindd_pam.c index 365b277160..8931b1373e 100644 --- a/source3/nsswitch/winbindd_pam.c +++ b/source3/nsswitch/winbindd_pam.c @@ -736,8 +736,10 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, enum SID_NAME_USE type; uchar new_nt_pass[NT_HASH_LEN]; const uint8 *cached_nt_pass; + const uint8 *cached_salt; NET_USER_INFO_3 *my_info3; time_t kickoff_time, must_change_time; + BOOL password_good = False; *info3 = NULL; @@ -768,7 +770,8 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, state->mem_ctx, &sid, &my_info3, - &cached_nt_pass); + &cached_nt_pass, + &cached_salt); if (!NT_STATUS_IS_OK(result)) { DEBUG(10,("winbindd_dual_pam_auth_cached: failed to get creds: %s\n", nt_errstr(result))); return result; @@ -781,9 +784,26 @@ NTSTATUS winbindd_dual_pam_auth_cached(struct winbindd_domain *domain, #if DEBUG_PASSWORD dump_data(100, (const char *)new_nt_pass, NT_HASH_LEN); dump_data(100, (const char *)cached_nt_pass, NT_HASH_LEN); + if (cached_salt) { + dump_data(100, (const char *)cached_salt, NT_HASH_LEN); + } #endif - if (!memcmp(cached_nt_pass, new_nt_pass, NT_HASH_LEN)) { + if (cached_salt) { + /* In this case we didn't store the nt_hash itself, + but the MD5 combination of salt + nt_hash. */ + uchar salted_hash[NT_HASH_LEN]; + E_md5hash(cached_salt, new_nt_pass, salted_hash); + + password_good = (memcmp(cached_nt_pass, salted_hash, NT_HASH_LEN) == 0) ? + True : False; + } else { + /* Old cached cred - direct store of nt_hash (bad bad bad !). */ + password_good = (memcmp(cached_nt_pass, new_nt_pass, NT_HASH_LEN) == 0) ? + True : False; + } + + if (password_good) { /* User *DOES* know the password, update logon_time and reset * bad_pw_count */ |