From 98992b5b4eabb6c0727952e6cdb4fcfdced4583d Mon Sep 17 00:00:00 2001
From: Andrew Bartlett
Date: Tue, 31 Jan 2012 15:38:02 +1100
Subject: s3-auth: Only allow LM_KEY cryptography when extra options are set
This crypto is incredibly poor, and can technically be enabled on an otherwise more secure connection that uses NTLM for the actual authentication leg. Therefore disable it by default. Andrew Bartlett
Signed-off-by: Stefan Metzmacher
---
 source3/auth/auth_ntlmssp.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
(limited to 'source3/auth/auth_ntlmssp.c')
diff --git a/source3/auth/auth_ntlmssp.c b/source3/auth/auth_ntlmssp.c
index 36e74924ab..66d31d5f23 100644
--- a/source3/auth/auth_ntlmssp.c
+++ b/source3/auth/auth_ntlmssp.c
@@ -262,7 +262,12 @@ static NTSTATUS gensec_ntlmssp3_server_start(struct gensec_security *gensec_secu
 ntlmssp_state->expected_state = NTLMSSP_NEGOTIATE;
- ntlmssp_state->allow_lm_key = lp_lanman_auth();
+ if (lpcfg_lanman_auth(gensec_security->settings->lp_ctx) &&
+ gensec_setting_bool(gensec_security->settings,
+ "ntlmssp_server", "allow_lm_key", false))
+ {
+ ntlmssp_state->allow_lm_key = true;
+ }
 ntlmssp_state->neg_flags = NTLMSSP_NEGOTIATE_128 |
-- cgit
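Review bot: The new `if` only ever sets `ntlmssp_state->allow_lm_key = true`, whereas the removed line assigned the field unconditionally. The secure default therefore depends on the state having been zero-initialised, and that allocation is outside this hunk, so it cannot be confirmed from here. Assigning the result directly keeps the fail-closed value explicit: `ntlmssp_state->allow_lm_key = lpcfg_lanman_auth(gensec_security->settings->lp_ctx) && gensec_setting_bool(gensec_security->settings, "ntlmssp_server", "allow_lm_key", false);`. A short comment above it would also help, for example `/* LM_KEY session crypto is weak: require both lanman auth and the explicit ntlmssp_server allow_lm_key gensec setting (default off) */`, so the double opt-in is not later simplified back to a single check. The body of gensec_ntlmssp3_server_start continues beyond the hunk on both sides.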