From cfa2adf04017c9491d4cc6a69a0bbd4869061b6d Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 31 Oct 2005 00:23:38 +0000 Subject: r11401: A simple hack to have our central credentials system deny sending LM authentication for user@realm logins and machine account logins. This should avoid various protocol downgrade attacks. Andrew Bartlett (This used to be commit 76c2d204d0a1ec66d1ef3c935688c7571b051f46) --- source4/auth/credentials/credentials.c | 1 + source4/auth/credentials/credentials.h | 3 +++ source4/auth/credentials/credentials_files.c | 3 +++ source4/auth/credentials/credentials_ntlm.c | 12 ++++++++++++ 4 files changed, 19 insertions(+) (limited to 'source4/auth/credentials') diff --git a/source4/auth/credentials/credentials.c b/source4/auth/credentials/credentials.c index c07f0f6c6a..5d2c5c553e 100644 --- a/source4/auth/credentials/credentials.c +++ b/source4/auth/credentials/credentials.c @@ -52,6 +52,7 @@ struct cli_credentials *cli_credentials_init(TALLOC_CTX *mem_ctx) cred->old_password = NULL; cred->smb_krb5_context = NULL; cred->salt_principal = NULL; + cred->machine_account = False; return cred; } diff --git a/source4/auth/credentials/credentials.h b/source4/auth/credentials/credentials.h index b43ddbbe89..b85337bd18 100644 --- a/source4/auth/credentials/credentials.h +++ b/source4/auth/credentials/credentials.h @@ -84,4 +84,7 @@ struct cli_credentials { * secrets.ldb when we are asked for a username or password */ BOOL machine_account_pending; + + /* Is this a machine account? */ + BOOL machine_account; }; diff --git a/source4/auth/credentials/credentials_files.c b/source4/auth/credentials/credentials_files.c index cdf38dcfa8..35bbc43b34 100644 --- a/source4/auth/credentials/credentials_files.c +++ b/source4/auth/credentials/credentials_files.c @@ -197,6 +197,9 @@ static NTSTATUS cli_credentials_set_secrets(struct cli_credentials *cred, /* ok, we are going to get it now, don't recurse back here */ cred->machine_account_pending = False; + /* some other parts of the system will key off this */ + cred->machine_account = True; + mem_ctx = talloc_named(cred, 0, "cli_credentials fetch machine password"); /* Local secrets are stored in secrets.ldb */ ldb = secrets_db_connect(mem_ctx); diff --git a/source4/auth/credentials/credentials_ntlm.c b/source4/auth/credentials/credentials_ntlm.c index 8540d07305..6a8b284e78 100644 --- a/source4/auth/credentials/credentials_ntlm.c +++ b/source4/auth/credentials/credentials_ntlm.c @@ -56,6 +56,18 @@ NTSTATUS cli_credentials_get_ntlm_response(struct cli_credentials *cred, TALLOC_ cli_credentials_get_ntlm_username_domain(cred, mem_ctx, &user, &domain); + /* If we are sending a username@realm login (see function + * above), then we will not send LM, it will not be + * accepted */ + if (cred->principal_obtained > cred->username_obtained) { + *flags = *flags & ~CLI_CRED_LANMAN_AUTH; + } + + /* Likewise if we are a machine account (avoid protocol downgrade attacks) */ + if (cred->principal_obtained > cred->username_obtained) { + *flags = *flags & ~CLI_CRED_LANMAN_AUTH; + } + if (!nt_hash) { static const uint8_t zeros[16]; /* do nothing - blobs are zero length */ -- cgit