On Thu, Mar 02, 2006 at 09:52:47PM +0100, Mark Proehl wrote:
> On Thu, Mar 02, 2006 at 02:35:50PM -0600, Gerald (Jerry) Carter wrote:
> > Mark Proehl wrote:
> > 
> > > I am aware that both hashes are equivalent to clear text passwords
> > > and must be protected therefore. But cracking passwords with tools
> > > like john is much faster if the lm hashes are available, so I think
> > > there should be an option to disable them.
> > 
> > If you use passwords >14 characters in length, I'm sure the
> > lanman hashes are not generated.  I would need to dig through
> > the code to remember how to prevent them from being generated
> > in other scenarios.  Maybe later.
> 
>   [EMAIL PROTECTED]:~> smbpasswd
>   Old SMB password: [qwert123]
>   New SMB password: [qwertzuiop12345]
>   Retype new SMB password: [qwertzuiop12345]
>   Password changed for user mark
>   [EMAIL PROTECTED]:~> ldapsearch -LLL  uid=mark sambaLMPassword sambaNTPassword
>   SASL/GSSAPI authentication started
>   SASL username: [EMAIL PROTECTED]
>   SASL SSF: 56
>   SASL installing layers
>   dn: uid=mark,ou=people,dc=example,dc=com
>   sambaNTPassword: 1A1B11A0FE8352FB618F1B59A7CA3D2B
>   
>   [EMAIL PROTECTED]:~> 
>  
> Cool! But forcing users to passwords > 14 chars is not that easy...
> 
> Are you sure that there is no other way to disable lanman hashes?
> 
> Mark

I created a patch that introduces a new parameter "disable lanman hash"
(attached). 

Is pdb_set_lanman_passwd in passdb/pdb_get_set.c the only function
that has to be modified?

Please tell me what you think about this patch.

I did some testing and will do some more testing with this patch
tomorrow.

Mark
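
An added example, not part of the original mail and not Samba code: the `ldapsearch -LLL` check from the quoted session turned into an audit that reports which accounts still carry a `sambaLMPassword` value. The function names, the status labels and the LDIF sample (apart from the `uid=mark` entry quoted above) are constructed for illustration.

```python
import base64
import re

LM = "0123456789ABCDEF0123456789ABCDEF"  # constructed placeholder, not a real hash
LM_B64 = base64.b64encode(LM.encode()).decode()
# Constructed sample in the shape of `ldapsearch -LLL` output (LDIF).
SAMPLE_LDIF = (
    "dn: uid=mark,ou=people,dc=example,dc=com\n"
    "sambaNTPassword: 1A1B11A0FE8352FB618F1B59A7CA3D2B\n\n"
    "dn: uid=alice,ou=people,dc=example,dc=com\n"
    f"sambaLMPassword: {LM}\n"
    "sambaNTPassword: 00112233445566778899AABBCCDDEEFF\n\n"
    "dn: uid=bob,ou=people,dc=example,dc=com\n"
    f"sambaLMPassword:: {LM_B64}\n\n"          # base64-encoded value ("::")
    "dn: uid=carol,ou=people,\n dc=example,dc=com\n"  # folded long line
    "sambaNTPassword: 00112233445566778899AABBCCDDEEFF\n"
)
HEX32 = re.compile(r"[0-9A-Fa-f]{32}")

def parse_ldif(text):
    """Yield one {lowercased attribute: [values]} dict per LDIF entry."""
    # RFC 2849: a line that starts with one space continues the previous line.
    unfolded = re.sub(r"\r?\n ", "", text)
    for block in re.split(r"\r?\n\s*\r?\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            if not line or line.startswith("#"):
                continue
            attr, _, value = line.partition(":")
            if value.startswith(":"):  # "attr:: <base64>"
                raw = base64.b64decode(value[1:].strip())
                value = raw.decode("utf-8", "replace")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        if "dn" in entry:
            yield entry

def audit_lm_hashes(text):
    """Return {dn: status} describing which password hashes each entry stores."""
    report = {}
    for entry in parse_ldif(text):
        lm = entry.get("sambalmpassword", [])
        if any(HEX32.fullmatch(v) for v in lm):
            status = "lm-present"        # LM hash still stored for this account
        elif lm:
            status = "lm-unrecognised"   # attribute set, but not a 32-digit hex hash
        elif entry.get("sambantpassword"):
            status = "nt-only"           # the state shown for uid=mark above
        else:
            status = "no-hash"
        report[entry["dn"][0]] = status
    return report
```
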
diff -Naur samba-3.0.21c.org/source/param/loadparm.c 
samba-3.0.21c/source/param/loadparm.c
--- samba-3.0.21c.org/source/param/loadparm.c   2006-02-20 21:33:21.000000000 
+0100
+++ samba-3.0.21c/source/param/loadparm.c       2006-03-02 22:15:26.148858000 
+0100
@@ -279,6 +279,7 @@
        BOOL bKernelOplocks;
        BOOL bAllowTrustedDomains;
        BOOL bLanmanAuth;
+       BOOL bDisableLanmanHash;
        BOOL bNTLMAuth;
        BOOL bUseSpnego;
        BOOL bClientLanManAuth;
@@ -868,6 +869,7 @@
        {"unix password sync", P_BOOL, P_GLOBAL, &Globals.bUnixPasswdSync, 
NULL, NULL, FLAG_ADVANCED}, 
        {"restrict anonymous", P_INTEGER, P_GLOBAL, 
&Globals.restrict_anonymous, NULL, NULL, FLAG_ADVANCED}, 
        {"lanman auth", P_BOOL, P_GLOBAL, &Globals.bLanmanAuth, NULL, NULL, 
FLAG_ADVANCED}, 
+       {"disable lanman hash", P_BOOL, P_GLOBAL, &Globals.bDisableLanmanHash, 
NULL, NULL, FLAG_ADVANCED}, 
        {"ntlm auth", P_BOOL, P_GLOBAL, &Globals.bNTLMAuth, NULL, NULL, 
FLAG_ADVANCED}, 
        {"client NTLMv2 auth", P_BOOL, P_GLOBAL, &Globals.bClientNTLMv2Auth, 
NULL, NULL, FLAG_ADVANCED}, 
        {"client lanman auth", P_BOOL, P_GLOBAL, &Globals.bClientLanManAuth, 
NULL, NULL, FLAG_ADVANCED}, 
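Review bot: the new "disable lanman hash" entry in the parameter table comes with no documentation anywhere in this patch, and its negated name sits directly beside the positive-sense "lanman auth". Please add the manual text for the option and state there how the two interact, since "lanman auth" stays enabled by default while this option removes the hash it would check against.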
@@ -1511,6 +1513,7 @@
        Globals.bClientLanManAuth = True;       /* Do use the LanMan hash if it 
is available */
        Globals.bClientPlaintextAuth = True;    /* Do use a plaintext password 
if is requested by the server */
        Globals.bLanmanAuth = True;     /* Do use the LanMan hash if it is 
available */
+       Globals.bDisableLanmanHash = False;
        Globals.bNTLMAuth = True;       /* Do use NTLMv1 if it is available 
(otherwise NTLMv2) */
        Globals.bClientNTLMv2Auth = False; /* Client should not use NTLMv2, as 
we can't tell that the server supports it. */
        /* Note, that we will use NTLM2 session security (which is different), 
if it is available */
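Review bot: the added `Globals.bDisableLanmanHash = False;` is the only default in this block without a trailing comment, while every neighbouring assignment explains its choice. A short comment stating that LanMan hashes continue to be stored unless the administrator opts out would match the surrounding style and make the security-relevant default explicit.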
@@ -1852,6 +1855,7 @@
 FN_GLOBAL_BOOL(lp_allow_trusted_domains, &Globals.bAllowTrustedDomains)
 FN_GLOBAL_INTEGER(lp_restrict_anonymous, &Globals.restrict_anonymous)
 FN_GLOBAL_BOOL(lp_lanman_auth, &Globals.bLanmanAuth)
+FN_GLOBAL_BOOL(lp_disable_lanman_hash, &Globals.bDisableLanmanHash)
 FN_GLOBAL_BOOL(lp_ntlm_auth, &Globals.bNTLMAuth)
 FN_GLOBAL_BOOL(lp_client_plaintext_auth, &Globals.bClientPlaintextAuth)
 FN_GLOBAL_BOOL(lp_client_lanman_auth, &Globals.bClientLanManAuth)
diff -Naur samba-3.0.21c.org/source/passdb/pdb_get_set.c 
samba-3.0.21c/source/passdb/pdb_get_set.c
--- samba-3.0.21c.org/source/passdb/pdb_get_set.c       2005-10-18 
04:45:02.000000000 +0200
+++ samba-3.0.21c/source/passdb/pdb_get_set.c   2006-03-02 22:32:50.466762336 
+0100
@@ -977,7 +977,7 @@
 
        data_blob_clear_free(&sampass->private_u.lm_pw);
        
-       if (pwd) {
+       if (pwd && !lp_disable_lanman_hash()) {
                sampass->private_u.lm_pw = data_blob(pwd, LM_HASH_LEN);
        } else {
                sampass->private_u.lm_pw = data_blob(NULL, 0);
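Review bot: the `!lp_disable_lanman_hash()` test is placed in the generic setter, so it affects every caller that hands in an LM hash, not only password changes, and the hunk shows only the in-memory `lm_pw` blob being emptied. Nothing visible here confirms that a passdb backend then removes an already stored value (for example the sambaLMPassword attribute) rather than leaving it untouched, so please check the callers and the backend write path, and add a comment above the condition naming the parameter that suppresses the hash.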