samba.git/libcli/auth/ntlm_check.c, branch talloc-2.2.0 Unnamed repository; edit this file 'description' to name the repository. libcli:auth: Only use the required md4 header 2019-02-27T07:59:27+00:00 Andreas Schneider asn@samba.org 2019-02-27T07:02:24+00:00 a1a005cb52e6890d35f9bdb856d47bf01c8b752f Signed-off-by: Andreas Schneider <asn@samba.org> Reviewed-by: Volker Lendecke <vl@samba.org> 
Signed-off-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Volker Lendecke <vl@samba.org>
CVE-2018-1139 libcli/auth: Do not allow ntlmv1 over SMB1 when it is disabled via "ntlm auth". 2018-08-14T11:57:15+00:00 Günther Deschner gd@samba.org 2018-03-13T15:56:20+00:00 c25460ee1f1b10bf69eaaf1ac937da225854d1d1 This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0. Found by Vivek Das <vdas@redhat.com> (Red Hat QE). In order to demonstrate simply run: smbclient //server/share -U user%password -mNT1 -c quit \ --option="client ntlmv2 auth"=no \ --option="client use spnego"=no against a server that uses "ntlm auth = ntlmv2-only" (our default setting). BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 CVE-2018-1139: Weak authentication protocol allowed. Guenther Pair-Programmed-With: Stefan Metzmacher <metze@samba.org> Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
This fixes a regression that came in via 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0.

Found by Vivek Das <vdas@redhat.com> (Red Hat QE).

In order to demonstrate simply run:

smbclient //server/share -U user%password -mNT1 -c quit \
--option="client ntlmv2 auth"=no \
--option="client use spnego"=no

against a server that uses "ntlm auth = ntlmv2-only" (our default
setting).

BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

CVE-2018-1139: Weak authentication protocol allowed.

Guenther

Pair-Programmed-With: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
CVE-2018-1139 libcli/auth: fix debug messages in hash_password_check() 2018-08-14T11:57:15+00:00 Günther Deschner gd@samba.org 2018-03-14T14:36:05+00:00 1d89fe91a7336950b1ba84b8680f015e228047f5 BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360 CVE-2018-1139: Weak authentication protocol allowed. Guenther Signed-off-by: Guenther Deschner <gd@samba.org> Reviewed-by: Andreas Schneider <asn@samba.org> Reviewed-by: Jeremy Allison <jra@samba.org> Reviewed-by: Gary Lockyer <gary@catalyst.net.nz> 
BUG: https://bugzilla.samba.org/show_bug.cgi?id=13360

CVE-2018-1139: Weak authentication protocol allowed.

Guenther

Signed-off-by: Guenther Deschner <gd@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
Reviewed-by: Jeremy Allison <jra@samba.org>
Reviewed-by: Gary Lockyer <gary@catalyst.net.nz>
param: Add new "disabled" value to "ntlm auth" to disable NTLM totally 2017-07-04T04:57:20+00:00 Andrew Bartlett abartlet@samba.org 2017-07-03T02:16:50+00:00 00db3aba6cf9ebaafdf39ee2f9c7ba5ec2281ea0 Signed-off-by: Andrew Bartlett <abartlet@samba.org> BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923 Reviewed-by: Garming Sam <garming@catalyst.net.nz> 
Signed-off-by: Andrew Bartlett <abartlet@samba.org>
BUG: https://bugzilla.samba.org/show_bug.cgi?id=11923
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
auth: Allow NTLMv1 if MSV1_0_ALLOW_MSVCHAPV2 is given and re-factor 'ntlm auth =' 2017-07-04T04:57:20+00:00 Andrew Bartlett abartlet@samba.org 2017-07-03T00:11:51+00:00 d139d77ae3dbc490525ac94f46276d790bc2d879 The ntlm auth parameter is expanded to more clearly describe the role of each option, and to allow the new mode that permits MSCHAPv2 (as declared by the client over the NETLOGON protocol) while still banning NTLMv1. BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252 Signed-off-by: Andrew Bartlett <abartlet@samba.org> Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>: Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth") added the --allow-mschapv2 option, but didn't implement checking for it server-side. This implements such checking. Additionally, Samba now disables NTLMv1 authentication by default for security reasons. To avoid having to re-enable it globally, 'ntlm auth' becomes an enum and a new setting is added to allow only MSCHAPv2. Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt> Reviewed-by: Garming Sam <garming@catalyst.net.nz> 
The ntlm auth parameter is expanded to more clearly describe the
role of each option, and to allow the new mode that permits MSCHAPv2
(as declared by the client over the NETLOGON protocol) while
still banning NTLMv1.

BUG: https://bugzilla.samba.org/show_bug.cgi?id=12252
Signed-off-by: Andrew Bartlett <abartlet@samba.org>

Based on a patch by Mantas Mikulėnas <mantas@utenos-kolegija.lt>:

Commit 0b500d413c5b ("Added MSV1_0_ALLOW_MSVCHAPV2 flag to ntlm_auth")
added the --allow-mschapv2 option, but didn't implement checking for it
server-side. This implements such checking.

Additionally, Samba now disables NTLMv1 authentication by default for
security reasons. To avoid having to re-enable it globally, 'ntlm auth'
becomes an enum and a new setting is added to allow only MSCHAPv2.

Signed-off-by: Mantas Mikulėnas <mantas@utenos-kolegija.lt>
Reviewed-by: Garming Sam <garming@catalyst.net.nz>
libcli: Use "all_zero" where appropriate 2017-01-03T15:04:28+00:00 Volker Lendecke vl@samba.org 2016-12-31T12:45:51+00:00 38884b2b2b08d54311d3b927900c5a9b071f8a5e ... Saves a few bytes of footprint Signed-off-by: Volker Lendecke <vl@samba.org> Reviewed-by: Ralph Boehme <slow@samba.org> 
... Saves a few bytes of footprint

Signed-off-by: Volker Lendecke <vl@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Typo: s/preceeded/preceded/ 2014-04-14T01:51:15+00:00 Jelmer Vernooij jelmer@samba.org 2014-03-30T02:01:06+00:00 e0cddcd5c44a22a36a156079f8546d3b8e7ee0c1 Caught by lintian, the Debian package linter :) Change-Id: Ia7162ea8c2b1845155345526b66d71ae64f15227 Reviewed-on: https://gerrit.samba.org/216 Reviewed-by: Andrew Bartlett <abartlet@samba.org> Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org> Autobuild-Date(master): Mon Apr 14 03:51:15 CEST 2014 on sn-devel-104 
Caught by lintian, the Debian package linter :)

Change-Id: Ia7162ea8c2b1845155345526b66d71ae64f15227
Reviewed-on: https://gerrit.samba.org/216
Reviewed-by: Andrew Bartlett <abartlet@samba.org>

Autobuild-User(master): Jelmer Vernooij <jelmer@samba.org>
Autobuild-Date(master): Mon Apr 14 03:51:15 CEST 2014 on sn-devel-104
Remove useless bool "upper_case_domain" parameter from ntv2_owf_gen(). 2012-08-24T19:39:41+00:00 Jeremy Allison jra@samba.org 2012-08-23T23:02:09+00:00 aca444cbfc495831ab0a265214ed48be74560bf2 The code in SMBNTLMv2encrypt_hash() should not be requesting case changes on the domain name. Autobuild-User(master): Jeremy Allison <jra@samba.org> Autobuild-Date(master): Fri Aug 24 21:39:42 CEST 2012 on sn-devel-104 
The code in SMBNTLMv2encrypt_hash() should not be requesting case
changes on the domain name.

Autobuild-User(master): Jeremy Allison <jra@samba.org>
Autobuild-Date(master): Fri Aug 24 21:39:42 CEST 2012 on sn-devel-104
Remove useless bool "upper_case_domain" parameter. 2012-08-24T17:57:11+00:00 Jeremy Allison jra@samba.org 2012-08-23T22:59:54+00:00 cbdf6c5c5135ce7d14ceff5d12b99428f4285e13 






Move uppercasing the domain out of smb_pwd_check_ntlmv2()
2012-08-24T17:57:01+00:00

Jeremy Allison
jra@samba.org

2012-08-23T22:46:16+00:00

43870fb2c83c0fc70fb84b48dffe8f93bacf43c9

Allows us to remove a silly bool parameter.

Based on work done by "Blohm, Guntram (I/FP-37, extern)" <extern.guntram.blohm@audi.de>.





Allows us to remove a silly bool parameter.

Based on work done by "Blohm, Guntram (I/FP-37, extern)" <extern.guntram.blohm@audi.de>.