[linux-cifs-client] Re: CaseInsensitivePassword
Rudi Chiarito
nutello at sweetness.com
Tue Nov 30 23:54:04 GMT 2004
On Mon, Nov 29, 2004 at 06:38:33PM -0600, Steven French wrote:
> So a theory is that your server's authentication configuration requires
> weak lanman passwords to be enabled. cifs vfs does not send the weak
> lanman passwords, smbfs and most windows client do send it by default does
> so it works. My reaction is that the security problems of lanman hash
I researched this some more and found something interesting. The smbfs
module does send both passwords, but they are identical - 24 byte long
binary strings. The result is that smbd sends a request with an user and
a password. The cifs module sends just one password, and it results in
smbd sending a request with the right user, but *NO PASSWORD*.
I haven't tried stepping through smbd at runtime, but I looked at
network traces and the smbd sources. The flow I have reconstructed is
this, with cifs:
1) I get this error
[2004/11/30 16:56:19, 1] auth/auth_server.c:check_smbserver_security(363)
password server SERVER rejected the password
That's almost at the end of check_smbserver_security, in the code path
where plaintext is NOT available.
2) Looking at cli_session_setup() in libsmb/cliconnect.c, execution must
proceed until the very end of the function, because:
a) the protocol is 8
b) the user has been supplied
c) server security is user level
d) server supports challenge/response
e) extended security is not supported
So, cli_session_setup_nt1 must be where things happen.
3) passlen should equal zero, because cifs only passes the NT password
(right?), so... smbd does "nothing - guest login", which is wrong.
Looking at the function's docs, it says:
@param pass *either* cleartext password (passlen !=24) or LM
response.
@param ntpass NT response, implies ntpasslen >=24, implies pass is
not clear
I am not sure if the above implies that when ntpass is not null, pass is
not null either.
I guess that's what is happening. I know now where things are going
wrong, but I am not sure if this should be fixed in cifs (by sending the
NTLM response in the LM response field like smbfs does - why does smbfs
do that?) or if smbd's cli_session_setup_nt1() should look also at
ntpasslen before deciding this is a guest login.
Comments?
--
Rudi
More information about the linux-cifs-client
mailing list