[Samba] samba 4.4.2 freeradius authentication with ntlm_auth
Andrew Bartlett
abartlet at samba.org
Fri Apr 15 22:11:25 UTC 2016
On Fri, 2016-04-15 at 17:48 -0400, Louis Munro wrote:
> > On Apr 15, 2016, at 15:06, Andrew Bartlett <abartlet at samba.org> wrote:
> >
> >
> > Yes, this really, really sucks. MSCHAPv2 is NTLM, not NTLMv2 based.
> > This is despite NTLMv2 being around when they 'designed' this
> > mechanism. Sadly no attempt has been made to somehow get an MSCHAPv3
> > in that uses NTLMv2.
> >
> > On Windows, setting a special flag allows this horribly insecure
> > mechanism to work on networks that otherwise only allow NTLMv2. Samba
> > does not honour that flag, but I guess I'm going to need to add a
> > 'ntlm_auth = only_for_mschapv2' setting.
> >
> > In short, MSCHAPv2 protects the network perimeter, yet has worse
> > security than you would dare to use even on a well-trusted network.
> >
> > I realise it is often over TLS, but as with another of our CVEs, we
> > know few clients check certificates, so this isn't any help.
> >
> > I've been in presentations where they said they could crack it in 24
> > hours and $100 of cloud-compute time!
> >
> > I don't know of a good solution here.
> >
> >
>
> Hi Andrew,
>
> Just to make sure I understand this thoroughly and that there is no
> ambiguity:
>
> I knew that MSCHAPv2 is easily broken these days.
> I also realize that in the case of FreeRADIUS the MSCHAPv2
> authentication terminates at the radius server, inside a TLS tunnel.
Yes. The presentations I attended at kiwicon last year cast doubt on
the security of that from an active attacker (trivial for Wifi), but
yes, for passive monitoring it should be OK.
> The question for me then is how secure is the ntlmv1 going from
> FreeRADIUS (via winbind) to the Active Directory server?
> I am a bit afraid of the answer to be honest.
That is well protected in a modern winbindd. We require schannel to
encrypt this communication over the NETLOGON pipe.
> Should we start investing in IPsec for that part of the
> authentication?
There is no need for that specific element.
I hope this clarifies things,
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Samba Developer, Catalyst IT http://catalyst.net.nz/services/samba
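Why "MSCHAPv2 is NTLM, not NTLMv2 based" matters in practice, as an added example that is not part of this thread and is not Samba's ntlm_auth or winbindd code: the MS-CHAPv2 NT-Response defined in RFC 2759 is the NTLMv1 computation. The NT hash is MD4 over the UTF-16LE password; it is zero-padded from 16 to 21 bytes and each 7-byte slice becomes a DES key over the same 8-byte challenge hash. The third slice holds only two bytes of the hash plus five zero bytes, so 65536 trial encryptions recover those two bytes from a captured response, and the other two slices are ordinary 56-bit DES keys over known plaintext. The Go below reproduces the computation with the RFC 2759 test vector (user "User", password "clientPass") and recovers the hash tail; the minimal MD4 is included only because the Go standard library ships none. This challenge/response pair is what FreeRADIUS hands to ntlm_auth for checking, which is the data the thread is discussing.

```go
package main

import (
	"bytes"
	"crypto/des"
	"crypto/sha1"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"math/bits"
	"unicode/utf16"
)

// md4 is a minimal RFC 1320 MD4, included only because the Go standard library has none.
func md4(data []byte) []byte {
	a, b, c, d := uint32(0x67452301), uint32(0xefcdab89), uint32(0x98badcfe), uint32(0x10325476)
	// Pad: 0x80, zeros up to 56 mod 64, then the bit length as a little-endian uint64.
	msg := append(append(append([]byte{}, data...), 0x80), make([]byte, (55-len(data)%64+64)%64+8)...)
	binary.LittleEndian.PutUint64(msg[len(msg)-8:], uint64(len(data))*8)
	rot := func(x uint32, s uint) uint32 { return x<<s | x>>(32-s) }
	r2 := []int{0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15} // round 2 word order
	r3 := []int{0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15} // round 3 word order
	for off := 0; off < len(msg); off += 64 {
		var x [16]uint32
		for i := range x { x[i] = binary.LittleEndian.Uint32(msg[off+4*i:]) }
		aa, bb, cc, dd := a, b, c, d
		// Rounds 1-3 use F (select), G (majority) and H (xor) with their shift tables.
		for i := 0; i < 16; i++ { a, b, c, d = d, rot(a+(b&c | ^b&d)+x[i], []uint{3, 7, 11, 19}[i%4]), b, c }
		for i := 0; i < 16; i++ { a, b, c, d = d, rot(a+(b&c | b&d | c&d)+x[r2[i]]+0x5a827999, []uint{3, 5, 9, 13}[i%4]), b, c }
		for i := 0; i < 16; i++ { a, b, c, d = d, rot(a+(b^c^d)+x[r3[i]]+0x6ed9eba1, []uint{3, 9, 11, 15}[i%4]), b, c }
		a, b, c, d = a+aa, b+bb, c+cc, d+dd
	}
	var out [16]byte
	for i, v := range []uint32{a, b, c, d} { binary.LittleEndian.PutUint32(out[4*i:], v) }
	return out[:]
}

// NtPasswordHash is MD4 over the UTF-16LE password: the NT hash that NTLM and MS-CHAP share.
func NtPasswordHash(password string) []byte {
	u := utf16.Encode([]rune(password))
	buf := make([]byte, 2*len(u))
	for i, c := range u {
		binary.LittleEndian.PutUint16(buf[2*i:], c)
	}
	return md4(buf)
}

// ChallengeHash folds peer challenge, authenticator challenge and user name into the 8-byte DES plaintext.
func ChallengeHash(peerChallenge, authChallenge []byte, userName string) []byte {
	sum := sha1.Sum(append(append(append([]byte{}, peerChallenge...), authChallenge...), userName...))
	return sum[:8]
}

// desEncrypt encrypts one block under a 7-byte key spread over 8 bytes with odd parity, as NTLM does.
func desEncrypt(key7, block []byte) []byte {
	key := make([]byte, 8)
	for i := uint(0); i < 8; i++ {
		var b byte
		if i > 0 { b = key7[i-1] << (8 - i) }
		if i < 7 { b |= key7[i] >> i }
		key[i] = b&^1 | byte(1-bits.OnesCount8(b&^1)%2) // low bit carries odd parity
	}
	c, _ := des.NewCipher(key) // key is always 8 bytes, so NewCipher cannot fail
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out
}

// ChallengeResponse is the NTLMv1 / MS-CHAPv2 NT-Response: NT hash zero-padded to 21 bytes, three DES keys.
func ChallengeResponse(challenge, ntHash []byte) []byte {
	zhash := make([]byte, 21)
	copy(zhash, ntHash)
	var resp []byte
	for i := 0; i < 21; i += 7 {
		resp = append(resp, desEncrypt(zhash[i:i+7], challenge)...)
	}
	return resp
}

// RecoverHashTail shows the weakness: the third key is hash[14:16] plus five zero bytes,
// so 2^16 trial encryptions recover two bytes of the NT hash from a captured response.
func RecoverHashTail(challenge, ntResponse []byte) ([]byte, bool) {
	key := make([]byte, 7)
	for k := 0; k < 1<<16; k++ {
		key[0], key[1] = byte(k>>8), byte(k)
		if bytes.Equal(desEncrypt(key, challenge), ntResponse[16:24]) {
			return []byte{key[0], key[1]}, true
		}
	}
	return nil, false
}

func main() {
	// RFC 2759 test vector: user "User", password "clientPass".
	auth, _ := hex.DecodeString("5b5d7c7d7b3f2f3e3c2c602132262628")
	peer, _ := hex.DecodeString("21402324255e262a28295f2b3a337c7e")
	challenge := ChallengeHash(peer, auth, "User")
	ntHash := NtPasswordHash("clientPass")
	resp := ChallengeResponse(challenge, ntHash)
	tail, _ := RecoverHashTail(challenge, resp)
	fmt.Printf("NT hash %x\nchallenge %x\nNT-Response %x\nhash[14:16] from 2^16 DES trials: %x\n", ntHash, challenge, resp, tail)
}
```

Run it with `go run`; the NT hash, challenge and NT-Response match the values printed in RFC 2759, and the last line is the two hash bytes an attacker recovers from the response alone. Nothing in the TLS tunnel changes this arithmetic; what the tunnel buys is that a passive observer does not see the exchange, which is the point the reply above makes.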