[jcifs] authentication session concurrency
Michael B Allen
mba2000 at ioplex.com
Tue Oct 14 09:24:59 EST 2003
> There is (arguably) a replay hole in this design; since all authentications
> over the SMB connection use the same challenge, a man-in-the-middle could
> sniff the LM/NTLM responses and use them to his nefarious advantage.
One feature that might be worth considering later is if the
jcifs.smb.client.ssnLimit is reached, rather than closing sessions or in
addition to closing sessions, a new SmbTransport is created (and thus new
challenge) to replace the current transport for that target in the
transports table. The truly paranoid could set this limit to 1 in which
case every session gets its own transport. I'll keep it in mind when I
get around to cleaning up/rethinking NetBIOS and SmbTransport. This sort
of feature might have also assisted with Marco's "only authenticate from
the workstation they are registered to" problem (although I think NETLOGON
is still the "proper" solution for that one).
Mike
--
A program should be written to model the concepts of the task it
performs rather than the physical world or a process because this
maximizes the potential for it to be applied to tasks that are
conceptually similar and, more important, to tasks that have not
yet been conceived.
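The following is an added example, not part of the original message and not jcifs code: a small model of the idea above, where reaching the session limit replaces the transport for a target and so changes the challenge that responses are bound to. The class and function names are hypothetical, the secret and target are constructed sample values, and HMAC-SHA256 stands in for the real LM/NTLM response computation.

```python
import hashlib
import hmac
import os


def response(secret: bytes, challenge: bytes) -> bytes:
    # Stand-in (assumption) for the LM/NTLM response: deterministic in the
    # secret and the server challenge. HMAC-SHA256 replaces the real algorithm.
    return hmac.new(secret, challenge, hashlib.sha256).digest()


class Transport:
    """Model of one SMB connection: one challenge shared by all its sessions."""

    def __init__(self, target: str):
        self.target = target
        self.challenge = os.urandom(8)  # issued once per connection
        self.sessions = 0

    def verify(self, secret: bytes, resp: bytes) -> bool:
        # Server-side check: the response must match this connection's challenge.
        return hmac.compare_digest(response(secret, self.challenge), resp)


class TransportTable:
    """Hypothetical transports table keyed by target."""

    def __init__(self, ssn_limit: int):
        self.ssn_limit = ssn_limit  # models jcifs.smb.client.ssnLimit
        self.transports = {}

    def open_session(self, target: str, secret: bytes):
        t = self.transports.get(target)
        if t is None or t.sessions >= self.ssn_limit:
            # Limit reached: replace the transport, which yields a new challenge.
            t = self.transports[target] = Transport(target)
        t.sessions += 1
        return t, response(secret, t.challenge)


def demo(ssn_limit: int, n: int, target: str = "fileserver.example"):
    secret = b"constructed-password-hash"  # constructed sample value
    table = TransportTable(ssn_limit)
    opened = [table.open_session(target, secret) for _ in range(n)]
    first_resp = opened[0][1]
    # For each session, would the first session's response still verify there?
    return [t.verify(secret, first_resp) for t, _ in opened]


if __name__ == "__main__":
    print(demo(2, 4))  # [True, True, False, False]
    print(demo(1, 3))  # [True, False, False]
```

With a limit of 1, a response observed on one session is bound to a challenge that no later session uses, which is the property the per-session transport setting is meant to provide.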