Setting the session key in _net_sam_logon

Andrew Bartlett abartlet at pcug.org.au
Fri Oct 5 20:27:02 GMT 2001


Tim Potter wrote:
> 
> Andrew Bartlett writes:
> 
> > I was wondering if there is any reason not to set the session key in
> > _net_sam_logon?  (I refer to sess_key[16]).
> >
> > The AuthRewrite code calculates its value, but are there any strange
> > interactions I should be aware of if we start sending it on the wire?
> > (like somebody starting to use it, where we don't have the encryption
> > stuff done)?
> 
> Er, aren't there security implications of sending it over the
> wire?  I thought the session key was supposed to secure password
> information.
> 
> Tim.

It is encrypted with the domain member's session key (as far as I can
tell from the TNG codebase).

In any case we need this for things like MSCHAPv2 to work on a domain
member; a critical piece of the server validation is based on this
session key.  Also, any 'interactive' logon has already sent the MD4'ed
password across, protected only by the same domain member's key.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Samba Team member, Build Farm maintainer        abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
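[Editor's note, not part of the mailing-list message above.] The "server validation" Andrew refers to is the MS-CHAPv2 Authenticator Response (RFC 2759, sections 8.2 and 8.7). The server computes it from PasswordHashHash = MD4(MD4(password)), the peer and authenticator challenges, the user name and the client's NT-Response. That 16-byte PasswordHashHash is exactly the NT user session key a DC hands back in the SamLogon reply, which is why a domain member that never sees the user's password or NT hash still needs sess_key[16] on the wire to finish an MS-CHAPv2 exchange. The following is an added example written for this page (it is not Samba code, and it does not implement the NETLOGON encryption of the key); it reproduces the authenticator side of the computation and checks it against the published RFC 2759 test vector. The DES-based NT-Response is taken from the same vector rather than recomputed, since the point here is what the domain member can derive from the session key alone.

```python
import hashlib
import hmac

# Signing constants from RFC 2759 section 8.7 (GenerateAuthenticatorResponse).
MAGIC1 = b"Magic server to client signing constant"
MAGIC2 = b"Pad to make it do more than one iteration"


def challenge_hash(peer_challenge: bytes, authenticator_challenge: bytes,
                   username: str) -> bytes:
    """ChallengeHash() from RFC 2759 section 8.2: SHA-1 truncated to 8 bytes.

    username is the bare user name (no domain prefix), per the RFC.
    """
    h = hashlib.sha1()
    h.update(peer_challenge)
    h.update(authenticator_challenge)
    h.update(username.encode("ascii"))
    return h.digest()[:8]


def authenticator_response(password_hash_hash: bytes, nt_response: bytes,
                           peer_challenge: bytes, authenticator_challenge: bytes,
                           username: str) -> str:
    """GenerateAuthenticatorResponse() from RFC 2759 section 8.7.

    password_hash_hash is MD4(MD4(password)), i.e. the 16-byte NT user
    session key returned by the DC.  Nothing here needs the password or
    the NT hash itself, which is what lets a domain member (a RADIUS/PPP
    server, say) complete the exchange using only the SamLogon reply.
    """
    if len(password_hash_hash) != 16 or len(nt_response) != 24:
        raise ValueError("PasswordHashHash must be 16 bytes, NT-Response 24")
    if len(peer_challenge) != 16 or len(authenticator_challenge) != 16:
        raise ValueError("both challenges must be 16 bytes")
    inner = hashlib.sha1(password_hash_hash + nt_response + MAGIC1).digest()
    ch = challenge_hash(peer_challenge, authenticator_challenge, username)
    outer = hashlib.sha1(inner + ch + MAGIC2).digest()
    return "S=" + outer.hex().upper()


def client_verifies_server(expected: str, received: str) -> bool:
    """Client-side check of the Success packet; constant-time compare."""
    return hmac.compare_digest(expected.encode("ascii"), received.encode("ascii"))


# Test vector from RFC 2759 section 9.2 (user "User", password "clientPass").
RFC_USERNAME = "User"
RFC_AUTHENTICATOR_CHALLENGE = bytes.fromhex("5B5D7C7D7B3F2F3E3C2C602132262628")
RFC_PEER_CHALLENGE = bytes.fromhex("214023242526262A28295F2B3A337C7E".replace("2626", "25^".encode().hex(), 1)) if False else bytes.fromhex("214023242525E262A28295F2B3A337C7E"[:0] or "2140232425" + "5E262A28295F2B3A337C7E")
RFC_CHALLENGE = bytes.fromhex("D02E4386BCE91226")           # 8-byte ChallengeHash
RFC_NT_RESPONSE = bytes.fromhex(
    "82309ECD8D708B5EA08FAA3981CD835442331 14A3D85D6DF".replace(" ", ""))
RFC_PASSWORD_HASH_HASH = bytes.fromhex("41C00C584BD2D91C4017A2A12FA59F3F")  # = NT user session key
RFC_AUTHENTICATOR_RESPONSE = "S=407A5589115FD0D6209F510FE9C04566932CDA56"


def rfc2759_vector_check() -> dict:
    """Run the computation against the RFC vector; returns what was derived."""
    ch = challenge_hash(RFC_PEER_CHALLENGE, RFC_AUTHENTICATOR_CHALLENGE, RFC_USERNAME)
    resp = authenticator_response(RFC_PASSWORD_HASH_HASH, RFC_NT_RESPONSE,
                                  RFC_PEER_CHALLENGE, RFC_AUTHENTICATOR_CHALLENGE,
                                  RFC_USERNAME)
    # A wrong session key (one bit flipped) must yield a response the client rejects.
    bad_key = bytes([RFC_PASSWORD_HASH_HASH[0] ^ 0x01]) + RFC_PASSWORD_HASH_HASH[1:]
    bad_resp = authenticator_response(bad_key, RFC_NT_RESPONSE, RFC_PEER_CHALLENGE,
                                      RFC_AUTHENTICATOR_CHALLENGE, RFC_USERNAME)
    return {
        "challenge_hash": ch,
        "response": resp,
        "client_accepts": client_verifies_server(RFC_AUTHENTICATOR_RESPONSE, resp),
        "client_accepts_bad_key": client_verifies_server(RFC_AUTHENTICATOR_RESPONSE, bad_resp),
    }


if __name__ == "__main__":
    for k, v in rfc2759_vector_check().items():
        print(k, v.hex() if isinstance(v, bytes) else v)
```

The negative case is the practical consequence of the thread: if the DC withholds or zeroes sess_key, the domain member cannot produce a response the client will accept, and MS-CHAPv2 logons through it fail even though the NT-Response itself validated fine on the DC.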