Setting the session key in _net_sam_logon
Andrew Bartlett
abartlet at pcug.org.au
Fri Oct 5 20:27:02 GMT 2001
Tim Potter wrote:
>
> Andrew Bartlett writes:
>
> > I was wondering if there is any reason not to set the session key in
> > _net_sam_logon? (I refer to sess_key[16]).
> >
> > The AuthRewrite code calculates its value, but are there any strange
> > interactions I should be aware of if we start sending it on the wire?
> > (like somebody starting to use it, where we don't have the encryption
> > stuff done)?
>
> Er, aren't there security implications of sending it over the
> wire? I thought the session key was supposed to secure password
> information.
>
> Tim.
It is encrypted with the domain member's session key (as far as I can
tell from the TNG codebase).

In any case we need this for things like MSCHAPv2 to work on a domain
member; a critical piece of the server validation is based on this
session key. Also, any 'interactive' logon has already sent the md4'ed
password across, protected only by the same domain member's key.

Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Samba Team member, Build Farm maintainer abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net