Never send the LM response on cached credentials

Andrew Bartlett abartlet at
Sun Aug 20 02:02:17 GMT 2006

On Sat, 2006-08-19 at 14:50 -0700, Jeremy Allison wrote:
> On Sun, Aug 20, 2006 at 07:49:25AM +1000, Andrew Bartlett wrote:
> > 
> > We never need the LM hash.  Indeed, we could perfectly safely modify the
> > NTLMSSP code to never send the LM response.
> There are some places in the code where the lm hash is used.

My point is that in 2006, I do not think there are any situations where
a cached credential can be used, but an NT password is not available.

A cached credential implies that we are talking to a DC, and any DC
these days has an NT password, so sending the LM password only exposes
weaknesses in that hash.  This is also what Firefox *always* does (it
never sends an LM response from it's builtin NTLMSSP code).  

In protocol terms, we typically place the NT response in that position
in the session setup or NTLMSSP packets.

For a stronger solution, we could avoid various attacks on the user's
password by insisting that *either* NTLM2 is used, or NTLMv2 is used.
We could even make NTLMv2 the default:  it would make us much more
secure (and not be a loss in functionality, as we are adding additional
functionality at this point).

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.        
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list