Never send the LM response on cached credentials
jra at samba.org
Tue Aug 29 02:42:01 GMT 2006
On Tue, Aug 29, 2006 at 11:48:32AM +1000, Andrew Bartlett wrote:
> Have we progressed anywhere on this? I'm concerned that if we allow
> userspace applications to request a user's LM response, then it becomes
> very easy to crack a user's logon password.
> Likewise if we allow a userspace application to ask for an NT response,
> without NTLM2 or NTLMv2 negotiated.
Ok, we can restrict this in the winbindd side, as that is
what is creating the ntlmssp blob. If "no LM" is set in the
smb.conf, then winbindd won't return the easy to crack creds.
If it doesn't work that way, it's an easy fix to add, as
everything is centralized in winbindd for the "single sign on"
"cached credentials" code.
Does that make sense ?
More information about the samba-technical