Never send the LM response on cached credentials

Andrew Bartlett abartlet at
Tue Aug 29 02:49:02 GMT 2006

On Mon, 2006-08-28 at 19:42 -0700, Jeremy Allison wrote:
> On Tue, Aug 29, 2006 at 11:48:32AM +1000, Andrew Bartlett wrote:
> > 
> > Have we progressed anywhere on this?  I'm concerned that if we allow
> > userspace applications to request a user's LM response, then it becomes
> > very easy to crack a user's logon password.
> > 
> > Likewise if we allow a userspace application to ask for an NT response,
> > without NTLM2 or NTLMv2 negotiated.  
> Ok, we can restrict this in the winbindd side, as that is
> what is creating the ntlmssp blob. If "no LM" is set in the
> smb.conf, then winbindd won't return the easy to crack creds.
> If it doesn't work that way, it's an easy fix to add, as
> everything is centralized in winbindd for the "single sign on"
> "cached credentials" code.
> Does that make sense ?

What I would like to do is have a higher standard for the cached
credentials (as they are being sent without prompting).  

I think it's poor that we send the plaintext or LM password (after
prompting the user), but we can't change that without breaking backward

However, for this new code and functionality, and given that we are
adding a new feature that operates automatically, without user
interaction, I would like a higher, more secure standard.

Andrew Bartlett

Andrew Bartlett                      
Authentication Developer, Samba Team 
Samba Developer, Red Hat Inc.        
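The policy argued for in this message, as an added sketch that is not part of the original post and is not Samba or winbindd code: a gate that decides which responses may be built, with a stricter rule when the credentials are cached and used without prompting. All type and function names are hypothetical, and the prompted branch (LM still allowed when configured) is an assumption drawn from the message's remark about backward compatibility; only the flag value is the real NTLMSSP NTLM2 session security bit.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* NTLMSSP negotiate flag for NTLM2 (extended) session security. */
#define NTLMSSP_NEGOTIATE_NTLM2 0x00080000u

/* Hypothetical: where the password material came from. */
enum cred_source { CRED_PROMPTED, CRED_CACHED };

/* Hypothetical view of the relevant client settings. */
struct client_cfg {
    bool lanman_auth;  /* administrator permits classic LM responses */
    bool ntlmv2_auth;  /* client answers with NTLMv2 */
};

struct response_policy {
    bool send_lm;      /* classic LM response may be generated */
    bool send_nt;      /* NT-based response may be generated */
};

struct response_policy decide_responses(enum cred_source src,
                                        const struct client_cfg *cfg,
                                        uint32_t neg_flags)
{
    struct response_policy p = { false, false };
    bool ntlm2 = (neg_flags & NTLMSSP_NEGOTIATE_NTLM2) != 0;
    bool strong = cfg->ntlmv2_auth || ntlm2;

    if (src == CRED_CACHED) {
        /* No user interaction: never LM, and NT only with NTLM2/NTLMv2,
         * regardless of what the configuration would otherwise allow. */
        p.send_nt = strong;
        return p;
    }
    /* Prompted logon: keep the legacy, configuration-driven behaviour. */
    p.send_nt = true;
    p.send_lm = cfg->lanman_auth && !strong;
    return p;
}

int main(void)
{
    struct client_cfg legacy = { true, false };
    struct response_policy p = decide_responses(CRED_CACHED, &legacy, 0);
    printf("cached, nothing negotiated: lm=%d nt=%d\n", p.send_lm, p.send_nt);
    p = decide_responses(CRED_CACHED, &legacy, NTLMSSP_NEGOTIATE_NTLM2);
    printf("cached, NTLM2 negotiated:   lm=%d nt=%d\n", p.send_lm, p.send_nt);
    return 0;
}
```

A caller that gets both fields back as false for cached credentials should fail the automatic logon and fall back to prompting rather than downgrade.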
More information about the samba-technical mailing list