Force NTLMv2 only on our server? (was: Re: krb5 vulnerability ?)
Andreas Schneider
asn at samba.org
Tue Dec 15 07:26:50 UTC 2015
On Monday 14 December 2015 20:53:23 Jeremy Allison wrote:
> On Tue, Dec 15, 2015 at 03:38:19PM +1300, Andrew Bartlett wrote:
> > On Mon, 2015-12-14 at 17:34 -0800, Jeremy Allison wrote:
> > > On Mon, Dec 14, 2015 at 05:17:59PM -0800, Jeremy Allison wrote:
> > > > Interesting post here:
> > > >
> > > > http://dfir-blog.com/2015/12/13/protecting-windows-networks-kerbero
> > > > s-attacks/
> > > >
> > > > Still reading it myself to try and understand
> > > > if it's a real issue of not, but thought the
> > > > list would be interested.
> > >
> > > Hmmm. Doesn't look real as far as I can see
> > > (the article is full of hyperbole).
> > >
> > > It's got lots of phrases like:
> > >
> > > "So, if we have an access to the key.."
> > >
> > > "if we’re able to steal those tickets and somehow
> > > insert them into our own system"
> > >
> > > "It’s just an account in domain controller
> > > database, so your obviously need access to DC or it’s data."
> > >
> > > So looks like a "if we can break the security
> > > then we've broken the security" article :-).
> > >
> > > Move along, nothing to see here, sorry for
> > > the noise.
> >
> > More of a worry is that per one of the talks at KiwiCon, cracking an
> > NTLM (not NTLMv2) response is down to $100 and 8 hours on a cloud
> > computing provider. That gives you the NT hash, which you can of
> > course use to get a krb5 ticket, or just do NTLM logins.
> >
> > I think we should disable NTLM (when not NTLMv2) for 4.4 by default,
> > possibly with an optional exception for MSCHAPv2.
>
> +1 from me. NTLM has gone the way of DES now....
You are aware that Samba with Heimdal Kerberos does RC4 by default?
We fixed serveral bugs (e.g. wrong saltPrincipal) in the Samba source code
because MIT Kerberos uses AES and Samba was not able to deal with it. It still
fails to do so without patches from my MIT Kerberos work in progress tree ...
-- andreas
--
Andreas Schneider GPG-ID: CC014E3D
Samba Team asn at samba.org
www.samba.org
More information about the samba-technical
mailing list