[Samba] getting rid of lmhashes?

Mark Proehl M.Proehl at science-computing.de
Thu Mar 2 21:50:37 GMT 2006


On Thu, Mar 02, 2006 at 09:52:47PM +0100, Mark Proehl wrote:
> On Thu, Mar 02, 2006 at 02:35:50PM -0600, Gerald (Jerry) Carter wrote:
> > Mark Proehl wrote:
> > 
> > > I am aware that both hashes are equivalent to clear text passwords
> > > and must therefore be protected. But cracking passwords with tools
> > > like john is much faster if the lm hashes are available, so I think
> > > there should be an option to disable them.
> > 
> > If you use passwords >14 characters in length, I'm sure the
> > lanman hashes are not generated.  I would need to dig through
> > the code to remember how to prevent them from being generated
> > in other scenarios.  Maybe later.
> 
>   mark at myhost:~> smbpasswd
>   Old SMB password: [qwert123]
>   New SMB password: [qwertzuiop12345]
>   Retype new SMB password: [qwertzuiop12345]
>   Password changed for user mark
>   mark at myhost:~> ldapsearch -LLL  uid=mark sambaLMPassword sambaNTPassword
>   SASL/GSSAPI authentication started
>   SASL username: mark at EXAMPLE.COM
>   SASL SSF: 56
>   SASL installing layers
>   dn: uid=mark,ou=people,dc=example,dc=com
>   sambaNTPassword: 1A1B11A0FE8352FB618F1B59A7CA3D2B
>   
>   mark at myhost:~> 
>  
> cool! but forcing users to passwords > 14 chars is not that easy...
> 
> are you sure that there is no other way to disable lanman hashes?
> 
> Mark

I created a patch that introduces a new parameter "disable lanman hash"
(attached). 

Is pdb_set_lanman_passwd in passdb/pdb_get_set.c the only function
that has to be modified?

Please tell me what you think about this patch.

I did some testing and will do some more testing with this patch
tomorrow.

Mark
-------------- next part --------------
diff -Naur samba-3.0.21c.org/source/param/loadparm.c samba-3.0.21c/source/param/loadparm.c
--- samba-3.0.21c.org/source/param/loadparm.c	2006-02-20 21:33:21.000000000 +0100
+++ samba-3.0.21c/source/param/loadparm.c	2006-03-02 22:15:26.148858000 +0100
@@ -279,6 +279,7 @@
 	BOOL bKernelOplocks;
 	BOOL bAllowTrustedDomains;
 	BOOL bLanmanAuth;
+	BOOL bDisableLanmanHash;
 	BOOL bNTLMAuth;
 	BOOL bUseSpnego;
 	BOOL bClientLanManAuth;
@@ -868,6 +869,7 @@
 	{"unix password sync", P_BOOL, P_GLOBAL, &Globals.bUnixPasswdSync, NULL, NULL, FLAG_ADVANCED}, 
 	{"restrict anonymous", P_INTEGER, P_GLOBAL, &Globals.restrict_anonymous, NULL, NULL, FLAG_ADVANCED}, 
 	{"lanman auth", P_BOOL, P_GLOBAL, &Globals.bLanmanAuth, NULL, NULL, FLAG_ADVANCED}, 
+	{"disable lanman hash", P_BOOL, P_GLOBAL, &Globals.bDisableLanmanHash, NULL, NULL, FLAG_ADVANCED}, 
 	{"ntlm auth", P_BOOL, P_GLOBAL, &Globals.bNTLMAuth, NULL, NULL, FLAG_ADVANCED}, 
 	{"client NTLMv2 auth", P_BOOL, P_GLOBAL, &Globals.bClientNTLMv2Auth, NULL, NULL, FLAG_ADVANCED}, 
 	{"client lanman auth", P_BOOL, P_GLOBAL, &Globals.bClientLanManAuth, NULL, NULL, FLAG_ADVANCED}, 
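Review bot: the new "disable lanman hash" table entry arrives with no documentation anywhere in this patch, and its interaction with the "lanman auth" entry directly above it is not stated. With "lanman auth" left on and this option enabled, newly set passwords would have no LM hash to authenticate against, so the parameter description should say which setting wins and what clients will see. The negative-sense name also produces the double negative `!lp_disable_lanman_hash()` in pdb_get_set.c; if the name stays, a sentence in the documentation spelling out that "yes" means "do not store" would avoid confusion.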
@@ -1511,6 +1513,7 @@
 	Globals.bClientLanManAuth = True;	/* Do use the LanMan hash if it is available */
 	Globals.bClientPlaintextAuth = True;	/* Do use a plaintext password if is requested by the server */
 	Globals.bLanmanAuth = True;	/* Do use the LanMan hash if it is available */
+	Globals.bDisableLanmanHash = False;
 	Globals.bNTLMAuth = True;	/* Do use NTLMv1 if it is available (otherwise NTLMv2) */
 	Globals.bClientNTLMv2Auth = False; /* Client should not use NTLMv2, as we can't tell that the server supports it. */
 	/* Note, that we will use NTLM2 session security (which is different), if it is available */
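Review bot: `Globals.bDisableLanmanHash = False;` is the only default in this block without a trailing comment, and the value it sets means LM hashes keep being stored unless the administrator opts out. Suggest adding a comment in the style of the neighbouring lines, for example `/* Do store the LanMan hash unless told otherwise */`, so the opt-in nature of the protection is visible where the default is set.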
@@ -1852,6 +1855,7 @@
 FN_GLOBAL_BOOL(lp_allow_trusted_domains, &Globals.bAllowTrustedDomains)
 FN_GLOBAL_INTEGER(lp_restrict_anonymous, &Globals.restrict_anonymous)
 FN_GLOBAL_BOOL(lp_lanman_auth, &Globals.bLanmanAuth)
+FN_GLOBAL_BOOL(lp_disable_lanman_hash, &Globals.bDisableLanmanHash)
 FN_GLOBAL_BOOL(lp_ntlm_auth, &Globals.bNTLMAuth)
 FN_GLOBAL_BOOL(lp_client_plaintext_auth, &Globals.bClientPlaintextAuth)
 FN_GLOBAL_BOOL(lp_client_lanman_auth, &Globals.bClientLanManAuth)
diff -Naur samba-3.0.21c.org/source/passdb/pdb_get_set.c samba-3.0.21c/source/passdb/pdb_get_set.c
--- samba-3.0.21c.org/source/passdb/pdb_get_set.c	2005-10-18 04:45:02.000000000 +0200
+++ samba-3.0.21c/source/passdb/pdb_get_set.c	2006-03-02 22:32:50.466762336 +0100
@@ -977,7 +977,7 @@
 
 	data_blob_clear_free(&sampass->private_u.lm_pw);
 	
-       if (pwd) {
+       if (pwd && !lp_disable_lanman_hash()) {
                sampass->private_u.lm_pw = data_blob(pwd, LM_HASH_LEN);
        } else {
                sampass->private_u.lm_pw = data_blob(NULL, 0);
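Review bot: the `!lp_disable_lanman_hash()` test in the `if (pwd ...)` condition sits in the setter itself, so it applies to every caller of this function, not only to password changes. Please confirm that is intended for callers that fill the account structure from an existing backend record, since with the option on they will now get an empty `lm_pw` blob even when `pwd` is non-NULL. Nothing in this hunk removes hashes that are already stored, so the documentation should say that existing LM hashes remain until the entry is rewritten. A one-line comment above the condition explaining why a valid `pwd` can be discarded would help the next reader.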


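An added example (not part of the original thread or of Samba): a small Python audit that reads `ldapsearch -LLL` output like the session quoted above and reports which accounts still carry a `sambaLMPassword` value. The status labels and the alice and bob entries are constructed for illustration; only mark's entry mirrors the output quoted in the thread.

```python
import base64

# LM hash of the empty string: the attribute is present but holds no password material.
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"

def parse_ldif(text):
    """Yield one {attr: [values]} dict per entry; handles folded lines and '::' base64."""
    unfolded = []
    for raw in text.splitlines():
        if raw.startswith(" ") and unfolded:
            unfolded[-1] += raw[1:]            # continuation of the previous line
        else:
            unfolded.append(raw)
    entry = {}
    for line in unfolded + [""]:               # trailing "" flushes the last entry
        if not line.strip():
            if entry:
                yield entry
            entry = {}
        elif not line.startswith("#") and ":" in line:
            attr, _, value = line.partition(":")
            if value.startswith(":"):          # base64-encoded value
                value = base64.b64decode(value[1:].strip()).decode("utf-8", "replace")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())

def audit_lm_hashes(ldif_text):
    """Return [(dn, status)] for every entry carrying Samba password attributes."""
    report = []
    for e in parse_ldif(ldif_text):
        if "dn" not in e or not e.keys() & {"sambalmpassword", "sambantpassword"}:
            continue
        lm = e.get("sambalmpassword", [""])[0].upper()   # hex case varies by tool
        # NT_ONLY is the state shown in the thread's ldapsearch output.
        status = "NT_ONLY" if not lm else "LM_EMPTY" if lm == EMPTY_LM else "LM_STORED"
        report.append((e["dn"][0], status))
    return report

# Constructed sample input (alice's dn is folded to exercise line continuation).
SAMPLE = """\
dn: uid=mark,ou=people,dc=example,dc=com
sambaNTPassword: 1A1B11A0FE8352FB618F1B59A7CA3D2B

dn: uid=alice,ou=people,
 dc=example,dc=com
sambaLMPassword: 0123456789abcdef0123456789abcdef

dn: uid=bob,ou=people,dc=example,dc=com
sambaLMPassword: AAD3B435B51404EEAAD3B435B51404EE
"""
```

Calling `audit_lm_hashes()` on saved `ldapsearch` output returns one `(dn, status)` pair per account; entries reported as `LM_STORED` are the ones that still need a password change or attribute cleanup.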