Never send the LM response on cached credentials

Andrew Bartlett abartlet at samba.org
Tue Aug 29 01:48:32 GMT 2006 

On Sun, 2006-08-20 at 12:02 +1000, Andrew Bartlett wrote:
> On Sat, 2006-08-19 at 14:50 -0700, Jeremy Allison wrote:
> > On Sun, Aug 20, 2006 at 07:49:25AM +1000, Andrew Bartlett wrote:
> > > 
> > > We never need the LM hash.  Indeed, we could perfectly safely modify the
> > > NTLMSSP code to never send the LM response.
> > 
> > There are some places in the code where the lm hash is used.
> 
> My point is that in 2006, I do not think there are any situations where
> a cached credential can be used, but an NT password is not available.
> 
> A cached credential implies that we are talking to a DC, and any DC
> these days has an NT password, so sending the LM password only exposes
> weaknesses in that hash.  This is also what Firefox *always* does (it
> never sends an LM response from it's builtin NTLMSSP code).  
> 
> In protocol terms, we typically place the NT response in that position
> in the session setup or NTLMSSP packets.
> 
> For a stronger solution, we could avoid various attacks on the user's
> password by insisting that *either* NTLM2 is used, or NTLMv2 is used.
> We could even make NTLMv2 the default:  it would make us much more
> secure (and not be a loss in functionality, as we are adding additional
> functionality at this point).

Have we progressed anywhere on this?  I'm concerned that if we allow
userspace applications to request a user's LM response, then it becomes
very easy to crack a user's logon password.

Likewise if we allow a userspace application to ask for an NT response,
without NTLM2 or NTLMv2 negotiated.  

Both of these attacks can occur locally, or by a malicous server
remotely.   By requiring NTLM2 or NTLMv2 we at put a locally controlled
random factor into the equation, preventing simple lookup-based attacks.

(I think we should never send the LM or plain NTLM response over the
network, but that's a battle for another day).

This becomes particularly easy to enforce if a design such as the one
used in the Samba4 credentials code is taken on board.  (I created a
callback function to abstract this, specifically to create a single
choke point for these 'security level' questions).

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.                  http://redhat.com
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20060829/88a380c0/attachment.bin

More information about the samba-technical mailing list