SASL NTLM, CRAM-MD5 broken authentication
| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| autofs (Ubuntu) | Fix Released | Low | Andreas Hasenack | |
| Jammy | Fix Released | Low | Andreas Hasenack | |
| Kinetic | Won't Fix | Low | Andreas Hasenack | |
| Lunar | Fix Released | Low | Andreas Hasenack | |
| Mantic | Fix Released | Low | Andreas Hasenack | |
Bug Description
[ Impact ]
While working on https:/
If the server allows anonymous searches, then it might seem it's working, because the authentication failure is ignored by autofs and it just goes on as anonymous.
[ Test Plan ]
The DEP8 test has tests for NTLM and CRAM-MD5, using a properly configured openldap server, so that if the authentication fails but autofs continues as anonymous, openldap will deny access.
[ Where problems could occur ]
This is the same fix as upstream did to enable SCRAM-* authentication, and was forwarded[1] to upstream, but no reply yet. So in terms of code, I don't expect regressions.
In terms of behavior, what will change now is that CRAM-MD5 and NTLM authentication will work, as long as the credentials are correct.
Some scenarios I can think of:
- credentials were always correct, but due to the bug, the authentication always failed. After the update, the authentication will succeed, and different ACLs might apply to the connection on the server side.
- credentials were always INCORRECT, but due to the bug, coupled with ACLs on the server that allowed anonymous searches, the user was unaware of this fact. After the update, the authentication will still fail, and searches will keep working, but now the failure is an incorrect password and the server might record this differently.
[racb SRU opinion] These scenarios seem important to document and consider, but on balance I think it's reasonable in this case to fix behaviour that exists directly because of a bug than to avoid fixing the bug.
[ Other Info ]
Not at this time.
[ Original Description ]
While working on https:/
I pinged upstream[1] and came up with this trivial patch, basically the same fix that was done for SCRAM support in #1987992:
--- a/modules/
+++ b/modules/
@@ -1208,6 +1208,8 @@
if (!strncmp(authtype, "PLAIN", strlen("PLAIN")) ||
+ !strncmp(authtype, "NTLM", strlen("NTLM")) ||
+ !strncmp(authtype, "CRAM-MD5", strlen("CRAM-MD5")) ||
return 1;
#endif
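Review bot: the two added `strncmp(authtype, ..., strlen(...))` lines are prefix matches, exactly like the existing `PLAIN` line, so any mechanism name beginning with `NTLM` or `CRAM-MD5` will be treated as needing credentials; that is acceptable for these fixed mechanism names, but a one-line comment above the `if` stating that every mechanism in this list must have `user`/`secret` set before `return 1` would make the intent clear to whoever adds the next entry (as SCRAM was added in #1987992). The hunk as quoted also stops after the second `+` line, leaving a trailing `||` directly before `return 1;`, so the remaining conditions and the closing parenthesis of the expression are not visible; include the full context lines when forwarding upstream so the reviewer can confirm the expression still closes correctly.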
There is a question about whether this should even be fixed, given that NTLM and CRAM-MD5 are nowadays deprecated. This patch is not yet applied in mantic (current ubuntu devel release). But it might be worth it in an SRU.
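The following is an added example, not autofs code: a small Python model of the behaviour described in the [ Impact ] and [ Test Plan ] sections and in the patch above. It simulates the credential-requirement check before and after the fix (the "buggy" mechanism list assumes the state after the SCRAM fix from #1987992, i.e. PLAIN and SCRAM-* only) and autofs's habit of ignoring a failed bind and carrying on anonymously, against a toy LDAP server whose ACL either allows or denies anonymous searches. The server, the user name `automount` and its secret are constructed for the example. It shows why the DEP8 test needs a server that denies anonymous access: with a permissive ACL the lookup succeeds either way and the broken authentication is invisible.

```python
"""Model of the autofs SASL credential check before and after the fix.

Added illustration, not code from autofs. Every class and value here is
constructed for the example.
"""

# Mechanisms for which autofs must send user/secret. The "buggy" tuple
# assumes the pre-patch check (PLAIN plus SCRAM-* from #1987992); the
# fixed tuple adds NTLM and CRAM-MD5 as the hunk in the bug report does.
BUGGY_CRED_MECHS = ("PLAIN", "SCRAM-")
FIXED_CRED_MECHS = ("PLAIN", "SCRAM-", "NTLM", "CRAM-MD5")

# Mechanisms the toy server accepts at all; SCRAM-* is matched by prefix.
SERVER_MECHS = ("PLAIN", "NTLM", "CRAM-MD5")


def requires_credentials(authtype: str, cred_mechs) -> bool:
    """Prefix match, mirroring the strncmp() test in the autofs hunk."""
    return any(authtype.startswith(m) for m in cred_mechs)


class ToyLdapServer:
    """Constructed stand-in for the openldap server in the test plan."""

    def __init__(self, users: dict, anonymous_search_allowed: bool):
        self.users = users  # user -> secret (constructed sample data)
        self.anonymous_search_allowed = anonymous_search_allowed

    def sasl_bind(self, mech, user, secret):
        """Return the bound identity, or None when the bind is rejected."""
        if mech not in SERVER_MECHS and not mech.startswith("SCRAM-"):
            return None
        if user is None or secret is None:
            return None  # none of these mechanisms can complete without a secret
        if self.users.get(user) != secret:
            return None  # wrong password
        return user

    def search(self, bound_as):
        """Apply the ACL: anonymous searches may be denied."""
        if bound_as is None and not self.anonymous_search_allowed:
            raise PermissionError("anonymous search denied by ACL")
        return {"mount": "/export/home"}


def autofs_lookup(server, authtype, user, secret, cred_mechs):
    """Mimic autofs: bind, ignore a bind failure, fall back to anonymous.

    Returns a dict with 'ok' (whether the map lookup succeeded) and
    'bound_as' (the identity the search ran under, None = anonymous).
    """
    if requires_credentials(authtype, cred_mechs):
        bound_as = server.sasl_bind(authtype, user, secret)
    else:
        # The bug: credentials are never attached, so the bind fails.
        bound_as = server.sasl_bind(authtype, None, None)
    # autofs logs the failed bind but continues with the connection as is,
    # which is the "masked failure" the bug report describes.
    try:
        result = server.search(bound_as)
    except PermissionError:
        return {"ok": False, "bound_as": bound_as}
    return {"ok": True, "bound_as": bound_as, "result": result}


def scenario_matrix(users, user, secret):
    """Run NTLM/CRAM-MD5 lookups through both checks against both ACLs."""
    out = {}
    for acl in (True, False):
        server = ToyLdapServer(users, anonymous_search_allowed=acl)
        for label, mechs in (("buggy", BUGGY_CRED_MECHS), ("fixed", FIXED_CRED_MECHS)):
            for mech in ("NTLM", "CRAM-MD5"):
                r = autofs_lookup(server, mech, user, secret, mechs)
                out[(acl, label, mech)] = (r["ok"], r["bound_as"])
    return out


if __name__ == "__main__":
    for key, value in scenario_matrix({"automount": "s3cret"}, "automount", "s3cret").items():
        anon_allowed, label, mech = key
        print(f"anonymous search allowed={anon_allowed!s:5} check={label} mech={mech:8} -> ok={value[0]} bound_as={value[1]}")
```

Running the matrix shows the two cases that matter for the SRU: with anonymous searches allowed, the buggy check still reports a successful lookup (bound as nobody), so the bug is invisible; with anonymous searches denied, the buggy check fails and the fixed check succeeds as `automount`, which is exactly the condition the DEP8 test relies on.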
Related branches
Merge proposal reviews:
- git-ubuntu bot: Approve
- Sergio Durigan Junior (community): Approve
- Canonical Server Reporter: Pending requested
Diff: 644 lines (+565/-2), 7 files modified:
- debian/changelog (+156/-0)
- debian/control (+2/-1)
- debian/patches/ntlm-crammd5-require-credentials.patch (+16/-0)
- debian/patches/series (+1/-0)
- debian/tests/control (+4/-0)
- debian/tests/ldap-map-sasl-auth (+385/-0)
- debian/tests/smb-mount (+1/-1)

Merge proposal reviews:
- git-ubuntu bot: Approve
- Athos Ribeiro (community): Approve
- Canonical Server Core Reviewers: Pending requested
- Canonical Server Reporter: Pending requested
Diff: 96 lines (+33/-4), 6 files modified:
- debian/changelog (+12/-0)
- debian/patches/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch (+1/-1)
- debian/patches/ntlm-crammd5-require-credentials.patch (+16/-0)
- debian/patches/series (+1/-0)
- debian/tests/control (+1/-1)
- debian/tests/ldap-map-sasl-auth (+2/-2)

Merge proposal reviews:
- Athos Ribeiro (community): Needs Information
- Canonical Server Core Reviewers: Pending requested
- Canonical Server Reporter: Pending requested
Diff: 529 lines (+487/-0), 6 files modified:
- debian/changelog (+14/-0)
- debian/patches/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch (+84/-0)
- debian/patches/ntlm-crammd5-require-credentials.patch (+16/-0)
- debian/patches/series (+2/-0)
- debian/tests/control (+4/-0)
- debian/tests/ldap-map-sasl-auth (+367/-0)

Merge proposal reviews:
- Canonical Server Core Reviewers: Pending requested
- Canonical Server Reporter: Pending requested
Diff: 530 lines (+488/-0), 6 files modified:
- debian/changelog (+14/-0)
- debian/patches/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch (+84/-0)
- debian/patches/ntlm-crammd5-require-credentials.patch (+16/-0)
- debian/patches/series (+2/-0)
- debian/tests/control (+4/-0)
- debian/tests/ldap-map-sasl-auth (+368/-0)
Changed in autofs (Ubuntu Lunar): assignee: nobody → Andreas Hasenack (ahasenack)
Changed in autofs (Ubuntu Kinetic): assignee: nobody → Andreas Hasenack (ahasenack)
Changed in autofs (Ubuntu Jammy): assignee: nobody → Andreas Hasenack (ahasenack); status: New → In Progress
Changed in autofs (Ubuntu Kinetic): status: New → In Progress
Changed in autofs (Ubuntu Lunar): status: New → In Progress; importance: Undecided → Low
Changed in autofs (Ubuntu Kinetic): importance: Undecided → Low
Changed in autofs (Ubuntu Jammy): importance: Undecided → Low
description: updated
Changed in autofs (Ubuntu Mantic): status: Triaged → In Progress; assignee: nobody → Andreas Hasenack (ahasenack)
description: updated
description: updated
Changed in autofs (Ubuntu Kinetic): status: In Progress → Won't Fix
This bug was fixed in the package autofs - 5.1.8-2ubuntu2
---------------
autofs (5.1.8-2ubuntu2) mantic; urgency=medium

  * Fix NTLM and CRAM-MD5 SASL authentication (LP: #2023595):
    - d/p/ntlm-crammd5-require-credentials.patch: fix NTLM and CRAM-MD5
    - d/t/ldap-map-sasl-auth: add NTLM and CRAM-MD5 to the test
  * d/p/autofs-5.1.8-support-SCRAM-for-SASL-binding.patch: fix typo in
    the "Origin" DEP3 header
  * d/t/ldap-map-sasl-auth, d/t/control: add a missing 2>&1 to the test,
    which allows us to drop the allow-stderr flag from the control file

 -- Andreas Hasenack <email address hidden>  Tue, 25 Jul 2023 11:29:10 -0300