Disable creation of weak lanman hashes by default in samba

Bug #163194 reported by Steve Langasek on 2007-11-16
Affects: samba (Ubuntu); Importance: Undecided; Assigned to: Steve Langasek

Bug Description

Binary package hint: samba

The smbpasswd facility of Samba currently uses two different hashes for passwords, lanman and NTLMv2. The lanman hash is *incredibly* insecure: it is more vulnerable to brute-force attacks than historic Unix crypt() hashes (lanman consists of an unsalted hash of the upper-case form of the plaintext password, broken into two groups of 7 chars). It is also only needed for Win95/98/ME clients, as newer Windows clients use the NTLMv2 hash.

Samba should support a new smb.conf option to toggle whether lanman hashes will be generated on password updates, and creation of lanman hashes should be disabled on Ubuntu by default. This should be considered a prerequisite to enabling smbpasswd synchronization by default, due to the security implications.

Steve Langasek (vorlon) on 2007-11-16
Changed in samba:
assignee: nobody → vorlon
Sitsofe Wheeler (sitsofe) wrote :

This option already exists. If you add
lanman auth = no
lm announce = no
min protocol = NT1
to smb.conf, then smbpasswd no longer seems to generate the horrific lanman hashes. Apparently in Vista Microsoft took the initiative and disabled the storing of these weak passwords by default.

Sitsofe Wheeler (sitsofe) wrote :

(options to disable lanman hashes were found on http://www.oregontechsupport.com/samba/ )

On Mon, Nov 19, 2007 at 11:22:03PM -0000, Sitsofe Wheeler wrote:
> This option already exists. If you add
> lanman auth = no
> lm announce = no
> min protocol = NT1
> To smb.conf then it smbpasswd no longer seems to generate the horrific
> lanman hashes. Apparently in Vista Microsoft took the initiative and
> disabled the storing of these weak passwords by default.

Ah, this seems to indeed be the case - "lanman auth" is the magic switch, I
missed that in the documentation.

So all that remains is to set this by default in the Ubuntu samba package.
:)

On Tue, Nov 20, 2007 at 01:02:39AM -0000, Steve Langasek wrote:
> Ah, this seems to indeed be the case - "lanman auth" is the magic switch, I
> missed that in the documentation.
>
> So all that remains is to set this by default in the Ubuntu samba package.
> :)
>

Should we add a debconf question asking if support for Windows 95/98/Me
clients should be enabled?

  status triaged

--
Mathias

Changed in samba:
status: New → Triaged
Sitsofe Wheeler (sitsofe) wrote :

Mathias:
This sounds good so long as people are dissuaded from enabling this unnecessarily and this question only turns up if the user requested Medium or above configuration (otherwise I feel it should default to off).

Steve Langasek (vorlon) wrote :

As discussed on IRC, we shouldn't do a lot of work to make this configurable via debconf until we see that there's user demand for this.

Steve Langasek (vorlon) wrote :

Proposed patch; includes changes to client lanman auth and client plaintext auth as well, which protects users from being tricked into sending plaintext passwords to a rogue server, but at the cost of breaking compatibility with other Samba servers that have encrypted passwords = no set.

Investigation shows that these three changes have already been made upstream for 3.2, which further reinforces my belief that we shouldn't worry about debconf handling of this.
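As an added illustration (not code from the bug report, the patch, or Samba itself), a small Python checker that reads the [global] section of an smb.conf and reports the effective value of the three parameters the proposed patch changes: "lanman auth", "client lanman auth" and "client plaintext auth". It assumes a simplified smb.conf syntax (no include files or variable substitution) and assumes the pre-patch default for all three is "yes", as the thread implies; the sample configs are constructed.

```python
import re

# Pre-patch defaults for the three parameters the thread's patch changes:
# assumed "yes" for all of them (Samba 3.0; Samba 3.2 flips them to "no").
WEAK_AUTH_DEFAULTS = {
    "lanman auth": True,            # server stores/accepts LM hashes
    "client lanman auth": True,     # client answers LM challenges
    "client plaintext auth": True,  # client may send cleartext passwords
}

def parse_bool(value):
    """Interpret an smb.conf boolean as Samba does (yes/true/1, no/false/0)."""
    v = value.strip().lower()
    if v in ("yes", "true", "1"):
        return True
    if v in ("no", "false", "0"):
        return False
    raise ValueError("not a boolean: %r" % value)

def parse_global_section(text):
    """Return {parameter: value} for [global]; names lower-cased, spaces collapsed."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":       # skip blank lines and comments
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                 # new section header
            section = m.group(1).strip().lower()
            continue
        if section == "global" and "=" in line:
            key, _, value = line.partition("=")
            params[" ".join(key.lower().split())] = value.strip()
    return params

def audit_weak_auth(text):
    """Effective value per weak-auth parameter (True = enabled), using the
    assumed default when smb.conf does not set it explicitly."""
    params = parse_global_section(text)
    return {name: parse_bool(params[name]) if name in params else default
            for name, default in WEAK_AUTH_DEFAULTS.items()}

# Constructed sample configs (not the bug report's own smb.conf).
HARDENED = """\
[global]
   lanman auth = no
   Client LanMan Auth = No
   client plaintext auth = no
"""
STOCK = "[global]\n   workgroup = WORKGROUP\n"
```

Any parameter still reported as True is one the patch turns off by default; a stock config that sets none of them is reported with all three enabled.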

Steve Langasek (vorlon) wrote :

samba (3.0.27a-2ubuntu1) hardy; urgency=low

  * Merge from debian unstable (LP: #174296), remaining changes:
    * debian/patches/VERSION.patch:
      - set SAMBA_VERSION_VENDOR_SUFFIX to Ubuntu
    * debian/smb.conf:
      - Add "(Samba, Ubuntu)" to server string.
      - Comment out the default [homes] shares and add more verbose comments to
        explain what they do and how they work (LP #27608). Also, add a
        comment about "valid users = %S" to show users how to restrict access
        to \\server\username to only username.
      - default passwd chat value is modified
    * debian/samba-common.config:
      - do not change priority to HIGH if dhclient3 is installed
      - use priority medium instead of high for the workgroup question
    * Set Ubuntu maintainer address.

samba (3.0.27a-2) unstable; urgency=low

  * debian/patches/disable-weak-auth.patch: disable plaintext authentication
    on the client, and lanman authentication on both client and server, by
    default since these are only needed for Win9x or Samba with encrypted
    passwords disabled and are potential password attack vectors. This
    change is backported from Samba 3.2. LP: #163194.
  * Don't build the userspace tools for the deprecated smbfs kernel driver
    anymore; instead, use a shell wrapper around mount.cifs that translates
    option names between the smbfs and cifs drivers.
    Closes: #169624, #256637, #265468, #289179, #305210, #410075;
    LP: #29413
  * debian/panic-action: detect when we're on an Ubuntu system and direct bug
    reporters to Launchpad instead of to the Debian BTS. Closes: #452940.
  * debian/samba.init: call log_progress_msg separately for each daemon on
    stop rather than passing a second arg to log_daemon_msg, for greater
    compatibility with both Debian and Ubuntu LSB initscript implementations.
    Closes: #453350.
  * Drop smbldap-tools to Suggests:, consistent with the textbook meaning of
    recommends/suggests which is now implemented correctly in apt.
    Closes: #453144.
  * Get rid of the build-dependency on type-handling:
    - add a new target, "update-archs", to be invoked by hand to refresh
      the list of known Linux architectures for the libacl1-dev
      build-dep; this avoids the clean target making changes to
      debian/control
    - rework the sed line so that it works in-place on debian/control,
      so we can get rid of debian/control.in as well and just update
      debian/control directly
    Closes: #340570.

 -- Steve Langasek <email address hidden> Wed, 05 Dec 2007 16:14:20 -0800

Changed in samba:
status: Triaged → Fix Released