Disable creation of weak lanman hashes by default in samba
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
samba (Ubuntu) | | Undecided | Steve Langasek |
Bug Description
Binary package hint: samba
The smbpasswd facility of Samba currently uses two different hashes for passwords, lanman and NTLMv2. The lanman hash is *incredibly* insecure: it is more vulnerable to brute-force attacks than historic Unix crypt() hashes (lanman consists of an unsalted hash of the upper-case form of the plaintext password, broken into two groups of 7 chars). It is also only needed for Win95/98/ME clients, as newer Windows clients use the NTLMv2 hash.
Samba should support a new smb.conf option to toggle whether lanman hashes will be generated on password updates, and creation of lanman hashes should be disabled on Ubuntu by default. This should be considered a prerequisite to enabling smbpasswd synchronization by default, due to the security implications.
Changed in samba:
assignee: nobody → vorlon
Sitsofe Wheeler (sitsofe) wrote : | #1 |
This option already exists. If you add
lanman auth = no
lm announce = no
min protocol = NT1
To smb.conf then smbpasswd no longer seems to generate the horrific lanman hashes. Apparently in Vista Microsoft took the initiative and disabled the storing of these weak passwords by default.
Sitsofe Wheeler (sitsofe) wrote : | #2 |
(options to disable lanman hashes were found on http://
Steve Langasek (vorlon) wrote : Re: [Bug 163194] Re: need option to disable creation of lanman hashes | #3 |
On Mon, Nov 19, 2007 at 11:22:03PM -0000, Sitsofe Wheeler wrote:
> This option already exists. If you add
> lanman auth = no
> lm announce = no
> min protocol = NT1
> To smb.conf then it smbpasswd no longer seems to generate the horrific
> lanman hashes. Apparently in Vista Microsoft took the initiative and
> disabled the storing of these weak passwords by default.
Ah, this seems to indeed be the case - "lanman auth" is the magic switch, I
missed that in the documentation.
So all that remains is to set this by default in the Ubuntu samba package.
:)
Mathias Gug (mathiaz) wrote : Re: [Bug 163194] Re: need option to disable creation of lanman hashes | #4 |
On Tue, Nov 20, 2007 at 01:02:39AM -0000, Steve Langasek wrote:
> Ah, this seems to indeed be the case - "lanman auth" is the magic switch, I
> missed that in the documentation.
>
> So all that remains is to set this by default in the Ubuntu samba package.
> :)
>
Should we add a debconf question asking if support for Windows 95/98/Me
clients should be enabled?
status triaged
--
Mathias
Changed in samba:
status: New → Triaged
Sitsofe Wheeler (sitsofe) wrote : | #5 |
Mathias:
This sounds good so long as people are dissuaded from enabling this unnecessarily and this question only turns up if the user requested Medium or above configuration (otherwise I feel it should default to off).
Steve Langasek (vorlon) wrote : | #6 |
As discussed on IRC, we shouldn't do a lot of work to make this configurable via debconf until we see that there's user demand for this.
Steve Langasek (vorlon) wrote : | #7 |
Proposed patch; includes changes to client lanman auth and client plaintext auth as well, which protects users from being tricked into sending plaintext passwords to a rogue server, but at the cost of breaking compatibility with other Samba servers that have encrypted passwords = no set.
Investigation shows that these three changes have already been made upstream for 3.2, which further reinforces my belief that we shouldn't worry about debconf handling of this.
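The settings named in comment #3 (lanman auth, lm announce, min protocol) and the two client-side switches from comment #7 (client lanman auth, client plaintext auth) are the whole fix on the configuration side, but a practitioner also wants to know whether an existing smbpasswd file still carries LM hashes written before the switch was flipped. The Python script below is an added example for this thread; it is not code from the bug report, the Samba project or the Ubuntu package. It assumes the Samba 3.0 defaults of yes for all three options (Samba 3.2 and the hardy package change them to no), that smbpasswd stores 32 X characters in the LM field when no hash is kept, and that the second half of the LM hash of any password of 7 characters or fewer is the well-known constant AAD3B435B51404EE. All smb.conf and smbpasswd contents in it are constructed sample data.

```python
"""Audit a Samba 3.x host for LAN Manager (LM) hash exposure.

Added example for this thread, not code from the bug report, Samba or the
Ubuntu package. It checks (1) whether smb.conf leaves LM enabled on the
server ("lanman auth") or client ("client lanman auth", "client plaintext
auth") given the release defaults, and (2) whether smbpasswd still holds LM
hashes: turning "lanman auth" off stops new ones being written, but entries
made earlier keep theirs until the password is next changed.
All smb.conf and smbpasswd contents below are constructed sample data.
"""
import re

# Samba 3.0 ships all three as yes; Samba 3.2 and the hardy package flip
# them to no. Pick the set matching the version under audit.
SAMBA_30_DEFAULTS = {"lanman auth": True, "client lanman auth": True,
                     "client plaintext auth": True}
SAMBA_32_DEFAULTS = {name: False for name in SAMBA_30_DEFAULTS}

NO_HASH = "X" * 32  # smbpasswd stores 32 X's when there is no LM hash
# DES("KGS!@#$%") under an all-NUL key: the second half of the LM hash of
# every password of 7 characters or fewer equals this constant, so the
# stored hash alone reveals that the password is short.
LM_EMPTY_HALF = "AAD3B435B51404EE"


def parse_global(smb_conf):
    """[global] parameters as {name: value}. Samba ignores case and
    whitespace in parameter names, so keys are normalised the same way."""
    params, section = {}, None
    for raw in smb_conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            name, value = line.split("=", 1)
            params[re.sub(r"\s+", " ", name.strip().lower())] = value.strip()
    return params


def audit_config(smb_conf, defaults):
    """Effective value of each LM switch; True means still enabled."""
    params = parse_global(smb_conf)
    return {name: (params[name].lower() in ("yes", "true", "1")
                   if name in params else default)
            for name, default in defaults.items()}


def lm_halves(password):
    """What LM actually hashes: upper-cased, cut or NUL-padded to 14 bytes,
    split into two independent 7-byte DES keys, no salt."""
    data = password.upper().encode("latin-1", "replace")[:14].ljust(14, b"\0")
    return data[:7], data[7:]


def audit_smbpasswd(text):
    """(user, problem) for every entry that still carries an LM hash."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        fields = line.split(":")
        if not line or line.startswith("#") or len(fields) < 4:
            continue
        user, lm_hash = fields[0], fields[2].upper()
        if lm_hash == NO_HASH or not re.fullmatch(r"[0-9A-F]{32}", lm_hash):
            continue
        short = lm_hash.endswith(LM_EMPTY_HALF)
        findings.append((user, "LM hash present" +
                         (", password is 7 chars or fewer" if short else "")))
    return findings


# smb.conf that says nothing about LM: weak under Samba 3.0 defaults.
WEAK_CONF = """\
[global]
   workgroup = WORKGROUP
"""

# The settings from this thread, spelled out so they hold on any release.
HARDENED_CONF = """\
[global]
   lanman auth = no
   client lanman auth = no
   client plaintext auth = no
   lm announce = no
   min protocol = NT1
"""

# Constructed entries: the hex is filler, not the hash of any real password,
# except that "short" deliberately ends in the genuine empty-half constant.
SAMPLE_SMBPASSWD = """\
# user:uid:LM hash:NT hash:[flags]:LCT-<hex time>:
alice:1000:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-47399A11:
short:1001:89ABCDEF01234567AAD3B435B51404EE:00112233445566778899AABBCCDDEEFF:[U          ]:LCT-47399A12:
bob:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0011223344556677889900AABBCCDDEE:[U          ]:LCT-473B2C07:
"""

if __name__ == "__main__":
    print("weak:", audit_config(WEAK_CONF, SAMBA_30_DEFAULTS))
    print("hardened:", audit_config(HARDENED_CONF, SAMBA_30_DEFAULTS))
    print("halves:", lm_halves("Passw0rd!longer"))
    for user, problem in audit_smbpasswd(SAMPLE_SMBPASSWD):
        print(f"{user}: {problem}")
```

On a real host, feed it the output of `testparm -sv` rather than the raw smb.conf if you want Samba's own view of the effective values, and treat every user the smbpasswd check flags as still exposed: the fix in this bug only stops new LM hashes being generated, so those accounts keep their old hash until the password is changed with smbpasswd.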
Steve Langasek (vorlon) wrote : | #8 |
samba (3.0.27a-2ubuntu1) hardy; urgency=low
* Merge from debian unstable (LP: #174296), remaining changes:
* debian/
- set SAMBA_VERSION_
* debian/smb.conf:
- Add "(Samba, Ubuntu)" to server string.
- Comment out the default [homes] shares and add more verbose comments to
explain what they do and how they work (LP #27608). Also, add a
comment about "valid users = %S" to show users how to restrict access
to \\server\username to only username.
- default passwd chat value is modified
* debian/
- do not change priority to HIGH if dhclient3 is installed
- use priority medium instead of high for the workgroup question
* Set Ubuntu maintainer address.
samba (3.0.27a-2) unstable; urgency=low
* debian/
on the client, and lanman authentication on both client and server, by
default since these are only needed for Win9x or Samba with encrypted
passwords disabled and are potential password attack vectors. This
change is backported from Samba 3.2. LP: #163194.
* Don't build the userspace tools for the deprecated smbfs kernel driver
anymore; instead, use a shell wrapper around mount.cifs that translates
option names between the smbfs and cifs drivers.
Closes: #169624, #256637, #265468, #289179, #305210, #410075;
LP: #29413
* debian/
reporters to Launchpad instead of to the Debian BTS. Closes: #452940.
* debian/samba.init: call log_progress_msg separately for each daemon on
stop rather than passing a second arg to log_daemon_msg, for greater
compatibility with both Debian and Ubuntu LSB initscript implementations.
Closes: #453350.
* Drop smbldap-tools to Suggests:, consistent with the textbook meaning of
recommends/
Closes: #453144.
* Get rid of the build-dependency on type-handling:
- add a new target, "update-archs", to be invoked by hand to refresh
the list of known Linux architectures for the libacl1-dev
build-dep; this avoids the clean target making changes to
debian/
- rework the sed line so that it works in-place on debian/control,
so we can get rid of debian/control.in as well and just update
debian/
Closes: #340570.
-- Steve Langasek <email address hidden> Wed, 05 Dec 2007 16:14:20 -0800
Changed in samba:
status: Triaged → Fix Released