authentication for user@realm logins and machine account logins.
This should avoid various protocol downgrade attacks.
Andrew Bartlett
cred->old_password = NULL;
cred->smb_krb5_context = NULL;
cred->salt_principal = NULL;
+ cred->machine_account = False;
return cred;
}
* secrets.ldb when we are asked for a username or password */
BOOL machine_account_pending;
+
+ /* Is this a machine account? */
+ BOOL machine_account;
};
/* ok, we are going to get it now, don't recurse back here */
cred->machine_account_pending = False;
+ /* some other parts of the system will key off this */
+ cred->machine_account = True;
+
mem_ctx = talloc_named(cred, 0, "cli_credentials fetch machine password");
/* Local secrets are stored in secrets.ldb */
ldb = secrets_db_connect(mem_ctx);
cli_credentials_get_ntlm_username_domain(cred, mem_ctx, &user, &domain);
+ /* If we are sending a username@realm login (see function
+ * above), then we will not send LM, it will not be
+ * accepted */
+ if (cred->principal_obtained > cred->username_obtained) {
+ *flags = *flags & ~CLI_CRED_LANMAN_AUTH;
+ }
+
+ /* Likewise if we are a machine account (avoid protocol downgrade attacks) */
+ if (cred->principal_obtained > cred->username_obtained) {
+ *flags = *flags & ~CLI_CRED_LANMAN_AUTH;
+ }
+
if (!nt_hash) {
static const uint8_t zeros[16];
/* do nothing - blobs are zero length */
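Review bot: The second guard under the `Likewise if we are a machine account` comment repeats the first guard's condition, `cred->principal_obtained > cred->username_obtained`, so the new `machine_account` field this commit adds to the struct is never consulted here and LM authentication is not actually suppressed for machine accounts, which is the downgrade case the commit message sets out to close. The condition should be `if (cred->machine_account) {`, the field the commit sets to True in the machine-password fetch path and to False in the init path. One thing to confirm: `machine_account` is only set when the machine password is fetched, so if `cli_credentials_get_ntlm_username_domain` on the line above does not trigger that fetch for a pending machine account, the flag could still be False when this check runs. Both guards could also be written more compactly as `*flags &= ~CLI_CRED_LANMAN_AUTH;`. The enclosing function starts before and continues after the visible lines.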