From c594ab88badcbd3f3be4e168615fdc0ab22f8afd Mon Sep 17 00:00:00 2001
From: Simo Sorce
Date: Mon, 4 Oct 2010 15:13:36 -0400
Subject: Add options to control NTLM hashes

By default LM hash is disabled. Of course generation still depends on whether the SamAccount objectclass is present in the user object.
---
 .../ipa-pwd-extop/ipa_pwd_extop.c | 9 +++++++
 daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h | 3 +++
 .../ipa-pwd-extop/ipapwd_common.c | 28 ++++++++++++++++++++++
 .../ipa-pwd-extop/ipapwd_encoding.c | 26 ++++++++++----------
 4 files changed, 53 insertions(+), 13 deletions(-)
(limited to 'daemons')

diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
index cbf572188..db55981b8 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipa_pwd_extop.c
@@ -73,6 +73,7 @@ const char *ipa_realm_tree;
 /* dn of Kerberos realm entry */
 const char *ipa_realm_dn;
 const char *ipa_pwd_config_dn;
+const char *ipa_etc_config_dn;
 const char *ipa_changepw_principal_dn;
 
 Slapi_PluginDesc ipapwd_plugin_desc = {
@@ -1117,6 +1118,14 @@ static int ipapwd_start( Slapi_PBlock *pb )
 goto done;
 }
 
+ ipa_etc_config_dn = slapi_ch_smprintf("cn=ipaConfig,cn=etc,%s",
+ ipa_realm_tree);
+ if (!ipa_etc_config_dn) {
+ slapi_log_error(SLAPI_LOG_FATAL, "ipapwd_start", "Out of memory?\n");
+ ret = LDAP_OPERATIONS_ERROR;
+ goto done;
+ }
+
 ret = LDAP_SUCCESS;
 
 done:
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
index 450e7100e..16e0efbe6 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd.h
@@ -47,6 +47,7 @@
 #include
 #include
 #include
+#include
 #include
 #include
@@ -110,6 +111,8 @@ struct ipapwd_krbcfg {
 struct ipapwd_encsalt *pref_encsalts;
 char **passsync_mgrs;
 int num_passsync_mgrs;
+ bool allow_lm_hash;
+ bool allow_nt_hash;
 };
 
 int ipapwd_entry_checks(Slapi_PBlock *pb, struct slapi_entry *e,
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
index 0e08785fd..42a4abe9f 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_common.c
@@ -48,6 +48,7 @@ extern void *ipapwd_plugin_id;
 extern const char *ipa_realm_dn;
+extern const char *ipa_etc_config_dn;
 extern const char *ipa_pwd_config_dn;
 
 /* These are the default enc:salt types if nothing is defined.
@@ -152,6 +153,7 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 const struct berval *bval;
 struct berval *mkey = NULL;
 char **encsalts;
+ char **tmparray;
 char *tmpstr;
 int i, ret;
@@ -306,6 +308,32 @@ static struct ipapwd_krbcfg *ipapwd_getConfig(void)
 for (i = 0; config->passsync_mgrs[i]; i++) /* count */ ;
 config->num_passsync_mgrs = i;
+
 slapi_entry_free(config_entry);
+
+ /* get the ipa etc/ipaConfig entry */
+ config->allow_lm_hash = false;
+ config->allow_nt_hash = false;
+ ret = ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL);
+ if (ret != LDAP_SUCCESS) {
+ slapi_log_error(SLAPI_LOG_FATAL, __func__, "No config Entry?\n");
+ } else {
+ tmparray = slapi_entry_attr_get_charray(config_entry,
+ "ipaConfigString");
+ for (i = 0; tmparray && tmparray[i]; i++) {
+ if (strcasecmp(tmparray[i], "AllowLMhash") == 0) {
+ config->allow_lm_hash = true;
+ continue;
+ }
+ if (strcasecmp(tmparray[i], "AllowNThash") == 0) {
+ config->allow_nt_hash = true;
+ continue;
+ }
+ }
+ if (tmparray) slapi_ch_array_free(tmparray);
+ }
+
+ slapi_entry_free(config_entry);
+
 return config;
 
 free_and_error:
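Review bot: The two new `bool` fields in struct ipapwd_krbcfg carry no comment on where their values come from or what the default is, so a reader of the header has to find ipapwd_getConfig to learn it; add above them `/* NTLM hash policy, read from the ipaConfigString values AllowLMhash / AllowNThash in the cn=ipaConfig,cn=etc entry; both default to false */`. The `bool` type also relies on the include this commit adds earlier in the same file, whose name was lost on this page, so confirm it is the stdbool header rather than relying on a transitive include.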
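Review bot: After the first `slapi_entry_free(config_entry);` the pointer is left dangling, and when `ipapwd_getEntry(ipa_etc_config_dn, &config_entry, NULL)` fails the code only logs and then reaches the unconditional `slapi_entry_free(config_entry);` below the else branch, which frees the stale entry a second time unless ipapwd_getEntry resets its out-parameter on failure (not visible here). Adding `config_entry = NULL;` right after the first free, or moving the second free inside the else branch, removes that risk either way. Separately, both flags start at false, so an NT hash is produced only when the entry carries AllowNThash, while the commit message says only the LM hash is disabled by default; worth confirming the NT default is intended. ipapwd_getConfig begins and ends outside the hunk.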
diff --git a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
index 1b1e6d914..f11efa3bd 100644
--- a/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
+++ b/daemons/ipa-slapi-plugins/ipa-pwd-extop/ipapwd_encoding.c
@@ -557,8 +557,6 @@ enc_error:
 }
 
-#define KTF_LM_HASH 0x01
-#define KTF_NT_HASH 0x02
 #define KTF_DOS_CHARSET "CP850" /* same default as samba */
 #define KTF_UTF8 "UTF-8"
 #define KTF_UCS2 "UCS-2LE"
@@ -593,16 +591,19 @@ struct ntlm_keys {
 /* create the lm and nt hashes
 newPassword: the clear text utf8 password
- flags: KTF_LM_HASH | KTF_NT_HASH
+ do_lm_hash: determine if LM hash is generated
+ do_nt_hash: determine if NT hash is generated
+ keys[out]: array with generated hashes
 */
 static int encode_ntlm_keys(char *newPasswd,
- unsigned int flags,
+ bool do_lm_hash,
+ bool do_nt_hash,
 struct ntlm_keys *keys)
 {
 int ret = 0;
 
 /* do lanman first */
- if (flags & KTF_LM_HASH) {
+ if (do_lm_hash) {
 iconv_t cd;
 size_t cs, il, ol;
 char *inc, *outc;
@@ -678,7 +679,7 @@ static int encode_ntlm_keys(char *newPasswd,
 memset(keys->lm, 0, 16);
 }
 
- if (flags & KTF_NT_HASH) {
+ if (do_nt_hash) {
 iconv_t cd;
 size_t cs, il, ol, sl;
 char *inc, *outc;
@@ -770,13 +771,12 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
 if (is_smb) {
 char lm[33], nt[33];
 struct ntlm_keys ntlm;
- int ntlm_flags = 0;
 int ret;
 
- /* TODO: retrieve if we want to store the LM hash or not */
- ntlm_flags = KTF_LM_HASH | KTF_NT_HASH;
-
- ret = encode_ntlm_keys(userpw, ntlm_flags, &ntlm);
+ ret = encode_ntlm_keys(userpw,
+ krbcfg->allow_lm_hash,
+ krbcfg->allow_nt_hash,
+ &ntlm);
 if (ret) {
 *errMesg = "Failed to generate NT/LM hashes\n";
 slapi_log_error(SLAPI_LOG_FATAL, IPAPWD_PLUGIN_NAME,
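Review bot: The rewritten comment above encode_ntlm_keys still calls the first parameter `newPassword` while the signature declares `newPasswd`, and `keys[out]: array with generated hashes` describes what is actually a `struct ntlm_keys *`; since the commit already edits these lines, make them `newPasswd: the clear text utf8 password` and `keys[out]: struct receiving the generated lm and nt hashes`. It would also help to state what a hash field holds when its flag is false, which the hunk does not show (the later `memset(keys->lm, 0, 16);` may or may not run in that case). The function body continues past the hunk.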
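Review bot: When both `krbcfg->allow_lm_hash` and `krbcfg->allow_nt_hash` are false, `encode_ntlm_keys` is still invoked for an SMB user and, per the following hunk, neither `*lmhash` nor `*nthash` is assigned, so the caller gets a success return with the outputs left as it initialised them; either skip the block with `if (krbcfg->allow_lm_hash || krbcfg->allow_nt_hash)` or document that is_smb with both hashes disabled is a deliberate no-op. Because ipapwd_getConfig defaults both flags to false, that is the path taken unless the config entry lists AllowNThash. ipapwd_gen_hashes starts before and ends after this hunk.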
@@ -784,12 +784,12 @@ int ipapwd_gen_hashes(struct ipapwd_krbcfg *krbcfg,
 rc = LDAP_OPERATIONS_ERROR;
 goto done;
 }
- if (ntlm_flags & KTF_LM_HASH) {
+ if (krbcfg->allow_lm_hash) {
 hexbuf(lm, ntlm.lm);
 lm[32] = '\0';
 *lmhash = slapi_ch_strdup(lm);
 }
- if (ntlm_flags & KTF_NT_HASH) {
+ if (krbcfg->allow_nt_hash) {
 hexbuf(nt, ntlm.nt);
 nt[32] = '\0';
 *nthash = slapi_ch_strdup(nt);
-- cgit