Bug 10666
Summary: | Authentication failure w/pam using samba | ||
---|---|---|---|
Product: | [Retired] Red Hat Linux | Reporter: | Henri J. Schlereth <henris> |
Component: | samba | Assignee: | Trond Eivind Glomsrxd <teg> |
Status: | CLOSED RAWHIDE | QA Contact: | |
Severity: | low | Docs Contact: | |
Priority: | medium | ||
Version: | 6.2 | CC: | dr, henris |
Target Milestone: | --- | ||
Target Release: | --- | ||
Hardware: | i386 | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2001-01-19 00:08:18 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: |
Description
Henri J. Schlereth
2000-04-08 18:33:39 UTC
Tested this issue with samba 2.0.7 from rawhide and this issue still exists. I emailed RH web support and they said it was "not supported". Still exists in samba-2.0.7-11 *** Bug 12410 has been marked as a duplicate of this bug. *** Found an email from samba-technical with a possible patch. This refers to 1.9.18 which shows how far back this exists. Dont know how useful this is but I thought I would submit it for review of the more technically inclined. When I get a spare machine I will try and patch 2.0.7 and see what it does. Henri Patch (was Re: disable "fake" samba authentication error messages) Charlie Brady cbrady.com.au Mon, 10 Aug 1998 19:47:51 +1000 (EST) Attached is a patch to 1.9.18p8 to kill the "authentication failure" messages when samba is permuting upper/lower cases. This follows the strategy suggested by Andrew Morgan. The patch isn't really as big as it looks, I've moved some code around so that there is less repetition. I note that samba always tries the password lowercased unless it receives the password in mixed case. I would have thought that we knew which clients might have uppercased it, and should only do the case permutation for known dumb clients. Otherwise we reduce password security somewhat on well behaved clients. There's also the issue of PAM adding a pause on every authentication failure (PAM_FAIL_DELAY). At the moment this can be disabled on a per service basis in the PAM config file, but I think that samba should turn it off in the code, then turn it back on for the last authentication attempt. I sent this patch to Andrew and John Terpstra back in July, but it seems to have been lost in the noise, so I'll repost it here in case it is useful to anyone. I can't claim to have tested this exhaustively, but it was doing the right thing for me. Charlie Brady - Telstra |internet: cbrady.com.au Network Products |Snail : Locked Bag 6581, GPO Sydney 2001 Australia Platform Technologies |Physical : Lvl 2, 175 Liverpool St, Sydney 2000 IN-Sub Unit - Sydney | Phone: +61 2 9206 3470 Fax: +61 2 9281 1301 ---------- Forwarded message ---------- Date: 18 Jul 1998 13:43:59 -0000 From: charlieb.net.au To: cbrady.com.au Subject: samba.patch --- password.c.orig Mon May 11 18:37:47 1998 +++ password.c Sat Jul 18 23:37:11 1998 @@ -449,10 +449,17 @@ NULL }; +static pam_handle_t *pamh; + +static BOOL samba_pam_checkpass(char *password) +{ + PAM_password = password; + + return (PAM_SUCCESS == pam_authenticate(pamh, 0)); +} static BOOL pam_auth(char *this_user,char *password) { - pam_handle_t *pamh; int pam_error; /* Now use PAM to do authentication. For now, we won't worry about @@ -462,27 +469,34 @@ * verbose as would otherwise make sense. * Query: should we be using PAM_SILENT to shut PAM up? */ - #define PAM_BAIL if (pam_error != PAM_SUCCESS) { \ - pam_end(pamh, 0); return False; \ - } PAM_password = password; PAM_username = this_user; - pam_error = pam_start("samba", this_user, &PAM_conversation, &pamh); - PAM_BAIL; + + if (PAM_SUCCESS != pam_start("samba", this_user, &PAM_conversation, &pamh)) + { + pam_end(pamh, 0); return False; + } + /* Setting PAM_SILENT stops generation of error messages to syslog * to enable debugging on Red Hat Linux set: * /etc/pam.d/samba: * auth required /lib/security/pam_pwdb.so nullok shadow audit * _OR_ change PAM_SILENT to 0 to force detailed reporting (logging) */ - pam_error = pam_authenticate(pamh, PAM_SILENT); - PAM_BAIL; + + if (!string_combinations(password, samba_pam_checkpass, lp_passwordlevel())) + { + pam_end(pamh, 0); return False; + } + /* It is not clear to me that account management is the right thing * to do, but it is not clear that it isn't, either. This can be * removed if no account management should be done. Alternately, * put a pam_allow.so entry in /etc/pam.conf for account handling. */ - pam_error = pam_acct_mgmt(pamh, PAM_SILENT); - PAM_BAIL; + if (PAM_SUCCESS != pam_acct_mgmt(pamh, PAM_SILENT)) + { + pam_end(pamh, 0); return False; + } pam_end(pamh, PAM_SUCCESS); /* If this point is reached, the user has been authenticated. */ return(True); @@ -756,6 +770,7 @@ offset is the first char to try and change (start with 0) it assumes the string starts lowercased ****************************************************************************/ +static BOOL string_combinations(char *s,BOOL (*fn)(char *),int N); static BOOL string_combinations2(char *s,int offset,BOOL (*fn)(char *),int N) { int len = strlen(s); @@ -790,8 +805,29 @@ static BOOL string_combinations(char *s,BOOL (*fn)(char *),int N) { int n; + pstring pass2; + + if (fn(s)) + return(True); + + /* if the password was given to us with mixed case then we don't + need to proceed as we know it hasn't been case modified by the + client */ + + if (strhasupper(s) && strhaslower(s)) + return(False); + + /* make a copy of it */ + StrnCpy(pass2,s,sizeof(pstring)-1); + + /* try all lowercase */ + strlower(pass2); + if (fn(pass2)) + return(True); + for (n=1;n<=N;n++) - if (string_combinations2(s,0,fn,n)) return(True); + if (string_combinations2(pass2,0,fn,n)) + return(True); return(False); } @@ -804,15 +840,6 @@ { #ifdef USE_PAM -/* This falls through if the password check fails - - if NO_CRYPT is defined this causes an error msg - saying Warning - no crypt available - - if NO_CRYPT is NOT defined this is a potential security hole - as it may authenticate via the crypt call when PAM - settings say it should fail. - if (pam_auth(this_user,password)) return(True); -Hence we make a direct return to avoid a second chance!!! -*/ return (pam_auth(this_user,password)); #endif @@ -1112,49 +1139,11 @@ #endif } - /* try it as it came to us */ - if (password_check(password)) - { - update_protected_database(user,True); - if (pass && update_encrypted) - update_smbpassword_file(pass,password); - return(True); - } - - /* if the password was given to us with mixed case then we don't - need to proceed as we know it hasn't been case modified by the - client */ - if (strhasupper(password) && strhaslower(password)) - return(False); - - /* make a copy of it */ - StrnCpy(pass2,password,sizeof(pstring)-1); - - /* try all lowercase */ - strlower(password); +#ifdef USE_PAM if (password_check(password)) - { - update_protected_database(user,True); - if (pass && update_encrypted) - update_smbpassword_file(pass,password); - return(True); - } - - /* give up? */ - if (level < 1) - { - update_protected_database(user,False); - - /* restore it */ - strcpy(password,pass2); - - return(False); - } - - /* last chance - all combinations of up to level chars upper! */ - strlower(password); - +#else if (string_combinations(password,password_check,level)) +#endif { update_protected_database(user,True); if (pass && update_encrypted) @@ -1163,10 +1152,6 @@ } update_protected_database(user,False); - - /* restore it */ - strcpy(password,pass2); - return(False); } This patch doesnt work with 2.0.7 as the password.c is now pass_check.c *** Bug 21685 has been marked as a duplicate of this bug. *** Hm, will be applied in 2.0.7-24. We can quickly back it out if it does anything odd. |