Bug 263241

Summary: NTLM library needed
Product: [Fedora] Fedora Reporter: Rob Crittenden <rcritten>
Component: nss_compat_osslAssignee: Matthew Harmsen <mharmsen>
Status: CLOSED WONTFIX QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: high    
Version: 14CC: kevin, mitr, nkinder, rmeggins, rob.townley, rrelyea, scottt.tw, triage
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: All   
Whiteboard: bzcl34nup
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-08-16 16:41:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Rob Crittenden 2007-08-29 13:10:25 UTC 
Many of the applications that we would like to port to NSS provide support for
NTLM authentication. NTLM uses MD4 which is not supported in NSS. It typically
also involves some low-level DES encryption. We need to come up with a standard
way to do this in a FIPS-approved way (e.g. no direct access to the key material)
Comment 1 Bob Relyea 2007-08-29 20:29:20 UTC 
Actually NTLM is fundamentally non-FIPS. MD4 has never been FIPS, regular DES is
no longer FIPS (in favor of DES3 and AES).

bob
Comment 2 Bug Zapper 2008-04-04 13:43:04 UTC 
Based on the date this bug was created, it appears to have been reported
during the development of Fedora 8. In order to refocus our efforts as
a project we are changing the version of this bug to '8'.

If this bug still exists in rawhide, please change the version back to
rawhide.
(If you're unable to change the bug's version, add a comment to the bug
and someone will change it for you.)

Thanks for your help and we apologize for the interruption.

The process we're following is outlined here:
http://fedoraproject.org/wiki/BugZappers/F9CleanUp

We will be following the process here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping to ensure this
doesn't happen again.
Comment 3 Bug Zapper 2008-05-14 03:09:40 UTC 
Changing version to '9' as part of upcoming Fedora 9 GA.
More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 4 Kevin Kofler 2008-10-09 21:14:54 UTC 
What about libntlm? http://josefsson.org/libntlm/

It's already used by XChat and GNU SASL (libgsasl) (at least those are the ones linking against it in Rawhide, there may be more), it has no dependencies other than glibc and it implements just NTLM, no more no less, so it doesn't duplicate the functionality of NSS.

IMHO it's exactly what we're looking for.
Comment 5 Kevin Kofler 2008-10-09 21:24:45 UTC 
By the way, the specfile for the Fedora package is here:
http://cvs.fedoraproject.org/viewvc/rpms/libntlm/devel/libntlm.spec?revision=1.7&view=markup

Looks really easy to package and maintain (can't really get much simpler), and the soname is still at .so.0, so they aren't breaking the ABI willy-nilly either, and the license is plain LGPLv2+, thus it might even be a candidate for LSB inclusion and/or be of interest to other distributions (if they aren't already shipping it as a dependency of GNU SASL and/or XChat). To me, it definitely looks like a good solution, though I admit I haven't looked at its API and I'm not a crypto expert at all. (I just thought of it because I remembered XChat uses it.)
Comment 6 Bob Relyea 2008-10-09 22:01:41 UTC 
Sounds good to me. I certainly don't think we should write a new one. We just need to get everything else to use it.

bob
Comment 7 Nathan Kinder 2008-12-12 19:24:20 UTC 
The libntlm package works fine for NTLM authentication, but we do have a need for some more basic MD4 operations.

For Fedora Directory Server, we want the ability to take MD4 hashed passwords from Active Directory and pull them into our database when syncing accounts.  This would allow AD users to use their AD password to authenticate to FDS.

In order for this to work, we need a compare function at a minimum.  We would want to pass in the MD4 hash and a clear-text password and get a response telling us the results of the comparison.

In addition, we would need a function to MD4 hash a clear password for true MD4 password storage in FDS, though we may be able to get away without doing this if we only want to support MD4 when pulling passwords in from AD.  I'm not sure if this would work properly given the current structure of a password storage scheme plug-in in FDS.
Comment 8 Kevin Kofler 2009-01-28 16:02:11 UTC 
Indeed, unfortunately, libntlm doesn't export the MD4 functions. Maybe we could get the author to change that?
Comment 9 Bug Zapper 2009-06-09 22:47:55 UTC 
This message is a reminder that Fedora 9 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 9.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '9'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 9's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 9 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 10 Bug Zapper 2009-11-16 07:57:03 UTC 
This bug appears to have been reported against 'rawhide' during the Fedora 12 development cycle.
Changing version to '12'.

More information and reason for this action is here:
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 11 Elio Maldonado Batiz 2010-09-28 00:40:17 UTC 
*** Bug 258481 has been marked as a duplicate of this bug. ***
Comment 12 Bug Zapper 2010-11-04 12:07:57 UTC 
This message is a reminder that Fedora 12 is nearing its end of life.
Approximately 30 (thirty) days from now Fedora will stop maintaining
and issuing updates for Fedora 12.  It is Fedora's policy to close all
bug reports from releases that are no longer maintained.  At that time
this bug will be closed as WONTFIX if it remains open with a Fedora 
'version' of '12'.

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, simply change the 'version' 
to a later Fedora version prior to Fedora 12's end of life.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we may not be able to fix it before Fedora 12 is end of life.  If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora please change the 'version' of this 
bug to the applicable version.  If you are unable to change the version, 
please add a comment here and someone will do it for you.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping
Comment 13 Fedora Admin XMLRPC Client 2011-08-24 18:22:44 UTC 
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
Comment 14 Fedora End Of Life 2012-08-16 16:41:39 UTC 
This message is a notice that Fedora 14 is now at end of life. Fedora 
has stopped maintaining and issuing updates for Fedora 14. It is 
Fedora's policy to close all bug reports from releases that are no 
longer maintained.  At this time, all open bugs with a Fedora 'version'
of '14' have been closed as WONTFIX.

(Please note: Our normal process is to give advanced warning of this 
occurring, but we forgot to do that. A thousand apologies.)

Package Maintainer: If you wish for this bug to remain open because you
plan to fix it in a currently maintained version, feel free to reopen 
this bug and simply change the 'version' to a later Fedora version.

Bug Reporter: Thank you for reporting this issue and we are sorry that 
we were unable to fix it before Fedora 14 reached end of life. If you 
would still like to see this bug fixed and are able to reproduce it 
against a later version of Fedora, you are encouraged to click on 
"Clone This Bug" (top right of this page) and open it against that 
version of Fedora.

Although we aim to fix as many bugs as possible during every release's 
lifetime, sometimes those efforts are overtaken by events.  Often a 
more recent Fedora release includes newer upstream software that fixes 
bugs or makes them obsolete.

The process we are following is described here: 
http://fedoraproject.org/wiki/BugZappers/HouseKeeping