Change the rules for mschap auth to allow aux/cifs to interoperate with aquarela (also needs an unrelated patch to aquarela). It is valid to send the same response in both the LM and NTLM fields provided one of them is correct, if neither matches, or the two fields are different and either fails to match, the whole sha-bang fails. This is an improvment in security as it allows clients who wish to do ntlm auth (which is insecure) not to send lm tokens (which is very insecure). Windows servers supports clients doing this also though windows clients don't seem to use the feature. -Steve Reference: /n/sources/patch/applied/cifs-aquarela Date: Mon Mar 26 19:09:35 CES 2007 Signed-off-by: steve@quintile.net
--- /sys/src/cmd/auth/authsrv.c Mon Mar 26 19:05:39 2007
+++ /sys/src/cmd/auth/authsrv.c Mon Mar 26 19:10:04 2007
@@ -641,7 +641,7 @@
 	uchar hash2[MShashlen];
 	uchar resp[MSresplen];
 	OMSchapreply reply;
-	int lmok, ntok;
+	int dupe, lmok, ntok;
 	DigestState *s;
 	uchar digest[SHA1dlen];
@@ -664,24 +664,36 @@
 	secret = findsecret(KEYDB, tr->uid, sbuf);
 	hkey = findkey(KEYDB, tr->hostid, hbuf);
 	if(hkey == 0 || secret == 0){
-		replyerror("mschap-fail bad response %s", raddr);
+		replyerror("mschap-fail bad response %s/%s(%s)",
+			tr->uid, tr->hostid, raddr);
 		logfail(tr->uid);
 		exits(0);
 	}
 
-	/*
-	 * check for match on LM algorithm
-	 */
 	lmhash(hash, secret);
 	mschalresp(resp, hash, chal);
 	lmok = memcmp(resp, reply.LMresp, MSresplen) == 0;
-
 	nthash(hash, secret);
 	mschalresp(resp, hash, chal);
 	ntok = memcmp(resp, reply.NTresp, MSresplen) == 0;
+	dupe = memcmp(reply.LMresp, reply.NTresp, MSresplen) == 0;
 
-	if(!ntok){
-		replyerror("mschap-fail bad response %s %ux", raddr, (lmok<<1)|ntok);
+	/*
+	 * It is valid to send the same response in both the LM and NTLM
+	 * fields provided one of them is correct, if neither matches,
+	 * or the two fields are different and either fails to match,
+	 * the whole sha-bang fails.
+	 *
+	 * This is an improvment in security as it allows clients who
+	 * wish to do ntlm auth (which is insecure) not to send
+	 * lm tokens (which is very insecure).
+	 *
+	 * Windows servers supports clients doing this also though
+	 * windows clients don't seem to use the feature.
+	 */
+	if((!ntok && !lmok) || ((!ntok || !lmok) && !dupe)){
+		replyerror("mschap-fail bad response %s/%s(%s) %d,%d,%d",
+			tr->uid, tr->hostid, raddr, dupe, lmok, ntok);
 		logfail(tr->uid);
 		exits(0);
 	}
@@ -695,7 +707,8 @@
 		exits(0);
 
 	if(debug)
-		syslog(0, AUTHLOG, "mschap-ok %s %s %ux", tr->uid, raddr, (lmok<<1)|ntok);
+		replyerror("mschap-ok %s/%s(%s) %ux",
+			tr->uid, tr->hostid, raddr);
 
 	nthash(hash, secret);
 	md4(hash, 16, hash2, 0);
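Review bot: The new acceptance condition `if((!ntok && !lmok) || ((!ntok || !lmok) && !dupe))` is symmetric, so it also passes a client that puts the LM response in both fields (lmok, !ntok, dupe), whereas the removed `if(!ntok)` always demanded a correct NT response; the commit's stated goal is only to let NTLM-capable clients omit the LM token, and the comment itself calls LM tokens "very insecure". If LM-only logins are not meant to be newly permitted, keep the NT requirement and relax only the LM side: `if(!ntok || (!lmok && !dupe)){`. Either way the comment block should state explicitly which of the two single-response cases is accepted, since a reader of the condition cannot tell that from the prose. The enclosing function continues past the end of this hunk.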
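Review bot: In the third hunk (the debug path at the old line 695), the format string `"mschap-ok %s/%s(%s) %ux"` has four conversions but only three arguments are passed, so the `%ux` reads a non-existent vararg; the `(lmok<<1)|ntok` argument was dropped while its specifier was kept. Either restore it, `replyerror("mschap-ok %s/%s(%s) %ux", tr->uid, tr->hostid, raddr, (lmok<<1)|ntok);`, or drop the `%ux`. Separately, this line changed from syslog() to replyerror(); if replyerror, as its name and the neighbouring fail paths suggest, also writes an AuthErr reply to the client, then enabling debug would turn every successful mschap login into a failure at the client, so the syslog() call looks like the right one to keep here — worth confirming against replyerror's definition, which is outside this diff.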