Bug 42967 - Consider removing NTLM completely
Status: NEW
Product: UCS
Classification: Unclassified
Component: General
UCS 5.0
Other Linux
P5 normal
Assigned To: UCS maintainers
https://twitter.com/SteveSyfuhs/statu...
Depends on:
Blocks:
Reported: 2016-11-16 11:29 CET by Michael Grandjean
Modified: 2023-03-14 16:02 CET
7 users

See Also:
What kind of report is it?: Security Issue
What type of bug is this?: ---
Who will be affected by this bug?: ---
How will those affected feel about the bug?: ---
User Pain:
Enterprise Customer affected?:
School Customer affected?:
ISV affected?:
Waiting Support:
Flags outvoted (downgraded) after PO Review:
Ticket number: 2021020821000653
Bug group (optional): Security
Max CVSS v3 score:


Description Michael Grandjean univentionstaff 2016-11-16 11:29:37 CET
We should consider removing the NTLM authentication functionality.

In terms of security, the NTLM protocol (v1 and v2) and the NTLM password hashes can be considered weak. 
Even Microsoft says:
"NTLM and NTLMv2 authentication is vulnerable to a variety of malicious attacks, including SMB replay, man-in-the-middle attacks, and brute force attacks."
(https://technet.microsoft.com/en-us/library/jj852241(v=ws.10).aspx)

We should:
* Deactivate the NTLMv1 and NTLMv2 protocols in Samba
* Stop saving the NTLM password hashes in OpenLDAP
* Stop saving the NTLM password hashes in sam.ldb (unicodePwd) if possible

I think we should fade it out gently, e.g. 
1) make it possible to deactivate NTLM
2) "no NTLM" becomes the default, but it's possible to re-activate it if needed
Comment 1 Arvid Requate univentionstaff 2017-05-29 16:33:06 CEST
We should differentiate between the NTLM protocol and the NTLM/RC4 password hash.
We should attempt to avoid using the NTLM protocol.

At least in Samba the version number of unicodePwd provides the current value of the msDS-KeyVersionNumber and unicodePwd stores the arcfour-hmac-md5 Kerberos Key Hash. So getting rid of that altogether is probably a different story. Also, when thinking about security, remember Pass-the-hash.
Comment 2 Arvid Requate univentionstaff 2019-06-03 12:57:55 CEST
FYI: 05/30/2019 https://docs.microsoft.com/en-us/windows-server/security/kerberos/configuring-kerberos-over-ip  :

"By default Windows will not attempt Kerberos authentication for a host if the hostname is an IP address. It will fall back to other enabled authentication protocols like NTLM. However, applications are sometimes hardcoded to use IP addresses which means the application will fall back to NTLM and not use Kerberos. This can cause compatibility issues as environments move to disable NTLM."

Starting with Windows 10 version 1507 and Windows Server 2016.
Comment 3 Arvid Requate univentionstaff 2021-02-09 15:00:45 CET
I guess as a first step we should use this bug to address this point:

* Make saving the NTLM password hashes in OpenLDAP optional.
Comment 4 Jürn Brodersen univentionstaff 2021-02-09 16:40:45 CET
(In reply to Michael Grandjean from comment #0)
> * Stop saving the NTLM password hashes in OpenLDAP

Please note: The NTLM hashes are needed for radius with MS-CHAP (eap-peap) as well (WLAN auth with username & password)

If anyone ever finds a nice alternative to this, please tell me :)

Alternatives I know of:
eap-tls: Users need to download and setup a certificate (extremely secure though)

eap-ttls: Users should install a certificate, if they don't an attacker can get the plain text password

captive portal: The user needs to check that the portal URL is correct, if they don't an attacker can get the plain text password (with a rogue AP and fake portal)

eap-peap (for comparison): Users should install a certificate, if they don't an attacker can get the NTLM challenge. The challenge is broken though and can be cracked to get the NTLM hash. But afaik this takes significantly more CPU cycles than just cracking the NTLM hash and a good passphrase can still be considered secure.
Comment 5 Arvid Requate univentionstaff 2023-03-13 14:17:49 CET
https://bugzilla.samba.org/show_bug.cgi?id=11923#c2 may be useful
regarding the point

> * Deactivate the NTLMv1 and NTLMv2 protocols in Samba
Comment 6 Felix Botner univentionstaff 2023-03-13 16:19:42 CET
(In reply to Michael Grandjean from comment #0)
> * Stop saving the NTLM password hashes in OpenLDAP

Please note: squid (web proxy) squid/ntlmauth authentication will not work without NTLM hashes (no more automagic logon via NTLM2/NTLMv2 to squid from windows clients)
Comment 7 Arvid Requate univentionstaff 2023-03-14 14:58:40 CET
Two responses to points above:

1. Squid:

> Please note: squid (web proxy) squid/ntlmauth authentication will not work without NTLM hashes (no more automagic logon via NTLM2/NTLMv2 to squid from windows clients)

Ok, but customers have the option to use kerberos for that, don't they?


2. Radius:

> Please note: The NTLM hashes are needed for radius with MS-CHAP (eap-peap) as well (WLAN auth with username & password)

AFAIU our current samba configuration prohibits using MS-CHAP by default:

root@primary20:~# ucr search samba/ntlm/auth
samba/ntlm/auth: <empty>
 This variable can be used to adjust the Samba option "ntlm auth" (see man smb.conf). UCS default is "ntlmv2-only".

The man page for smb.conf says that there is an explicit option for that:

> mschapv2-and-ntlmv2-only - Only allow NTLMv1 when the client promises that it is providing MSCHAPv2 authentication (such as the ntlm_auth tool).

So MS-CHAP even requires NTLMv1 (as a protocol). And yes, this requires storing NT *hashes* in the first place.
Comment 8 Arvid Requate univentionstaff 2023-03-14 15:00:58 CET
Since version 4.17.0 Samba has an option to not calculate/store NT hashes:

* nt hash store = never

see:

https://wiki.samba.org/index.php/Samba_4.17_Features_added/changed#Operation_without_the_.28unsalted.29_NT_password_hash

But as explained there, this has consequences for the password history.
Comment 9 Felix Botner univentionstaff 2023-03-14 16:02:08 CET
(In reply to Arvid Requate from comment #7)
> Two responses to points above:
> 
> 1. Squid:
> 
> > Please note: squid (web proxy) squid/ntlmauth authentication will not work without NTLM hashes (no more automagic logon via NTLM2/NTLMv2 to squid from windows clients)
> 
> Ok, but customers have the option to use kerberos for that, don't they?

Yes, or ldapauth (but kerberos needs samba4/s4conn, so probably not available in ad-member mode, but I think we can ignore that)