From 26279a969879bfbd943dfda03c511ed7e14057ba Mon Sep 17 00:00:00 2001 From: Andrew Bartlett Date: Mon, 3 Jun 2013 10:02:39 +1000 Subject: [PATCH] auth: Remove "password level" We now only lowercase the password; we do not attempt to find another case combination that the password might be in. This option is already deprecated, so it is now time to remove it. Andrew Bartlett Reviewed-by: Simo Sorce --- docs-xml/smbdotconf/security/passwordlevel.xml | 48 ---------------- lib/param/loadparm.c | 1 - lib/param/param_functions.c | 1 - lib/param/param_table.c | 9 --- source3/auth/pass_check.c | 79 -------------------------- source3/param/loadparm.c | 1 - 6 files changed, 139 deletions(-) delete mode 100644 docs-xml/smbdotconf/security/passwordlevel.xml diff --git a/docs-xml/smbdotconf/security/passwordlevel.xml b/docs-xml/smbdotconf/security/passwordlevel.xml deleted file mode 100644 index eee838f65c2..00000000000 --- a/docs-xml/smbdotconf/security/passwordlevel.xml +++ /dev/null 
@@ -1,48 +0,0 @@ - - - Some client/server combinations have difficulty - with mixed-case passwords. One offending client is Windows for - Workgroups, which for some reason forces passwords to upper - case when using the LANMAN1 protocol, but leaves them alone when - using COREPLUS! Another problem child is the Windows 95/98 - family of operating systems. These clients upper case clear - text passwords even when NT LM 0.12 selected by the protocol - negotiation request/response. - - This deprecated parameter defines the maximum number of characters - that may be upper case in passwords. - - For example, say the password given was "FRED". If - password level is set to 1, the following combinations - would be tried if "FRED" failed: - - "Fred", "fred", "fRed", "frEd","freD" - - If password level was set to 2, - the following combinations would also be tried: - - "FRed", "FrEd", "FreD", "fREd", "fReD", "frED", .. - - And so on. - - The higher value this parameter is set to the more likely - it is that a mixed case password will be matched against a single - case password. However, you should be aware that use of this - parameter reduces security and increases the time taken to - process a new connection. - - A value of zero will cause only two attempts to be - made - the password as is and the password in all-lower case. - - This parameter is used only when using plain-text passwords. It is - not at all used when encrypted passwords as in use (that is the default - since samba-3.0.0). Use this only when No. - - -0 -4 - diff --git a/lib/param/loadparm.c b/lib/param/loadparm.c index 25997d33ee8..310f95a3c58 100644 --- a/lib/param/loadparm.c +++ b/lib/param/loadparm.c 
@@ -2144,7 +2144,6 @@ struct loadparm_context *loadparm_init(TALLOC_CTX *mem_ctx)
 lpcfg_do_global_parameter(lp_ctx, "max xmit", "12288");
 lpcfg_do_global_parameter(lp_ctx, "host msdfs", "true");
- lpcfg_do_global_parameter(lp_ctx, "password level", "0");
 lpcfg_do_global_parameter(lp_ctx, "LargeReadwrite", "True");
 lpcfg_do_global_parameter(lp_ctx, "server min protocol", "CORE");
 lpcfg_do_global_parameter(lp_ctx, "server max protocol", "NT1");
diff --git a/lib/param/param_functions.c b/lib/param/param_functions.c
index 6fc7801b457..fed2e95bf76 100644
--- a/lib/param/param_functions.c
+++ b/lib/param/param_functions.c
@@ -320,7 +320,6 @@ FN_GLOBAL_INTEGER(open_files_db_hash_size, open_files_db_hash_size)
 FN_GLOBAL_INTEGER(oplock_break_wait_time, oplock_break_wait_time)
 FN_GLOBAL_INTEGER(os_level, os_level)
 FN_GLOBAL_INTEGER(passwd_chat_timeout, iPasswdChatTimeout)
-FN_GLOBAL_INTEGER(passwordlevel, pwordlevel)
 FN_GLOBAL_INTEGER(printcap_cache_time, PrintcapCacheTime)
 FN_GLOBAL_INTEGER(restrict_anonymous, restrict_anonymous)
 FN_GLOBAL_INTEGER(_security, security)
diff --git a/lib/param/param_table.c b/lib/param/param_table.c
index 7ff9d0cbcca..1b1497cc645 100644
--- a/lib/param/param_table.c
+++ b/lib/param/param_table.c
@@ -661,15 +661,6 @@ static struct parm_struct parm_table[] = {
 .flags = FLAG_ADVANCED,
 },
 {
- .label = "password level",
- .type = P_INTEGER,
- .p_class = P_GLOBAL,
- .offset = GLOBAL_VAR(pwordlevel),
- .special = NULL,
- .enum_list = NULL,
- .flags = FLAG_ADVANCED | FLAG_DEPRECATED,
- },
- {
 .label = "username level",
 .type = P_INTEGER,
 .p_class = P_GLOBAL,
diff --git a/source3/auth/pass_check.c b/source3/auth/pass_check.c
index f2d1fc241bc..21694b3d555 100644
--- a/source3/auth/pass_check.c
+++ b/source3/auth/pass_check.c
@@ -494,68 +494,6 @@ static char *osf1_bigcrypt(char *password, char *salt1) /**************************************************************************** -apply a function to upper/lower case combinations -of a string and return true if one of them returns true. -try all combinations with N uppercase letters. -offset is the first char to try and change (start with 0) -it assumes the string starts lowercased -****************************************************************************/ -static NTSTATUS string_combinations2(char *s, int offset, - NTSTATUS (*fn)(const char *s, - const void *private_data), - int N, const void *private_data) -{ - int len = strlen(s); - int i; - NTSTATUS nt_status; - -#ifdef PASSWORD_LENGTH - len = MIN(len, PASSWORD_LENGTH); -#endif - - if (N <= 0 || offset >= len) - return (fn(s, private_data)); - - for (i = offset; i < (len - (N - 1)); i++) { - char c = s[i]; - if (!islower_m(c)) - continue; - s[i] = toupper_m(c); - nt_status = string_combinations2(s, i + 1, fn, N - 1, - private_data); - if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) { - return nt_status; - } - s[i] = c; - } - return (NT_STATUS_WRONG_PASSWORD); -} - -/**************************************************************************** -apply a function to upper/lower case combinations -of a string and return true if one of them returns true. -try all combinations with up to N uppercase letters. 
-offset is the first char to try and change (start with 0) -it assumes the string starts lowercased -****************************************************************************/ -static NTSTATUS string_combinations(char *s, - NTSTATUS (*fn)(const char *s, - const void *private_data), - int N, const void *private_data) -{ - int n; - NTSTATUS nt_status; - for (n = 1; n <= N; n++) { - nt_status = string_combinations2(s, 0, fn, n, private_data); - if (!NT_STATUS_EQUAL(nt_status, NT_STATUS_WRONG_PASSWORD)) { - return nt_status; - } - } - return NT_STATUS_WRONG_PASSWORD; -} - - -/**************************************************************************** core of password checking routine ****************************************************************************/ static NTSTATUS password_check(const char *password, const void *private_data) @@ -673,7 +611,6 @@ NTSTATUS pass_check(const struct passwd *pass, bool run_cracker) { char *pass2 = NULL; - int level = lp_passwordlevel(); NTSTATUS nt_status; @@ -876,21 +813,5 @@ NTSTATUS pass_check(const struct passwd *pass, } } - /* give up? */ - if (level < 1) { - return NT_STATUS_WRONG_PASSWORD; - } - - /* last chance - all combinations of up to level chars upper! */ - if (!strlower_m(pass2)) { - return NT_STATUS_INVALID_PARAMETER; - } - - nt_status = string_combinations(pass2, password_check, level, - (const void *)rhost); - if (NT_STATUS_IS_OK(nt_status)) { - return nt_status; - } - return NT_STATUS_WRONG_PASSWORD; } diff --git a/source3/param/loadparm.c b/source3/param/loadparm.c index b9d316b98ee..fa2f9b66e40 100644 --- a/source3/param/loadparm.c +++ b/source3/param/loadparm.c 
@@ -819,7 +819,6 @@ static void init_globals(bool reinit_globals)
 Globals.lpqcachetime = 30; /* changed to handle large print servers better -- jerry */
 Globals.bDisableSpoolss = false;
 Globals.iMaxSmbdProcesses = 0;/* no limit specified */
- Globals.pwordlevel = 0;
 Globals.unamelevel = 0;
 Globals.deadtime = 0;
 Globals.getwd_cache = true;
-- 2.11.4.GIT