londonhackspace / hackspace-foundation-sites

London Hackspace web site
https://london.hackspace.org.uk

Make ntlmv2 hash optional #122

Open marksteward opened 8 years ago

marksteward commented 8 years ago

This hash is likely to be of the same password as the bcrypted one, and so reduces the security of it. See also #105.

JasperWallace commented 8 years ago

Yes, I'm painfully aware of this :cry: but the alternative is to allow plain text passwords over spacenet and then do PAP auth, and since not everyone will verify the certificate from our radius server it would be easy for someone to set up a fake spacenet ssid and just grab passwords...

(of course with cloudcrack 'grab passwords' and 'grab ms-chapv2 exchanges' are pretty much the same thing :disappointed: ).

In an ideal world there would be an EAP-*-SASL mechanism and then we could use SCRAM-SHA1-PLUS, which has channel verification and so kills two birds with one stone. But unfortunately vendors C and M continue to squabble so we don't :/ :disappointed:

The other option is to use client side certs...

P.S. the hash stored in ldap for the main auth is SSHA; there is a way to use the hashes used by the OS's crypt() function (the $X$wibble stuff), which could get us bcrypt, but we'd need to check that it works with all our apps.

In any case I'll be playing with ldap stuff soonish to get it all in ansible (and move the ldap server to adminstuff or somewhere), so I'll have a look at that then.

marksteward commented 8 years ago

What would happen if we set sambaNTPassword to !, like we do sambaLMPassword?

JasperWallace commented 8 years ago

Then ms-chap-v2 auth would fail on spacenet cos freeradius won't have either a plain text password or an NTLMv2 hash to compare against.

Hmm, looks like windows won't support PAP?

https://spacefed.net/wiki/index.php/Howto/Spacenet/Client_Windows_7

marksteward commented 8 years ago

I think I've misunderstood something here. Are you saying we should force people to provide an NTLMv2 password because they should be using spacenet? Or that a radius server somewhere will crash because a user without an NTLMv2 password exists?

JasperWallace commented 8 years ago

People don't have to use spacenet if they don't want to.

The radius server won't crash, it just won't be able to authenticate the user.

If you want to add code so that a blank ntlmv2 password ends up in LDAP as '!' that would be fine, but it would need a warning on the LDAP page that then they won't be able to use spacenet.

Also if you want to add a check on the ldap page (in the javascript) that ssha_password != ntlmv2 password and refuse to add the passwords if not that would be good too.
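As an added example (not code from this repository or from either commenter), here is the attribute-building logic the two suggestions above describe, done server-side in Python: a blank spacenet password maps to `!` (which disables MS-CHAPv2 for that user, as noted above), and a spacenet password equal to the main one is refused, because the unsalted NT hash would otherwise expose the same password that SSHA protects. The function and attribute-dict names are assumptions, MD4 is implemented inline so it runs without OpenSSL's legacy provider, and the sample passwords are constructed.

```python
import base64, hashlib, os, struct

def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320): the unsalted digest behind the NT hash."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # (mix function, round constant, shift schedule, message-word order) per round
    rounds = [(F, 0x00000000, (3, 7, 11, 19), lambda i: i),
              (G, 0x5A827999, (3, 5, 9, 13), lambda i: (i % 4) * 4 + i // 4),
              (H, 0x6ED9EBA1, (3, 9, 11, 15), lambda i: int(f"{i:04b}"[::-1], 2))]
    # pad to 56 mod 64 bytes, then append the bit length as little-endian 64-bit
    msg = data + b"\x80" + b"\x00" * ((55 - len(data)) % 64) + struct.pack("<Q", 8 * len(data))
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for fn, k, shifts, idx in rounds:
            for i in range(16):
                t = (-i) % 4  # target word rotates a, d, c, b
                x = (v[t] + fn(v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]) + X[idx(i)] + k) & 0xFFFFFFFF
                s = shifts[i % 4]
                v[t] = ((x << s) | (x >> (32 - s))) & 0xFFFFFFFF
        state = [(a + b) & 0xFFFFFFFF for a, b in zip(state, v)]
    return struct.pack("<4I", *state)

def nt_hash(password: str) -> str:
    """sambaNTPassword value: MD4 over the UTF-16LE password, no salt, uppercase hex."""
    return _md4(password.encode("utf-16-le")).hex().upper()

def ssha(password: str, salt: bytes) -> str:
    """userPassword value in OpenLDAP's {SSHA} form: base64(sha1(pw + salt) + salt)."""
    return "{SSHA}" + base64.b64encode(hashlib.sha1(password.encode() + salt).digest() + salt).decode()

def ldap_password_attributes(main_password: str, spacenet_password: str, salt=None) -> dict:
    """Assumed helper: build the LDAP attribute values for one user.
    A blank spacenet password stores '!' (no MS-CHAPv2 on spacenet for this user);
    a spacenet password equal to the main one is rejected, since the NT hash is
    far cheaper to crack than the salted SSHA and would give away the main password."""
    if spacenet_password and spacenet_password == main_password:
        raise ValueError("spacenet password must differ from the main password")
    salt = os.urandom(8) if salt is None else salt
    return {
        "userPassword": ssha(main_password, salt),
        "sambaNTPassword": nt_hash(spacenet_password) if spacenet_password else "!",
        "sambaLMPassword": "!",  # LM hash is never stored, as the thread already does
    }
```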