diff options
author | Stefan Metzmacher <metze@samba.org> | 2022-11-24 18:22:23 +0100 |
---|---|---|
committer | Stefan Metzmacher <metze@samba.org> | 2022-12-13 13:07:29 +0000 |
commit | 1c6c1129905d0c7a60018e7bf0f17a0fd198a584 (patch) | |
tree | 2bf2b1dff2f4de50c984b1080639998b93728c7e /libcli/auth | |
parent | d60828f6391307a59abaa02b72b6a8acf66b2fef (diff) | |
download | samba-1c6c1129905d0c7a60018e7bf0f17a0fd198a584.tar.gz |
CVE-2022-38023 docs-xml/smbdotconf: change 'reject md5 servers' default to yes
AES is supported by Windows >= 2008R2 and Samba >= 4.0 so there's no
reason to allow md5 servers by default.
Note the change in netlogon_creds_cli_context_global() is only cosmetic,
but avoids confusion while reading the code. Check with:
git show -U35 libcli/auth/netlogon_creds_cli.c
BUG: https://bugzilla.samba.org/show_bug.cgi?id=15240
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andrew Bartlett <abartlet@samba.org>
Reviewed-by: Ralph Boehme <slow@samba.org>
Diffstat (limited to 'libcli/auth')
-rw-r--r-- | libcli/auth/netlogon_creds_cli.c | 4 |
1 files changed, 2 insertions, 2 deletions
diff --git a/libcli/auth/netlogon_creds_cli.c b/libcli/auth/netlogon_creds_cli.c index 2e7c06332f0..0f4f7ad761e 100644 --- a/libcli/auth/netlogon_creds_cli.c +++ b/libcli/auth/netlogon_creds_cli.c @@ -341,8 +341,8 @@ NTSTATUS netlogon_creds_cli_context_global(struct loadparm_context *lp_ctx, const char *client_computer; uint32_t proposed_flags; uint32_t required_flags = 0; - bool reject_md5_servers = false; - bool require_strong_key = false; + bool reject_md5_servers = true; + bool require_strong_key = true; int require_sign_or_seal = true; bool seal_secure_channel = true; enum dcerpc_AuthLevel auth_level = DCERPC_AUTH_LEVEL_NONE; |