Package: libsasl2-modules Version: 2.1.27+dfsg-1+deb10u1 Severity: wishlist Tags: patch
The NTLM plugin defaults to the less-secure v1 of the protocol, does not support a way for clients to override this default (this is tracked upstream as https://github.com/cyrusimap/cyrus-sasl/issues/574), and will not even attempt v2 if v1 fails (e.g., due to it being disabled server-side). As a workaround until a better fix is available, I've applied the attached patch (which is a variation on the proof of concept at https://access.redhat.com/solutions/4253821). Since in this day and age it makes more sense to prefer NTLMv2 (if NTLM is to be used at all), I'm submitting it for the maintainers' consideration.
Default to ntlm_v2=yes. See https://github.com/cyrusimap/cyrus-sasl/issues/574 and https://bugzilla.redhat.com/show_bug.cgi?id=1722159 We definitely should prefer NTLMv2 over v1. --- a/plugins/ntlm.c +++ b/plugins/ntlm.c @@ -1993,7 +1993,7 @@ unsigned char hash[NTLM_HASH_LENGTH]; unsigned char resp[NTLM_RESP_LENGTH], *lm_resp = NULL, *nt_resp = NULL; int result; - const char *sendv2; + const char *sendv2 = NULL; if (!serverin || serverinlen < NTLM_TYPE2_MINSIZE || memcmp(serverin, NTLM_SIGNATURE, sizeof(NTLM_SIGNATURE)) || @@ -2065,7 +2065,7 @@ /* should we send a NTLMv2 response? */ params->utils->getopt(params->utils->getopt_context, "NTLM", "ntlm_v2", &sendv2, NULL); - if (sendv2 && + if (!sendv2 || (sendv2[0] == '1' || sendv2[0] == 'y' || (sendv2[0] == 'o' && sendv2[1] == 'n') || sendv2[0] == 't')) {

