Re: [Fed-Talk] Does Leopard support NTLMv2? or Rather will the next release of OS/X support NTLMV2?
- Subject: Re: [Fed-Talk] Does Leopard support NTLMv2? or Rather will the next release of OS/X support NTLMV2?
- From: Paul Nelson <email@hidden>
- Date: Wed, 25 Mar 2009 13:49:29 -0500
- Thread-topic: [Fed-Talk] Does Leopard support NTLMv2? or Rather will the next release of OS/X support NTLMV2?
Here is my real concern:
The user tries to connect to a rogue server that does not support NTLMv2,
but only handles the old LanMan hash. Does the Mac refuse to connect
because it would have to send weaker hashes? I think the answer is no. The
Apple SMB stuff will try hard to connect to just about anything.
One thing I'm not sure about is how the Apple stuff deals with other issues
like the rogue server sending a hash of all zeros when negotiating a
connection. This makes cracking the old LanMan hash even easier.
This is something we took into account in the ADmitMac product.
Paul Nelson
Thursby Software Systems, Inc.
> From: "Miller, Timothy J." <email@hidden>
> Date: Wed, 25 Mar 2009 12:27:01 -0400
> To: Paul Nelson <email@hidden>, "'Jacob, Raymond A Jr'"
> <email@hidden>, Apple Fed Talk <email@hidden>
> Subject: RE: [Fed-Talk] Does Leopard support NTLMv2? or Rather will the next
> release of OS/X support NTLMV2?
>
> Not sure myself, but it's obvious when it happens. The Kerberos password
> dialog is visually distinct. Plus Kerberized apps should never prompt once
> you have your ticket, so if you see it happen you know Kerberos authN
> failed.
>
> This is more a problem with Finder than anything else right now. While
> Finder is Kerberized, it only requests tickets for shares that show up in
> Bonjour. AFAICT it's a bug related to the Back to My Mac feature.
> Workaround is to use the mount command directly; it's Kerberized too.
>
> -- Tim
>
>> -----Original Message-----
>> From: Paul Nelson [mailto:email@hidden]
>> Sent: Wednesday, March 25, 2009 9:24 AM
>> To: Miller, Timothy J.; 'Jacob, Raymond A Jr'; Apple Fed Talk
>> Subject: Re: [Fed-Talk] Does Leopard support NTLMv2? or Rather will the
>> next release of OS/X support NTLMV2?
>>
>> One point you need to be aware of, and ask Apple about:
>>
>> Can you configure your Mac to ONLY use NTLMv2/Kerberos? Furthermore, can
>> you prevent a user from changing that configuration?
>>
>> The same goes for the old LanMan hash or even clear text passwords.
>>
>>
>> Paul Nelson
>> Thursby Software Systems, Inc.
>>
>>
>>> From: "Miller, Timothy J." <email@hidden>
>>> Date: Wed, 25 Mar 2009 09:15:46 -0400
>>> To: "'Jacob, Raymond A Jr'" <email@hidden>, Apple Fed Talk
>>> <email@hidden>
>>> Subject: RE: [Fed-Talk] Does Leopard support NTLMv2? or Rather will the next
>>> release of OS/X support NTLMV2?
>>>
>>> Believe me, you don't want support for *any* NTLM protocols. The NT hash is
>>> the equivalent of the password; in other words, if I have your NT hash I
>>> don't need to know what the password is.
>>>
>>> http://oss.coresecurity.com/projects/pshtoolkit.htm
>>>
>>> -- Tim
>>>
>>>
>>>> -----Original Message-----
>>>> From: fed-talk-bounces+tmiller=email@hidden [mailto:fed-
>>>> talk-bounces+tmiller=email@hidden] On Behalf Of Jacob,
>>>> Raymond A Jr
>>>> Sent: Tuesday, March 24, 2009 3:15 PM
>>>> To: email@hidden
>>>> Subject: [Fed-Talk] Does Leopard support NTLMv2? or Rather will the next
>>>> release of OS/X support NTLMV2?
>>>>
>>>> I found a discussion about this topic on the list.
>>>> However, the thread occurred a few years ago.
>>>> Googling for this topic, I found that there was a mention
>>>> that Thursby might support NTLMv2.
>>>> Question:
>>>> Does Leopard support NTLMv2?
>>>> Or, Rather will the next release of OS/X support NTLMV2?
>>>>
>>>> r/Raymond
>>>> _______________________________________________
>>>> Do not post admin requests to the list. They will be ignored.
>>>> Fed-talk mailing list (email@hidden)
>>>> Help/Unsubscribe/Update your Subscription:
>>>>
>>>> This email sent to email@hidden
>>
>
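Added example, not part of the original thread: one way to verify from a packet capture whether a client actually fell back to LM or NTLMv1 responses is to classify the response fields of the NTLMSSP AUTHENTICATE (type 3) message by their length and blob header. It assumes the session used NTLMSSP; the function names and the sample messages below are constructed for illustration and contain dummy bytes, not real credentials.

```python
import struct

SIG = b"NTLMSSP\x00"

def _field(msg, off):
    """Read a security buffer descriptor (Len, MaxLen, Offset) and return its payload."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, off)
    if offset + length > len(msg):
        raise ValueError("security buffer points outside the message")
    return msg[offset:offset + length]

def classify_authenticate(msg):
    """Classify the LM/NT responses carried in an NTLMSSP AUTHENTICATE message."""
    if len(msg) < 64 or msg[:8] != SIG or struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    lm, nt = _field(msg, 12), _field(msg, 20)
    if len(nt) > 24 and nt[16:18] == b"\x01\x01":
        return "ntlmv2"          # 16-byte HMAC-MD5 proof followed by a versioned blob
    if len(nt) == 24:
        # Extended session security: LM field is an 8-byte client nonce plus 16 zero bytes.
        if len(lm) == 24 and lm[8:] == bytes(16) and lm[:8] != bytes(8):
            return "ntlmv1-ess"
        return "lm+ntlmv1" if len(lm) == 24 else "ntlmv1"
    if len(nt) == 0 and len(lm) == 24:
        return "lm-only"
    return "unknown"

def violates_ntlmv2_only(msg):
    """True when the client sent anything other than an NTLMv2 response."""
    return classify_authenticate(msg) != "ntlmv2"

def build_type3(lm, nt):
    """Constructed helper: minimal type 3 message with empty name fields and zero flags."""
    base = 64
    hdr = SIG + struct.pack("<I", 3)
    hdr += struct.pack("<HHI", len(lm), len(lm), base)
    hdr += struct.pack("<HHI", len(nt), len(nt), base + len(lm))
    empty = struct.pack("<HHI", 0, 0, base + len(lm) + len(nt))
    hdr += empty * 4 + struct.pack("<I", 0)  # domain, user, workstation, session key, flags
    return hdr + lm + nt

if __name__ == "__main__":
    # Constructed dummy responses, one per response style.
    samples = {
        "v2 client": build_type3(bytes(24), bytes(range(16)) + b"\x01\x01" + bytes(26)),
        "downgraded client": build_type3(b"\xaa" * 24, b"\xbb" * 24),
        "LM only": build_type3(b"\xaa" * 24, b""),
    }
    for name, m in samples.items():
        print(name, classify_authenticate(m), "VIOLATION" if violates_ntlmv2_only(m) else "ok")
```
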