The LANMAN hash support has been disabled by default for ages, we should just remove the code which drags in the requirement to compile in Weak DES support.
I also think the implementation is wrong, but we do not have unit tests and we never really tested the LM hash as samba always defaults to using the NT hash by default anyway.
Moving to next month milestone.
Moving to next month iteration.
password plugin is generating LM hashes only if IPA configuration is asking for that. By default LM hashes generation is disabled already.
We need to remove the code that handles AllowLMHash value in ipaConfigString in ipapwd_getConfig(), remove handling of krbcfg->allow_lm_hash in ipapwd_gen_hashes(), remove LM hash handling from ipapwd_pre_add(), ipapwd_pre_mod(), and ipapwd_SetPassword().
Additionally, we need to check ipasam use of LM hashes for auth material for the trust account.
Re-assigning to Sumit.
44d1886 Remove deprecated AllowLMhash config[[BR]]
d876a22 Remove generation and handling of LM hashes[[BR]]
b5e60c2 Remove AllowLMhash from the allowed IPA config strings[[BR]]
6aed1c6 Remove deprecated AllowLMhash config[[BR]]
88f5230 Remove generation and handling of LM hashes[[BR]]
34c707e Remove AllowLMhash from the allowed IPA config strings[[BR]]
Note that ticket #4009 was filed to also provide a script to remove existing LM hashes for users.
Metadata Update from @simo:
- Issue assigned to sbose
- Issue set to the milestone: FreeIPA 3.3.x - 2013/10 (bug fixing)
to comment on this ticket.