
Fix handling of empty passwords #73

Merged: jborean93 merged 1 commit into jborean93:main from psfrolov:patch-1 on Jun 11, 2024

Conversation

psfrolov (Contributor) commented Dec 1, 2023

This is a fix for NTLM authentication for a user account with no password. We encountered this regression in pywinrm after requests-ntlm was updated to 1.2.0.

jborean93 (Owner) commented

Thanks for the PR, I'm assuming this is for NTLM support with an account with no password? Do you actually have an account with an empty password string or is it to support something like a Guest account?

codecov bot commented Dec 1, 2023

Codecov Report

All modified and coverable lines are covered by tests ✅

Comparison is base (cba319d) 99.96% compared to head (6d29547) 99.96%.

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #73   +/-   ##
=======================================
  Coverage   99.96%   99.96%           
=======================================
  Files          30       30           
  Lines        5357     5357           
=======================================
  Hits         5355     5355           
  Misses          2        2           
| Flag | Coverage Δ |
|---|---|
| (all) | 99.96% <100.00%> (ø) |
| py3.10 | 99.92% <100.00%> (ø) |
| py3.11 | 99.92% <100.00%> (ø) |
| py3.12 | 99.92% <100.00%> (ø) |
| py3.8 | 99.92% <100.00%> (ø) |
| py3.9 | 99.96% <100.00%> (ø) |
| x64 | 99.96% <100.00%> (ø) |
| x86 | 95.83% <100.00%> (ø) |

Flags with carried forward coverage won't be shown.

gshively commented Jun 3, 2024

> Thanks for the PR, I'm assuming this is for NTLM support with an account with no password? Do you actually have an account with an empty password string or is it to support something like a Guest account?

I have the same issue, but it is not with a user that has an empty password getting authenticated. Instead, it is with the error handling when an empty password is provided while the password is actually something else. Instead of the expected Unauthorized status, an OperationNotAvailableError exception is thrown for the NTLM_USER_FILE environment variable not being set.

jborean93 (Owner) commented

I think for your problem it's better to just update the existing error to be clearer around what the problem is. The current error about the NTLM_USER_FILE can certainly be confusing for people but I don't think actually doing the authentication process is a good idea when an empty string is provided. The only case where that might be ideal is when authenticating with an account that has an empty string as a password but honestly that's not a good idea to have in any case.

gshively commented Jun 3, 2024

Totally agree with the bad form of having an empty password. But is an empty password even allowed, or may it possibly start another type of authentication? I remember from the distant past that the empty password might have triggered another mode of security. I was worried that if I catch the exception to handle it differently, I either break the case where someone may have an empty password, or there might be a case where the NTLM_USER_FILE is used and for some reason I hide the true exception.

jborean93 (Owner) commented

> But is it an empty password even allowed or may it possible start another type of authentication?

It's super confusing and I might even have this wrong but Windows does support a blank/empty password for a user. There's a policy which is enabled by default which limits logons with a blank/empty password to direct console logons only https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-limit-local-account-use-of-blank-passwords-to-console-logon-only. If this policy is disabled then people could theoretically authenticate with an empty string.

There's also a "Guest" logon which uses SMB but IIRC it uses any username with either an invalid or blank password. The guest logon also requires a policy to be configured to allow from a network logon https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-10/security/threat-protection/security-policy-settings/accounts-guest-account-status. Potentially the Guest account requires you using the Guest username as well but honestly I'm not aware of the full details there.

There's finally an anonymous logon support but IIRC that requires specific flags to be set in NTLM. Like blank password or guest accounts you explicitly need to enable the policy on the Windows host. I also don't know if it's app specific, i.e. SMB enables Anonymous logon or a Windows wide policy.

I think this PR does make sense though: it helps to distinguish between no password provided and an empty password, and people attempting to use NTLM_USER_FILE would be very rare. The only part I'm not sure on is for Windows users, where the default cache is going to be available by default. It would technically be a change in behaviour if an empty string is now treated as an explicit password vs right now where it uses the credential cache.
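To make the distinction discussed in the two maintainer comments above concrete, here is an added illustration (not pyspnego's or requests-ntlm's own code) of credential resolution before and after the change: the legacy rule treats any falsy password, `""` included, as "use the cache", while the fixed rule reserves that only for `None`. The `OperationNotAvailableError`, `Password` and `CredentialCache` classes, the `platform_cache` flag standing in for the Windows default cache, and the lookup order are all assumptions made for this example.

```python
import os
from dataclasses import dataclass
from typing import Mapping, Optional, Union


class OperationNotAvailableError(Exception):
    """No usable NTLM credential could be found (illustrative, not pyspnego's class)."""


@dataclass(frozen=True)
class Password:
    username: str
    password: str  # "" is a real, explicit credential


@dataclass(frozen=True)
class CredentialCache:
    source: str  # the NTLM_USER_FILE path, or a platform default cache


Credential = Union[Password, CredentialCache]


def _from_cache(env: Mapping[str, str], platform_cache: bool) -> CredentialCache:
    # NTLM_USER_FILE is the explicit cache; a platform default cache (the
    # Windows case raised in the thread) may exist even without the variable.
    path = env.get("NTLM_USER_FILE")
    if path:
        return CredentialCache(path)
    if platform_cache:
        return CredentialCache("platform-default")
    raise OperationNotAvailableError(
        "no password was supplied and NTLM_USER_FILE is not set; "
        "pass a password (an empty string is a valid explicit password)"
    )


def resolve_legacy(username: str, password: Optional[str],
                   env: Optional[Mapping[str, str]] = None,
                   platform_cache: bool = False) -> Credential:
    # Pre-fix semantics: any falsy password ("" included) means "use the cache",
    # so a wrong-but-empty password surfaces as a confusing cache error.
    if password:
        return Password(username, password)
    return _from_cache(os.environ if env is None else env, platform_cache)


def resolve_fixed(username: str, password: Optional[str],
                  env: Optional[Mapping[str, str]] = None,
                  platform_cache: bool = False) -> Credential:
    # Post-fix semantics: only None means "use the cache"; "" is an explicit
    # password that goes through normal authentication and fails as Unauthorized.
    if password is not None:
        return Password(username, password)
    return _from_cache(os.environ if env is None else env, platform_cache)
```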

skvl commented Jun 8, 2024

Hello!

I have the same issue in my local testing environment. So I'm waiting for the PR too :-)

@jborean93 do you mean something like this:

            if password is None:
                username = [Password(username=username, password=password)]

disaykin commented

I also use an empty password in my local development. I use this patch as a workaround.

jborean93 merged commit de9acd9 into jborean93:main on Jun 11, 2024