Re: Upgrade default authentication to NTLMv2/NTLMSSP (try #2)

On Sun, 25 Nov 2012 00:10:32 -0600
Steve French <smfrench@xxxxxxxxx> wrote:

> Incorporating Jeff's feedback
> 
> commit e6104c75c0e3158d39356591955f2aff7f3558c3
> Author: Steve French <smfrench@xxxxxxxxx>
> Date:   Sun Nov 25 00:07:44 2012 -0600
> 
>     [CIFS] default authentication needs to be at least ntlmv2 security
> for cifs mounts
> 
>     We had planned to upgrade to ntlmv2 security a few releases ago,
>     and have been warning users in dmesg on mount about the impending
>     upgrade, but had to make a change (to use ntlmssp with ntlmv2) due
>     to testing issues with some non-Windows, non-Samba servers.
> 
>     The approach in this patch is simpler than earlier patches,
>     and changes the default authentication mechanism to ntlmv2
>     password hashes (encapsulated in ntlmssp) from ntlm (ntlm is
>     too weak for current use and ntlmv2 has been broadly
>     supported for many, many years).
> 
>     Signed-off-by: Steve French <smfrench@xxxxxxxxx>
> 
> diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
> index f5af252..2cd5ea2 100644
> --- a/fs/cifs/cifsglob.h
> +++ b/fs/cifs/cifsglob.h
> @@ -1362,7 +1362,7 @@ require use of the stronger protocol */
>  #define   CIFSSEC_MUST_SEAL	0x40040 /* not supported yet */
>  #define   CIFSSEC_MUST_NTLMSSP	0x80080 /* raw ntlmssp with ntlmv2 */
> 
> -#define   CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLM |
> CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP)
> +#define   CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMSSP)
>  #define   CIFSSEC_MAX (CIFSSEC_MUST_SIGN | CIFSSEC_MUST_NTLMV2)
>  #define   CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2 |
> CIFSSEC_MAY_LANMAN | CIFSSEC_MAY_PLNTXT | CIFSSEC_MAY_KRB5 |
> CIFSSEC_MAY_NTLMSSP)
>  /*
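Review bot: CIFSSEC_DEF now carries only CIFSSEC_MAY_NTLMSSP as an auth bit, but CIFSSEC_MAX on the next line is left as CIFSSEC_MUST_SIGN | CIFSSEC_MUST_NTLMV2, so the default and the maximum no longer name the same mechanism. If that is intended, a short comment above CIFSSEC_DEF saying that the default is ntlmv2 hashes carried in ntlmssp (as the commit message states), and that ntlm and raw ntlmv2 now have to be requested explicitly, would make the pairing clear; otherwise CIFSSEC_MAX may need CIFSSEC_MUST_NTLMSSP as well.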
> diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
> index 5c670b9..32fb50e 100644
> --- a/fs/cifs/connect.c
> +++ b/fs/cifs/connect.c
> @@ -2397,8 +2397,6 @@ cifs_set_cifscreds(struct smb_vol *vol
> __attribute__((unused)),
>  }
>  #endif /* CONFIG_KEYS */
> 
> -static bool warned_on_ntlm;  /* globals init to false automatically */
> -
>  static struct cifs_ses *
>  cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb_vol *volume_info)
>  {
> @@ -2475,14 +2473,6 @@ cifs_get_smb_ses(struct TCP_Server_Info
> *server, struct smb_vol *volume_info)
>  	ses->cred_uid = volume_info->cred_uid;
>  	ses->linux_uid = volume_info->linux_uid;
> 
> -	/* ntlmv2 is much stronger than ntlm security, and has been broadly
> -	supported for many years, time to update default security mechanism */
> -	if ((volume_info->secFlg == 0) && warned_on_ntlm == false) {
> -		warned_on_ntlm = true;
> -		cERROR(1, "default security mechanism requested.  The default "
> -			"security mechanism will be upgraded from ntlm to "
> -			"ntlmv2 in kernel release 3.3");
> -	}
>  	ses->overrideSecFlg = volume_info->secFlg;
> 
>  	mutex_lock(&ses->session_mutex);
> 
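Review bot: With the secFlg == 0 warning removed from cifs_get_smb_ses(), a mount that relies on the default gets no message at all once the mechanism changes under it. The commit message mentions testing issues with some non-Windows, non-Samba servers, so consider a one-time notice when a default-security session setup fails, pointing the user at an explicit sec= option, or at least document the new default where the mount options are described. Dropping warned_on_ntlm in the previous hunk is consistent with this removal.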

I'd still like to see a more comprehensive overhaul of the auth code,
but this will at least get rid of the warning for now...

Acked-by: Jeff Layton <jlayton@xxxxxxxxxx>