On Wed, Aug 18, 2021 at 11:29 AM ronnie sahlberg <ronniesahlberg@xxxxxxxxx> wrote: > > On Wed, Aug 18, 2021 at 11:18 PM Tom Talpey <tom@xxxxxxxxxx> wrote: > > > > On 8/18/2021 12:10 AM, Ronnie Sahlberg wrote: > > > Steve, > > > > > > We depend on ARC4 for generating the encrypted session key in key exchange. > > > This patch disables the key exchange/encrypted session key for ntlmssp > > > IF the kernel does not have any ARC4 support. > > > > > > This allows to build the cifs module even if ARC4 has been removed > > > though with a weaker type of NTLMSSP support. > > > > It's a good goal but it seems wrong to downgrade the security > > so silently. Wouldn't it be a better approach to select ARC4, > > and thereby force the build to succeed or fail? Alternatively, > > change the #ifndef ARC4 to a positive option named (for example) > > DOWNGRADED_NTLMSSP or something equally foreboding? > > Good point. > Maybe we should drop this patch and instead copy ARC4 into fs/cifs > so we have a private version of the code in cifs.ko. > And do the same for md4 and md5. Yes ... and allow a build option where ARC4/MD4 are removed from the build and NTLMSSP disabled, forcing kerberos in the short term, and then we need to get working ASAP on adding some choices in the future, perhaps something similar to https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj852232(v=ws.11) where Windows allows plugging in additional auth mechanisms to SPNEGO (and pick at least one new mechanism beyond KRB5 to support in the kernel client ...) -- Thanks, Steve
