Home Explore Help
Register Sign In
phyus
/
linux-vybrid_public
8
0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Browse Source

default authentication needs to be at least ntlmv2 security for cifs mounts

We had planned to upgrade to ntlmv2 security a few releases ago,
and have been warning users in dmesg on mount about the impending
upgrade, but had to make a change (to use nltmssp with ntlmv2) due
to testing issues with some non-Windows, non-Samba servers.

The approach in this patch is simpler than earlier patches,
and changes the default authentication mechanism to ntlmv2
password hashes (encapsulated in ntlmssp) from ntlm (ntlm is
too weak for current use and ntlmv2 has been broadly
supported for many, many years).

Signed-off-by: Steve French <smfrench@gmail.com>
Acked-by: Jeff Layton <jlayton@redhat.com>
Steve French 12 years ago
parent
27d7c2a006
commit
81bcd8b795
2 changed files with 1 additions and 11 deletions
Split View Show Diff Stats
  1. 1 1
      fs/cifs/cifsglob.h
  2. 0 10
      fs/cifs/connect.c

+ 1 - 1
fs/cifs/cifsglob.h
View File 

@@ -1362,7 +1362,7 @@ require use of the stronger protocol */
 
 #define   CIFSSEC_MUST_SEAL	0x40040 /* not supported yet */
 
 #define   CIFSSEC_MUST_NTLMSSP	0x80080 /* raw ntlmssp with ntlmv2 */
 
 
-#define   CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP)
 
+#define   CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMSSP)
 
 #define   CIFSSEC_MAX (CIFSSEC_MUST_SIGN | CIFSSEC_MUST_NTLMV2)
 
 #define   CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_LANMAN | CIFSSEC_MAY_PLNTXT | CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_NTLMSSP)
 
 /*

+ 0 - 10
fs/cifs/connect.c
View File 

@@ -2397,8 +2397,6 @@ cifs_set_cifscreds(struct smb_vol *vol __attribute__((unused)),
 
 }
 
 #endif /* CONFIG_KEYS */
 
 
-static bool warned_on_ntlm;  /* globals init to false automatically */
 
-
 
 static struct cifs_ses *
 
 cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb_vol *volume_info)
 
 {
 
@@ -2475,14 +2473,6 @@ cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb_vol *volume_info)
 
 	ses->cred_uid = volume_info->cred_uid;
 
 	ses->linux_uid = volume_info->linux_uid;
 
 
-	/* ntlmv2 is much stronger than ntlm security, and has been broadly
 
-	supported for many years, time to update default security mechanism */
 
-	if ((volume_info->secFlg == 0) && warned_on_ntlm == false) {
 
-		warned_on_ntlm = true;
 
-		cERROR(1, "default security mechanism requested.  The default "
 
-			"security mechanism will be upgraded from ntlm to "
 
-			"ntlmv2 in kernel release 3.3");
 
-	}
 
 	ses->overrideSecFlg = volume_info->secFlg;
 
 
 	mutex_lock(&ses->session_mutex);