authorSteve French <smfrench@gmail.com>2012-11-25 01:07:44 -0500
committerSteve French <smfrench@gmail.com>2012-12-05 14:07:13 -0500
commit81bcd8b795229c70d7244898efe282846e3b14ce (patch)
treebc33b84ee0714960b7900dae48b1f55f67018854 /fs/cifs
parent27d7c2a006a81c04fab00b8cd81b99af3b32738d (diff)
default authentication needs to be at least ntlmv2 security for cifs mounts
We had planned to upgrade to ntlmv2 security a few releases ago, and have been warning users in dmesg on mount about the impending upgrade, but had to make a change (to use ntlmssp with ntlmv2) due to testing issues with some non-Windows, non-Samba servers. The approach in this patch is simpler than earlier patches, and changes the default authentication mechanism to ntlmv2 password hashes (encapsulated in ntlmssp) from ntlm (ntlm is too weak for current use and ntlmv2 has been broadly supported for many, many years). Signed-off-by: Steve French <smfrench@gmail.com> Acked-by: Jeff Layton <jlayton@redhat.com>
Diffstat (limited to 'fs/cifs')
-rw-r--r--fs/cifs/cifsglob.h2
-rw-r--r--fs/cifs/connect.c10
2 files changed, 1 insertions, 11 deletions
diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h
index f5af2527fc69..2cd5ea2042ed 100644
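--- a/fs/cifs/cifsglob.h
+++ b/fs/cifs/cifsglob.h
@@ -1362,7 +1362,7 @@ require use of the stronger protocol */
 #define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */
 #define CIFSSEC_MUST_NTLMSSP 0x80080 /* raw ntlmssp with ntlmv2 */
 
-#define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP)
+#define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMSSP)
 #define CIFSSEC_MAX (CIFSSEC_MUST_SIGN | CIFSSEC_MUST_NTLMV2)
 #define CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_LANMAN | CIFSSEC_MAY_PLNTXT | CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_NTLMSSP)
 /*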
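Review bot: The new `CIFSSEC_DEF` carries no comment, yet this one define is where the default authentication policy for every mount without an explicit security option now lives. I would add something like `/* default: ntlmv2 inside ntlmssp; plain ntlm and raw ntlmv2 must be requested explicitly */` above it. The default also keeps `CIFSSEC_MAY_SIGN` rather than `CIFSSEC_MUST_SIGN`, so judging by the flag names signing stays optional even though the password hash got stronger; if that is deliberate for compatibility the comment should say so. `CIFSSEC_MAX` on the next line still names `CIFSSEC_MUST_NTLMV2` instead of the NTLMSSP flag, which looks worth confirming against the new default.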
diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c
index 5c670b998ffb..32fb50e7932b 100644
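--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -2397,8 +2397,6 @@ cifs_set_cifscreds(struct smb_vol *vol __attribute__((unused)),
 }
 #endif /* CONFIG_KEYS */
 
-static bool warned_on_ntlm; /* globals init to false automatically */
-
 static struct cifs_ses *
 cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb_vol *volume_info)
 {
@@ -2475,14 +2473,6 @@ cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb_vol *volume_info)
  ses->cred_uid = volume_info->cred_uid;
  ses->linux_uid = volume_info->linux_uid;
 
- /* ntlmv2 is much stronger than ntlm security, and has been broadly
- supported for many years, time to update default security mechanism */
- if ((volume_info->secFlg == 0) && warned_on_ntlm == false) {
- warned_on_ntlm = true;
- cERROR(1, "default security mechanism requested. The default "
- "security mechanism will be upgraded from ntlm to "
- "ntlmv2 in kernel release 3.3");
- }
  ses->overrideSecFlg = volume_info->secFlg;
 
  mutex_lock(&ses->session_mutex);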