From patchwork Sun Nov 25 06:10:32 2012
X-Patchwork-Submitter: Steve French
X-Patchwork-Id: 1799161
Date: Sun, 25 Nov 2012 00:10:32 -0600
Subject: Upgrade default authentication to NTLMv2/NTLMSSP (try #2)
From: Steve French
To: linux-cifs@vger.kernel.org
Cc: Jeff Layton

Incorporating Jeff's feedback

commit e6104c75c0e3158d39356591955f2aff7f3558c3
Author: Steve French
Date: Sun Nov 25 00:07:44 2012 -0600

[CIFS] default authentication needs to be at least ntlmv2 security for cifs mounts

We had planned to upgrade to ntlmv2 security a few releases ago, and have been warning users in dmesg on mount about the impending upgrade, but had to make a change (to use ntlmssp with ntlmv2) due to testing issues with some non-Windows, non-Samba servers.

The approach in this patch is simpler than earlier patches, and changes the default authentication mechanism to ntlmv2 password hashes (encapsulated in ntlmssp) from ntlm (ntlm is too weak for current use and ntlmv2 has been broadly supported for many, many years).

Signed-off-by: Steve French

{ @@ -2475,14 +2473,6 @@ cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb_vol *volume_info) ses->cred_uid = volume_info->cred_uid; ses->linux_uid = volume_info->linux_uid; - /* ntlmv2 is much stronger than ntlm security, and has been broadly - supported for many years, time to update default security mechanism */ - if ((volume_info->secFlg == 0) && warned_on_ntlm == false) { - warned_on_ntlm = true; - cERROR(1, "default security mechanism requested. The default " - "security mechanism will be upgraded from ntlm to " - "ntlmv2 in kernel release 3.3"); - } ses->overrideSecFlg = volume_info->secFlg; mutex_lock(&ses->session_mutex); Acked-by: Jeff Layton diff --git a/fs/cifs/cifsglob.h b/fs/cifs/cifsglob.h index f5af252..2cd5ea2 100644 --- a/fs/cifs/cifsglob.h +++ b/fs/cifs/cifsglob.h 
@@ -1362,7 +1362,7 @@ require use of the stronger protocol */ #define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */ #define CIFSSEC_MUST_NTLMSSP 0x80080 /* raw ntlmssp with ntlmv2 */ -#define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP) +#define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMSSP) #define CIFSSEC_MAX (CIFSSEC_MUST_SIGN | CIFSSEC_MUST_NTLMV2) #define CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_LANMAN | CIFSSEC_MAY_PLNTXT | CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_NTLMSSP) /* diff --git a/fs/cifs/connect.c b/fs/cifs/connect.c index 5c670b9..32fb50e 100644 --- a/fs/cifs/connect.c +++ b/fs/cifs/connect.c @@ -2397,8 +2397,6 @@ cifs_set_cifscreds(struct smb_vol *vol __attribute__((unused)), } #endif /* CONFIG_KEYS */ -static bool warned_on_ntlm; /* globals init to false automatically */ - static struct cifs_ses * cifs_get_smb_ses(struct TCP_Server_Info *server, struct smb_vol *volume_info)
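Review bot: In the fs/cifs/connect.c hunk at @@ -2475 (cifs_get_smb_ses), the one-time cERROR for volume_info->secFlg == 0 is dropped with nothing in its place, even though this is the patch where the default actually changes. A mount that names no mechanism against a server that accepts only ntlm will now fail with no hint in dmesg about the cause. Consider a one-time message on that path, or on the authentication failure, saying that the default is now ntlmv2 encapsulated in ntlmssp and that the older mechanism must be requested explicitly. The removed string also announced kernel release 3.3 as the switch point, so the changelog should state which release carries the change.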
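Review bot: In the fs/cifs/cifsglob.h hunk at @@ -1362, CIFSSEC_MAX on the context line directly below the new CIFSSEC_DEF is still (CIFSSEC_MUST_SIGN | CIFSSEC_MUST_NTLMV2), while the new default no longer sets CIFSSEC_MAY_NTLMV2 at all, so the default and the maximum now name different mechanisms. Either move CIFSSEC_MAX to CIFSSEC_MUST_NTLMSSP as well, or add a comment explaining why it stays on raw ntlmv2. A short comment above CIFSSEC_DEF noting that CIFSSEC_MAY_NTLM and CIFSSEC_MAY_NTLMV2 were removed from the default deliberately would also keep a later cleanup from putting them back.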