From: Steve French <smfrench@gmail.com>
To: ronnie sahlberg <ronniesahlberg@gmail.com>
Cc: Tom Talpey <tom@talpey.com>,
Ronnie Sahlberg <lsahlber@redhat.com>,
linux-cifs <linux-cifs@vger.kernel.org>
Subject: Re: Disable key exchange if ARC4 is not available
Date: Wed, 18 Aug 2021 11:51:49 -0500 [thread overview]
Message-ID: <CAH2r5mvj5w1NxkyH4XE6S6J0O7VFJ-XWB_Og_JsmA0M8i=AW2A@mail.gmail.com> (raw)
In-Reply-To: <CAN05THR_Y+uoER=iNiwoiZ0yPcJ2T-LvRqOew59G53SafUMg3g@mail.gmail.com>
On Wed, Aug 18, 2021 at 11:29 AM ronnie sahlberg
<ronniesahlberg@gmail.com> wrote:
>
> On Wed, Aug 18, 2021 at 11:18 PM Tom Talpey <tom@talpey.com> wrote:
> >
> > On 8/18/2021 12:10 AM, Ronnie Sahlberg wrote:
> > > Steve,
> > >
> > > We depend on ARC4 for generating the encrypted session key in key exchange.
> > > This patch disables the key exchange/encrypted session key for ntlmssp
> > > IF the kernel does not have any ARC4 support.
> > >
> > > This allows to build the cifs module even if ARC4 has been removed
> > > though with a weaker type of NTLMSSP support.
> >
> > It's a good goal but it seems wrong to downgrade the security
> > so silently. Wouldn't it be a better approach to select ARC4,
> > and thereby force the build to succeed or fail? Alternatively,
> > change the #ifndef ARC4 to a positive option named (for example)
> > DOWNGRADED_NTLMSSP or something equally foreboding?
>
> Good point.
> Maybe we should drop this patch and instead copy ARC4 into fs/cifs
> so we have a private version of the code in cifs.ko.
> And do the same for md4 and md5.
Yes ... and allow a build option where ARC4/MD4 are removed from the
build and NTLMSSP disabled,
forcing kerberos in the short term, and then we need to get working
ASAP on adding some choices in the future,
perhaps something similar to
https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj852232(v=ws.11)
where Windows allows plugging in additional auth mechanisms to SPNEGO
(and pick at least one new mechanism beyond
KRB5 to support in the kernel client ...)
--
Thanks,
Steve
next prev parent reply other threads:[~2021-08-18 16:52 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-18 4:10 Disable key exchange if ARC4 is not available Ronnie Sahlberg
2021-08-18 4:10 ` [PATCH] cifs: disable ntlmssp " Ronnie Sahlberg
2021-08-18 13:18 ` Disable " Tom Talpey
2021-08-18 16:27 ` ronnie sahlberg
2021-08-18 16:29 ` ronnie sahlberg
2021-08-18 16:51 ` Steve French [this message]
2021-08-18 18:33 ` Tom Talpey
2021-08-18 21:04 ` ronnie sahlberg
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAH2r5mvj5w1NxkyH4XE6S6J0O7VFJ-XWB_Og_JsmA0M8i=AW2A@mail.gmail.com' \
--to=smfrench@gmail.com \
--cc=linux-cifs@vger.kernel.org \
--cc=lsahlber@redhat.com \
--cc=ronniesahlberg@gmail.com \
--cc=tom@talpey.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).