From: Steve French <smfrench-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
To: "linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org"
<linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
Subject: Fwd: [PATCH] SMB2: Enforce sec= mount option
Date: Wed, 11 Jan 2017 11:59:58 -0600 [thread overview]
Message-ID: <CAH2r5mtmwxAf61ES_JBYuZ5+wjAKftVfw=0N03ZtW-XhQ+7pyA@mail.gmail.com> (raw)
In-Reply-To: <CAH2r5mvU4_O_epw8tTPOHV3UVRyi9eNmE85cFPGVDGR8twQiZg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
---------- Forwarded message ----------
From: Steve French <smfrench-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Date: Wed, Jan 11, 2017 at 11:58 AM
Subject: Re: [PATCH] SMB2: Enforce sec= mount option
To: Scott Lovenberg <scott.lovenberg-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org>
Cc: Sachin Prabhu <sprabhu-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>, Germano Percossi
<germano.percossi-Sxgqhf6Nn4DQT0dZR+AlfA@public.gmane.org>, linux-cifs <linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org>
There is a broader question here about signing (making sure we enforce
it properly if signing is requested but not supported) but I think
that ntlmv2 can map to ntlmssp/ntlmv2. Given that ntlmv2 is the level
of password hash used in our implementation of ntlmssp - I am fine
with allowing ntlmv2 as a synonym (we wouldn't distinguish gssapi
encapsulation of ntlmssp as a distinct sec version either - what
matters is the level of security).
On the question of signing:
1) if the server requires signing we turn it on (without signing
required on the client mount, we allow the server to choose)
2) if the client requires signing and the server doesn't support it we
should fail since the client expects signing
I wouldn't mind adding mount option that forces signing to be off no
matter what the server requested but doubt it would be needed.
I do agree about accepting a list of sec= options and would take a
kernel patch for that, but our earlier decision was that this could be
done easier in user space (mount.cifs) - ie retry with different sec=
options if the user specified more than.
On Wed, Jan 11, 2017 at 11:48 AM, Scott Lovenberg
<scott.lovenberg-Re5JQEeQqe8AvxtiuMwx3w@public.gmane.org> wrote:
>
> On Wed, Jan 11, 2017 at 6:17 AM, Sachin Prabhu <sprabhu-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org> wrote:
> [snip]
> > My own opinion is that when a mount option is explicitly passed, it is
> > expected the option provided be used and fail if it cannot be used. I
> > think replacing a explicitly requested mount option with another can
> > lead to unexpected results and may also affect things activities like
> > testing.
> >
> > There are other mount options like "vers=" where cifs doesn't attempt
> > to replace an invalid protocol version with another. This in my opinion
> > is the correct behaviour.
>
> Allow me to play Devil's advocate, but with a bridge we'll have to
> cross if we enact this behavior... Quoth The (current-ish) Fine Manual
> page for mount.cifs (quoted in full for historical mail list
> reference) :
> "
> sec=
> Security mode. Allowed values are:
>
> · none - attempt to connection as a null user (no name)
> · krb5 - Use Kerberos version 5 authentication
> · krb5i - Use Kerberos authentication and forcibly enable
> packet signing
> · ntlm - Use NTLM password hashing
> · ntlmi - Use NTLM password hashing and force packet signing
> · ntlmv2 - Use NTLMv2 password hashing
> · ntlmv2i - Use NTLMv2 password hashing and force packet signing
> · ntlmssp - Use NTLMv2 password hashing encapsulated in
> Raw NTLMSSP message
> · ntlmsspi - Use NTLMv2 password hashing encapsulated in
> Raw NTLMSSP message, and force packet signing
> The default in mainline kernel versions prior to v3.8 was
> sec=ntlm. In v3.8, the default was changed to sec=ntlmssp.
>
> If the server requires signing during protocol negotiation,
> then it may be enabled automatically. Packet signing may also be
> enabled
> automatically if it's enabled in /proc/fs/cifs/SecurityFlags.
> "
>
> What is the defined behavior if I specify that I'd like any of the
> more current NTLM variants kerberos-5, explicitly, without packet
> signing but the server requires packet signing? Currently, we
> silently turn it on. Is the defined behavior to now loudly fail
> rather than enable signing? Especially since the default value
> changed in Linux-3.8. I'd argue that we already somewhat treat the
> "sec" option as a preference rather than a requirement. I would
> further argue, although not strongly, that if we want to go down this
> road, that we should accept multiple options and if NONE of them can
> be used, then we fail. Does anyone have a better idea, or is the
> consensus that this isn't as large of an issue (both technologically
> and from a user perspective) as I perceive it to be?
>
> Steve, I'll defer to you as well with my objection above noted.
--
Thanks,
Steve
--
Thanks,
Steve
next prev parent reply other threads:[~2017-01-11 17:59 UTC|newest]
Thread overview: 16+ messages / expand[flat|nested] mbox.gz Atom feed top
2016-12-08 6:46 [PATCH] SMB2: Enforce sec= mount option Sachin Prabhu
[not found] ` <CAH2r5msW1Z1j3J+c3RF7NAH9ChKxy2GajKNp7AUxF4sfeZPXUA@mail.gmail.com>
[not found] ` <CAH2r5msW1Z1j3J+c3RF7NAH9ChKxy2GajKNp7AUxF4sfeZPXUA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-01-10 20:23 ` Fwd: " Steve French
[not found] ` <1481179577-15995-1-git-send-email-sprabhu-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-12-08 8:06 ` Scott Lovenberg
[not found] ` <CAFB9KM0oPPm4bYyKd75Yjy-2kCZ=0UTpwn=ONCRo0g5waNa6AA-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2016-12-08 9:03 ` Sachin Prabhu
[not found] ` <1481187800.4195.19.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2016-12-08 9:14 ` Scott Lovenberg
2017-01-11 11:45 ` Germano Percossi
[not found] ` <c0748fb1-4161-ea0f-3f6d-b0705bb83a9d-Sxgqhf6Nn4DQT0dZR+AlfA@public.gmane.org>
2017-01-11 12:17 ` Sachin Prabhu
[not found] ` <1484137071.29387.9.camel-H+wXaHxf7aLQT0dZR+AlfA@public.gmane.org>
2017-01-11 17:48 ` Scott Lovenberg
[not found] ` <CAH2r5mvU4_O_epw8tTPOHV3UVRyi9eNmE85cFPGVDGR8twQiZg@mail.gmail.com>
[not found] ` <CAH2r5mvU4_O_epw8tTPOHV3UVRyi9eNmE85cFPGVDGR8twQiZg-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-01-11 17:59 ` Steve French [this message]
2017-01-10 23:11 ` L A Walsh
[not found] ` <58756A3D.6000705-gT3AUAsYRbTYtjvyW6yDsg@public.gmane.org>
2017-01-11 10:46 ` Aurélien Aptel
2017-01-11 21:02 ` Scott Lovenberg
[not found] ` <CAFB9KM3S+p3sU26LKGwqaZ_3g4gkPPzEFzohwAFOa-PZPqZTAQ-JsoAwUIsXosN+BqQ9rBEUg@public.gmane.org>
2017-01-12 4:23 ` Steve French
2017-01-12 10:33 ` L A Walsh
2017-01-16 5:49 ` Sachin Prabhu
2017-01-10 23:30 ` L A Walsh
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAH2r5mtmwxAf61ES_JBYuZ5+wjAKftVfw=0N03ZtW-XhQ+7pyA@mail.gmail.com' \
--to=smfrench-re5jqeeqqe8avxtiumwx3w@public.gmane.org \
--cc=linux-cifs-u79uwXL29TY76Z2rM5mHXA@public.gmane.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.