linux-cifs.vger.kernel.org archive mirror
From: Steve French <smfrench@gmail.com>
To: ronnie sahlberg <ronniesahlberg@gmail.com>
Cc: Tom Talpey <tom@talpey.com>,
	Ronnie Sahlberg <lsahlber@redhat.com>,
	linux-cifs <linux-cifs@vger.kernel.org>
Subject: Re: Disable key exchange if ARC4 is not available
Date: Wed, 18 Aug 2021 11:51:49 -0500
Message-ID: <CAH2r5mvj5w1NxkyH4XE6S6J0O7VFJ-XWB_Og_JsmA0M8i=AW2A@mail.gmail.com>
In-Reply-To: <CAN05THR_Y+uoER=iNiwoiZ0yPcJ2T-LvRqOew59G53SafUMg3g@mail.gmail.com>

On Wed, Aug 18, 2021 at 11:29 AM ronnie sahlberg
<ronniesahlberg@gmail.com> wrote:
>
> On Wed, Aug 18, 2021 at 11:18 PM Tom Talpey <tom@talpey.com> wrote:
> >
> > On 8/18/2021 12:10 AM, Ronnie Sahlberg wrote:
> > > Steve,
> > >
> > > We depend on ARC4 for generating the encrypted session key in key exchange.
> > > This patch disables the key exchange/encrypted session key for ntlmssp
> > > IF the kernel does not have any ARC4 support.
> > >
> > > This allows building the cifs module even if ARC4 has been removed,
> > > though with a weaker type of NTLMSSP support.
> >
> > It's a good goal but it seems wrong to downgrade the security
> > so silently. Wouldn't it be a better approach to select ARC4,
> > and thereby force the build to succeed or fail? Alternatively,
> > change the #ifndef ARC4 to a positive option named (for example)
> > DOWNGRADED_NTLMSSP or something equally foreboding?
>
> Good point.
> Maybe we should drop this patch and instead copy ARC4 into fs/cifs
> so we have a private version of the code in cifs.ko.
> And do the same for md4 and md5.

Yes ... and allow a build option where ARC4/MD4 are removed from the
build and NTLMSSP disabled, forcing Kerberos in the short term, and
then we need to get working ASAP on adding some choices in the future,
perhaps something similar to

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/jj852232(v=ws.11)

where Windows allows plugging in additional auth mechanisms to SPNEGO
(and pick at least one new mechanism beyond KRB5 to support in the
kernel client ...)

-- 
Thanks,

Steve
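
The trade-off discussed in this thread, as an added example that is not part of the original messages or of the cifs code: a user-space sketch of the NTLMSSP key-exchange step as MS-NLMP describes it (a random session key RC4-encrypted under the key-exchange key), where the weaker no-ARC4 mode is reached only through an explicit opt-in rather than silently. The function `ntlmssp_key_exchange` and its `have_arc4` / `allow_downgrade` parameters are hypothetical names chosen for illustration.

```c
#include <stdint.h>
#include <string.h>
#define NTLMSSP_NEGOTIATE_KEY_EXCH 0x40000000u /* flag value from MS-NLMP */
#define KEY_LEN 16

/* Textbook RC4 (key schedule, then keystream XOR), in place. */
static void rc4_crypt(const uint8_t *key, size_t klen, uint8_t *buf, size_t len)
{
    uint8_t s[256], t;
    size_t i, j = 0, n;
    for (i = 0; i < 256; i++)
        s[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {
        j = (j + s[i] + key[i % klen]) & 0xff;
        t = s[i]; s[i] = s[j]; s[j] = t;
    }
    for (i = j = 0, n = 0; n < len; n++) {
        i = (i + 1) & 0xff;
        j = (j + s[i]) & 0xff;
        t = s[i]; s[i] = s[j]; s[j] = t;
        buf[n] ^= s[(s[i] + s[j]) & 0xff];
    }
}

/* Hypothetical helper. Returns 1: key exchange used, 0: explicit downgrade,
 * -1: refused (no ARC4 and the caller did not opt in to the weaker mode). */
static int ntlmssp_key_exchange(int have_arc4, int allow_downgrade, uint32_t *flags,
        const uint8_t *kxkey, const uint8_t *rnd, uint8_t *enc_key, uint8_t *sess_key)
{
    if (!have_arc4) {
        if (!allow_downgrade)
            return -1;                          /* fail loudly, never silently */
        *flags &= ~NTLMSSP_NEGOTIATE_KEY_EXCH;  /* do not offer key exchange */
        memcpy(sess_key, kxkey, KEY_LEN);       /* session key is the password-derived key */
        memset(enc_key, 0, KEY_LEN);            /* nothing to send */
        return 0;
    }
    *flags |= NTLMSSP_NEGOTIATE_KEY_EXCH;
    memcpy(sess_key, rnd, KEY_LEN);             /* fresh random per-session key */
    memcpy(enc_key, rnd, KEY_LEN);
    rc4_crypt(kxkey, KEY_LEN, enc_key, KEY_LEN); /* encrypted session key for AUTHENTICATE */
    return 1;
}

int main(void)
{
    uint8_t kx[KEY_LEN] = {1}, rnd[KEY_LEN] = {2}, enc[KEY_LEN], sk[KEY_LEN];
    uint32_t flags = 0;
    return ntlmssp_key_exchange(0, 0, &flags, kx, rnd, enc, sk) == -1 ? 0 : 1;
}
```

In the downgraded path every session signs with the same password-derived key, which is why the sketch refuses it unless the caller opts in.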

Thread overview: 8+ messages
2021-08-18  4:10 Ronnie Sahlberg
2021-08-18  4:10 ` [PATCH] cifs: disable ntlmssp " Ronnie Sahlberg
2021-08-18 13:18 ` Disable " Tom Talpey
2021-08-18 16:27   ` ronnie sahlberg
2021-08-18 16:29   ` ronnie sahlberg
2021-08-18 16:51     ` Steve French [this message]
2021-08-18 18:33       ` Tom Talpey
2021-08-18 21:04         ` ronnie sahlberg