archive mirror
 help / color / mirror / Atom feed
From: Tom Talpey <>
To: Steve French <>,
	ronnie sahlberg <>
Cc: Ronnie Sahlberg <>,
	linux-cifs <>
Subject: Re: Disable key exchange if ARC4 is not available
Date: Wed, 18 Aug 2021 14:33:11 -0400	[thread overview]
Message-ID: <> (raw)
In-Reply-To: <>

On 8/18/2021 12:51 PM, Steve French wrote:
> On Wed, Aug 18, 2021 at 11:29 AM ronnie sahlberg
> <> wrote:
>> On Wed, Aug 18, 2021 at 11:18 PM Tom Talpey <> wrote:
>>> On 8/18/2021 12:10 AM, Ronnie Sahlberg wrote:
>>>> Steve,
>>>> We depend on ARC4 for generating the encrypted session key in key exchange.
>>>> This patch disables the key exchange/encrypted session key for ntlmssp
>>>> IF the kernel does not have any ARC4 support.
>>>> This allows to build the cifs module even if ARC4 has been removed
>>>> though with a weaker type of NTLMSSP support.
>>> It's a good goal but it seems wrong to downgrade the security
>>> so silently. Wouldn't it be a better approach to select ARC4,
>>> and thereby force the build to succeed or fail? Alternatively,
>>> change the #ifndef ARC4 to a positive option named (for example)
>>> DOWNGRADED_NTLMSSP or something equally foreboding?
>> Good point.
>> Maybe we should drop this patch and instead copy ARC4 into fs/cifs
>> so we have a private version of the code in cifs.ko.
>> And do the same for md4 and md5.

Copying such code makes me uneasy. It's going to confuse everyone
who tries to turn off one and misses the other. To say nothing of
the risk of testing and addressing bugs.

BTW, are we sure that servers even work if the client selects
something other than ARC4, or whatever?


> Yes ... and allow a build option where ARC4/MD4 are removed from the
> build and NTLMSSP disabled,
> forcing kerberos in the short term, and then we need to get working
> ASAP on adding some choices in the future,
> perhaps something similar to
> where Windows allows plugging in additional auth mechanisms to SPNEGO
> (and pick at least one new mechanism beyond
> KRB5 to support in the kernel client ...)

  reply	other threads:[~2021-08-18 18:33 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-08-18  4:10 Ronnie Sahlberg
2021-08-18  4:10 ` [PATCH] cifs: disable ntlmssp " Ronnie Sahlberg
2021-08-18 13:18 ` Disable " Tom Talpey
2021-08-18 16:27   ` ronnie sahlberg
2021-08-18 16:29   ` ronnie sahlberg
2021-08-18 16:51     ` Steve French
2021-08-18 18:33       ` Tom Talpey [this message]
2021-08-18 21:04         ` ronnie sahlberg

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \ \ \
    --subject='Re: Disable key exchange if ARC4 is not available' \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).