From patchwork Tue Jul 9 23:45:21 2024
X-Patchwork-Submitter: Steve French
X-Patchwork-Id: 1958612
From: Steve French
Date: Tue, 9 Jul 2024 18:45:21 -0500
Subject: [PATCH] cifs: fix setting SecurityFlags to true
To: CIFS
Cc: samba-technical

If you try to set /proc/fs/cifs/SecurityFlags to 1 it will set them to CIFSSEC_MUST_NTLMV2, which is obsolete and no longer checked, and will cause mount to fail, so change this to set it to a more understandable default (i.e. include Kerberos as well).

Also change the description of the SecurityFlags to remove mention of various flags which are no longer supported (due to removal of weak security such as lanman and ntlmv1).

From e8e82087796327a140f3542825f4ddeb7fd0dfb0 Mon Sep 17 00:00:00 2001
From: Steve French
Date: Tue, 9 Jul 2024 18:07:35 -0500
Subject: [PATCH] cifs: fix setting SecurityFlags to true

If you try to set /proc/fs/cifs/SecurityFlags to 1 it will set them to CIFSSEC_MUST_NTLMV2 which is obsolete and no longer checked, and will cause mount to fail, so change this to set it to a more understandable default (i.e. include Kerberos as well). Also change the description of the SecurityFlags to remove mention of flags which are no longer supported.

Cc: stable@vger.kernel.org
Signed-off-by: Steve French
---
 Documentation/admin-guide/cifs/usage.rst | 36 ++++++++----------------
 fs/smb/client/cifsglob.h                 |  4 +--
 2 files changed, 13 insertions(+), 27 deletions(-)

diff --git a/Documentation/admin-guide/cifs/usage.rst b/Documentation/admin-guide/cifs/usage.rst
index aa8290a29dc8..fd4b56c0996f 100644
--- a/Documentation/admin-guide/cifs/usage.rst
+++ b/Documentation/admin-guide/cifs/usage.rst
@@ -723,40 +723,26 @@ Configuration pseudo-files: ======================= ======================================================= SecurityFlags Flags which control security negotiation and also packet signing. Authentication (may/must) - flags (e.g. for NTLM and/or NTLMv2) may be combined with + flags (e.g. for NTLMv2) may be combined with the signing flags. Specifying two different password hashing mechanisms (as "must use") on the other hand does not make much sense. Default flags are:: - 0x07007 - - (NTLM, NTLMv2 and packet signing allowed). The maximum - allowable flags if you want to allow mounts to servers - using weaker password hashes is 0x37037 (lanman, - plaintext, ntlm, ntlmv2, signing allowed). Some - SecurityFlags require the corresponding menuconfig - options to be enabled. Enabling plaintext - authentication currently requires also enabling - lanman authentication in the security flags - because the cifs module only supports sending - laintext passwords using the older lanman dialect - form of the session setup SMB. (e.g. for authentication - using plain text passwords, set the SecurityFlags - to 0x30030):: + 0x00C5 + + (NTLMv2 and packet signing allowed). Some SecurityFlags + may require enabling a corresponding menuconfig option. 
may use packet signing 0x00001 must use packet signing 0x01001 - may use NTLM (most common password hash) 0x00002 - must use NTLM 0x02002 may use NTLMv2 0x00004 must use NTLMv2 0x04004 - may use Kerberos security 0x00008 - must use Kerberos 0x08008 - may use lanman (weak) password hash 0x00010 - must use lanman password hash 0x10010 - may use plaintext passwords 0x00020 - must use plaintext passwords 0x20020 - (reserved for future packet encryption) 0x00040 + may use Kerberos security (krb5) 0x00008 + must use Kerberos 0x08008 + may use NTLMSSP 0x00080 + must use NTLMSSP 0x80080 + seal (packet encryption) 0x00040 + must seal (not implemented yet) 0x40040 cifsFYI If set to non-zero value, additional debug information will be logged to the system error log. This field diff --git a/fs/smb/client/cifsglob.h b/fs/smb/client/cifsglob.h index 557b68e99d0a..fcfcb8429d32 100644 --- a/fs/smb/client/cifsglob.h +++ b/fs/smb/client/cifsglob.h @@ -1918,8 +1918,8 @@ require use of the stronger protocol */ #define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */ #define CIFSSEC_MUST_NTLMSSP 0x80080 /* raw ntlmssp with ntlmv2 */ -#define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP) -#define CIFSSEC_MAX (CIFSSEC_MUST_NTLMV2) +#define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP | CIFSSEC_MAY_SIGN | CIFSSEC_MAY_SEAL) +#define CIFSSEC_MAX (CIFSSEC_MAY_KRB5 | CIFSSEC_DEF) #define CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_NTLMSSP) /* ***************************************************************** -- 2.43.0
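Review bot: the new parenthetical "(NTLMv2 and packet signing allowed)" under-describes 0x00C5 in the usage.rst hunk. Per the table in the same hunk, 0xC5 is 0x00001 (sign) + 0x00004 (NTLMv2) + 0x00040 (seal) + 0x00080 (NTLMSSP), so NTLMSSP and sealing are allowed by default too; suggest "(NTLMv2, NTLMSSP, packet signing and sealing allowed)". The hunk also still does not say what writing 1 to the file selects, which is the behaviour this patch is fixing; a sentence such as "Setting SecurityFlags to 1 selects the maximum set, 0x00CD (the default plus Kerberos)" would make the fix visible to administrators reading this page.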
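Review bot: CIFSSEC_MAY_SIGN appears twice in the new CIFSSEC_DEF in the cifsglob.h hunk; the second occurrence is a no-op and should be dropped, i.e. `#define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_NTLMSSP | CIFSSEC_MAY_SEAL)`. Adding CIFSSEC_MAY_SEAL also changes the default for every mount (0xC5 instead of the previous 0x85), not just for users who write 1 to SecurityFlags, and the commit message does not mention it; for a Cc: stable patch that should be called out in the description or split into its own commit. Finally, CIFSSEC_MAX is now built from "may" bits only and contains no "must" flag, unlike the old value; a short comment on the macro saying that it is the ceiling for the proc write path would stop the next reader from reintroducing a "must" flag there.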
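Added example, not kernel code and not part of the patch: it models the flag bits from the table above together with the old and new CIFSSEC_MAX/CIFSSEC_DEF, and decodes a SecurityFlags value into may/must mechanism names. The SEC_ identifiers are this example's own, and the mapping of a written "1" to CIFSSEC_MAX is an assumption taken from the cover letter.

```c
/* Added example, not kernel code: models the SecurityFlags bits listed in the
 * patch above and decodes a value read back from /proc/fs/cifs/SecurityFlags. */
#include <stdio.h>
#include <string.h>

/* "may" bits from the documentation table; each "must" flag is the same bit
 * OR'd with itself shifted left by 12 (0x00004 -> 0x04004). */
#define SEC_MAY_SIGN    0x00001
#define SEC_MAY_NTLMV2  0x00004
#define SEC_MAY_KRB5    0x00008
#define SEC_MAY_SEAL    0x00040
#define SEC_MAY_NTLMSSP 0x00080
#define SEC_MUST(may)   ((may) | ((may) << 12))
/* CIFSSEC_MAX before the cifsglob.h hunk, and CIFSSEC_DEF/MAX after it. */
#define SEC_MAX_OLD SEC_MUST(SEC_MAY_NTLMV2)
#define SEC_DEF_NEW (SEC_MAY_SIGN | SEC_MAY_NTLMV2 | SEC_MAY_NTLMSSP | SEC_MAY_SEAL)
#define SEC_MAX_NEW (SEC_MAY_KRB5 | SEC_DEF_NEW)

static const struct { unsigned may; const char *name; } sec_bits[] = {
    { SEC_MAY_SIGN, "sign" }, { SEC_MAY_NTLMV2, "ntlmv2" }, { SEC_MAY_KRB5, "krb5" },
    { SEC_MAY_SEAL, "seal" }, { SEC_MAY_NTLMSSP, "ntlmssp" },
};

/* Writes "may:x must:y ..." into out; returns how many mechanisms are "must". */
int decode_secflags(unsigned flags, char *out, size_t outlen)
{
    int musts = 0;
    out[0] = '\0';
    for (size_t i = 0; i < sizeof sec_bits / sizeof sec_bits[0]; i++) {
        unsigned must = SEC_MUST(sec_bits[i].may);
        const char *kind = NULL;
        if ((flags & must) == must) { kind = "must"; musts++; }
        else if (flags & sec_bits[i].may) kind = "may";
        if (!kind) continue;
        size_t len = strlen(out);
        snprintf(out + len, outlen - len, "%s%s:%s", len ? " " : "", kind, sec_bits[i].name);
    }
    return musts;
}

/* Assumption taken from the cover letter: writing "1" to the proc file selects
 * CIFSSEC_MAX, so what an admin ends up with depends on whether the patch is in. */
unsigned secflags_for_true(int patched) { return patched ? SEC_MAX_NEW : SEC_MAX_OLD; }

int main(void)
{
    char buf[128];
    decode_secflags(secflags_for_true(0), buf, sizeof buf);
    printf("SecurityFlags=1 before patch: 0x%05x %s\n", secflags_for_true(0), buf);
    decode_secflags(secflags_for_true(1), buf, sizeof buf);
    printf("SecurityFlags=1 after patch:  0x%05x %s\n", secflags_for_true(1), buf);
    return 0;
}
```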