Commit 7420451f authored by Steve French

cifs: allow disabling insecure dialects in the config

Allow disabling cifs (SMB1, i.e. vers=1.0) and vers=2.0 in the
config for the build of cifs.ko if you want to always prevent mounting
with these less secure dialects.

Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
parent 8505c8bf
...@@ -66,9 +66,24 @@ config CIFS_STATS2 ...@@ -66,9 +66,24 @@ config CIFS_STATS2
Unless you are a developer or are doing network performance analysis Unless you are a developer or are doing network performance analysis
or tuning, say N. or tuning, say N.
config CIFS_ALLOW_INSECURE_LEGACY
bool "Support legacy servers which use less secure dialects"
depends on CIFS
default y
help
Modern dialects, SMB2.1 and later (including SMB3 and 3.1.1), have
additional security features, including protection against
man-in-the-middle attacks and stronger crypto hashes, so the use
of legacy dialects (SMB1/CIFS and SMB2.0) is discouraged.
Disabling this option prevents users from using vers=1.0 or vers=2.0
on mounts with cifs.ko
If unsure, say Y.
config CIFS_WEAK_PW_HASH config CIFS_WEAK_PW_HASH
bool "Support legacy servers which use weaker LANMAN security" bool "Support legacy servers which use weaker LANMAN security"
depends on CIFS depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY
help help
Modern CIFS servers including Samba and most Windows versions Modern CIFS servers including Samba and most Windows versions
(since 1997) support stronger NTLM (and even NTLMv2 and Kerberos) (since 1997) support stronger NTLM (and even NTLMv2 and Kerberos)
......
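Review bot: The help text for CIFS_ALLOW_INSECURE_LEGACY does not mention that turning it off also hides CIFS_WEAK_PW_HASH, which this hunk makes depend on `CIFS && CIFS_ALLOW_INSECURE_LEGACY`; add a sentence saying so, so that someone configuring a build knows LANMAN support goes away with it. The sentence ending "on mounts with cifs.ko" is also missing its full stop. With `default y`, existing configs keep vers=1.0 and vers=2.0 available, so builds that want the hardening have to set the option to N explicitly.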
...@@ -1174,6 +1174,7 @@ cifs_parse_smb_version(char *value, struct smb_vol *vol, bool is_smb3) ...@@ -1174,6 +1174,7 @@ cifs_parse_smb_version(char *value, struct smb_vol *vol, bool is_smb3)
substring_t args[MAX_OPT_ARGS]; substring_t args[MAX_OPT_ARGS];
switch (match_token(value, cifs_smb_version_tokens, args)) { switch (match_token(value, cifs_smb_version_tokens, args)) {
#ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY
case Smb_1: case Smb_1:
if (disable_legacy_dialects) { if (disable_legacy_dialects) {
cifs_dbg(VFS, "mount with legacy dialect disabled\n"); cifs_dbg(VFS, "mount with legacy dialect disabled\n");
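Review bot: The `#ifdef CONFIG_CIFS_ALLOW_INSECURE_LEGACY` before `case Smb_1:` puts a preprocessor conditional in the middle of the switch, with its `#else` and `#endif` landing in the next hunk. The context lines already show a runtime refusal path, `if (disable_legacy_dialects)`; if the SMB1 and SMB2.0 operation tables are still compiled when the option is off (not visible in this diff), testing `IS_ENABLED(CONFIG_CIFS_ALLOW_INSECURE_LEGACY)` alongside that check would reuse the same path and avoid the duplicated case labels.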
...@@ -1198,6 +1199,14 @@ cifs_parse_smb_version(char *value, struct smb_vol *vol, bool is_smb3) ...@@ -1198,6 +1199,14 @@ cifs_parse_smb_version(char *value, struct smb_vol *vol, bool is_smb3)
vol->ops = &smb20_operations; vol->ops = &smb20_operations;
vol->vals = &smb20_values; vol->vals = &smb20_values;
break; break;
#else
case Smb_1:
cifs_dbg(VFS, "vers=1.0 (cifs) mount not permitted when legacy dialects disabled\n");
return 1;
case Smb_20:
cifs_dbg(VFS, "vers=2.0 mount not permitted when legacy dialects disabled\n");
return 1;
#endif /* CIFS_ALLOW_INSECURE_LEGACY */
case Smb_21: case Smb_21:
vol->ops = &smb21_operations; vol->ops = &smb21_operations;
vol->vals = &smb21_values; vol->vals = &smb21_values;
......
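Review bot: The two new messages in the `#else` branch say "not permitted when legacy dialects disabled", which reads the same as the runtime `disable_legacy_dialects` refusal earlier in the function, so an administrator cannot tell from the log that the dialect was removed at build time and that no runtime setting will bring it back; say so in the text, for example "vers=2.0 mount not permitted: legacy dialects disabled in kernel config". The closing comment `/* CIFS_ALLOW_INSECURE_LEGACY */` should also carry the `CONFIG_` prefix to match the `#ifdef`.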