Commit ac683924 authored by Steve French

[CIFS] Allow raw ntlmssp code to be enabled with sec=ntlmssp

On mount, "sec=ntlmssp" can now be specified to allow
"rawntlmssp" security to be enabled during
CIFS session establishment/authentication (ntlmssp used to
require specifying krb5 which was counterintuitive).
Signed-off-by: Steve French <sfrench@us.ibm.com>
parent 844823cb
...@@ -651,7 +651,15 @@ Experimental When set to 1 used to enable certain experimental ...@@ -651,7 +651,15 @@ Experimental When set to 1 used to enable certain experimental
signing turned on in case buffer was modified signing turned on in case buffer was modified
just before it was sent, also this flag will just before it was sent, also this flag will
be used to use the new experimental directory change be used to use the new experimental directory change
notification code). notification code). When set to 2 enables
an additional experimental feature, "raw ntlmssp"
session establishment support (which allows
specifying "sec=ntlmssp" on mount). The Linux cifs
module will use ntlmv2 authentication encapsulated
in "raw ntlmssp" (not using SPNEGO) when
"sec=ntlmssp" is specified on mount.
This support also requires building cifs with
the CONFIG_CIFS_EXPERIMENTAL configuration flag.
These experimental features and tracing can be enabled by changing flags in These experimental features and tracing can be enabled by changing flags in
/proc/fs/cifs (after the cifs module has been installed or built into the /proc/fs/cifs (after the cifs module has been installed or built into the
......
...@@ -82,8 +82,8 @@ enum securityEnum { ...@@ -82,8 +82,8 @@ enum securityEnum {
LANMAN, /* Legacy LANMAN auth */ LANMAN, /* Legacy LANMAN auth */
NTLM, /* Legacy NTLM012 auth with NTLM hash */ NTLM, /* Legacy NTLM012 auth with NTLM hash */
NTLMv2, /* Legacy NTLM auth with NTLMv2 hash */ NTLMv2, /* Legacy NTLM auth with NTLMv2 hash */
RawNTLMSSP, /* NTLMSSP without SPNEGO */ RawNTLMSSP, /* NTLMSSP without SPNEGO, NTLMv2 hash */
NTLMSSP, /* NTLMSSP via SPNEGO */ NTLMSSP, /* NTLMSSP via SPNEGO, NTLMv2 hash */
Kerberos, /* Kerberos via SPNEGO */ Kerberos, /* Kerberos via SPNEGO */
MSKerberos, /* MS Kerberos via SPNEGO */ MSKerberos, /* MS Kerberos via SPNEGO */
}; };
...@@ -531,6 +531,7 @@ static inline void free_dfs_info_array(struct dfs_info3_param *param, ...@@ -531,6 +531,7 @@ static inline void free_dfs_info_array(struct dfs_info3_param *param,
#define CIFSSEC_MAY_PLNTXT 0 #define CIFSSEC_MAY_PLNTXT 0
#endif /* weak passwords */ #endif /* weak passwords */
#define CIFSSEC_MAY_SEAL 0x00040 /* not supported yet */ #define CIFSSEC_MAY_SEAL 0x00040 /* not supported yet */
#define CIFSSEC_MAY_NTLMSSP 0x00080 /* raw ntlmssp with ntlmv2 */
#define CIFSSEC_MUST_SIGN 0x01001 #define CIFSSEC_MUST_SIGN 0x01001
/* note that only one of the following can be set so the /* note that only one of the following can be set so the
...@@ -543,22 +544,23 @@ require use of the stronger protocol */ ...@@ -543,22 +544,23 @@ require use of the stronger protocol */
#define CIFSSEC_MUST_LANMAN 0x10010 #define CIFSSEC_MUST_LANMAN 0x10010
#define CIFSSEC_MUST_PLNTXT 0x20020 #define CIFSSEC_MUST_PLNTXT 0x20020
#ifdef CONFIG_CIFS_UPCALL #ifdef CONFIG_CIFS_UPCALL
#define CIFSSEC_MASK 0x3F03F /* allows weak security but also krb5 */ #define CIFSSEC_MASK 0xAF0AF /* allows weak security but also krb5 */
#else #else
#define CIFSSEC_MASK 0x37037 /* current flags supported if weak */ #define CIFSSEC_MASK 0xA70A7 /* current flags supported if weak */
#endif /* UPCALL */ #endif /* UPCALL */
#else /* do not allow weak pw hash */ #else /* do not allow weak pw hash */
#ifdef CONFIG_CIFS_UPCALL #ifdef CONFIG_CIFS_UPCALL
#define CIFSSEC_MASK 0x0F00F /* flags supported if no weak allowed */ #define CIFSSEC_MASK 0x8F08F /* flags supported if no weak allowed */
#else #else
#define CIFSSEC_MASK 0x07007 /* flags supported if no weak allowed */ #define CIFSSEC_MASK 0x87087 /* flags supported if no weak allowed */
#endif /* UPCALL */ #endif /* UPCALL */
#endif /* WEAK_PW_HASH */ #endif /* WEAK_PW_HASH */
#define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */ #define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */
#define CIFSSEC_MUST_NTLMSSP 0x80080 /* raw ntlmssp with ntlmv2 */
#define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2) #define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2)
#define CIFSSEC_MAX (CIFSSEC_MUST_SIGN | CIFSSEC_MUST_NTLMV2) #define CIFSSEC_MAX (CIFSSEC_MUST_SIGN | CIFSSEC_MUST_NTLMV2)
#define CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_LANMAN | CIFSSEC_MAY_PLNTXT | CIFSSEC_MAY_KRB5) #define CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_LANMAN | CIFSSEC_MAY_PLNTXT | CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_NTLMSSP)
/* /*
***************************************************************** *****************************************************************
* All constants go here * All constants go here
......
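Review bot: The two weak-password-hash `CIFSSEC_MASK` values in the last hunk do not equal the old masks OR-ed with the new `CIFSSEC_MUST_NTLMSSP` bits: 0x3F03F | 0x80080 is 0xBF0BF, not 0xAF0AF, and 0x37037 | 0x80080 is 0xB70B7, not 0xA70A7, so both new values drop the 0x10 and 0x10000 bits that `CIFSSEC_MUST_LANMAN` (0x10010) occupies. The two non-weak masks (0x8F08F and 0x87087) do come out right. If this mask is what validates the flags a user writes through /proc, as its comments suggest, LANMAN can no longer be enabled in the weak-hash build even though `CIFSSEC_AUTH_MASK` still lists it. Suggested: `#define CIFSSEC_MASK          0xBF0BF /* allows weak security but also krb5 */` and `#define CIFSSEC_MASK          0xB70B7 /* current flags supported if weak */`.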
...@@ -449,6 +449,14 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses) ...@@ -449,6 +449,14 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
cFYI(1, ("Kerberos only mechanism, enable extended security")); cFYI(1, ("Kerberos only mechanism, enable extended security"));
pSMB->hdr.Flags2 |= SMBFLG2_EXT_SEC; pSMB->hdr.Flags2 |= SMBFLG2_EXT_SEC;
} }
#ifdef CONFIG_CIFS_EXPERIMENTAL
else if ((secFlags & CIFSSEC_MUST_NTLMSSP) == CIFSSEC_MUST_NTLMSSP)
pSMB->hdr.Flags2 |= SMBFLG2_EXT_SEC;
else if ((secFlags & CIFSSEC_AUTH_MASK) == CIFSSEC_MAY_NTLMSSP) {
cFYI(1, ("NTLMSSP only mechanism, enable extended security"));
pSMB->hdr.Flags2 |= SMBFLG2_EXT_SEC;
}
#endif
count = 0; count = 0;
for (i = 0; i < CIFS_NUM_PROT; i++) { for (i = 0; i < CIFS_NUM_PROT; i++) {
...@@ -585,6 +593,8 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses) ...@@ -585,6 +593,8 @@ CIFSSMBNegotiate(unsigned int xid, struct cifsSesInfo *ses)
server->secType = NTLMv2; server->secType = NTLMv2;
else if (secFlags & CIFSSEC_MAY_KRB5) else if (secFlags & CIFSSEC_MAY_KRB5)
server->secType = Kerberos; server->secType = Kerberos;
else if (secFlags & CIFSSEC_MAY_NTLMSSP)
server->secType = NTLMSSP;
else if (secFlags & CIFSSEC_MAY_LANMAN) else if (secFlags & CIFSSEC_MAY_LANMAN)
server->secType = LANMAN; server->secType = LANMAN;
/* #ifdef CONFIG_CIFS_EXPERIMENTAL /* #ifdef CONFIG_CIFS_EXPERIMENTAL
......
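Review bot: In the second hunk, `server->secType = NTLMSSP;` picks the enum value this same commit documents as "NTLMSSP via SPNEGO", while the flag being tested, `CIFSSEC_MAY_NTLMSSP`, is defined as "raw ntlmssp with ntlmv2" and the commit message describes raw (non-SPNEGO) NTLMSSP; `server->secType = RawNTLMSSP;` looks like the intended value, unless session setup later tells the two apart by some signal not visible here. That assignment also sits outside the `CONFIG_CIFS_EXPERIMENTAL` guard that wraps the `SMBFLG2_EXT_SEC` enabling in the first hunk, so a build without that option can presumably reach this secType with no extended-security flag negotiated; putting both under the same guard, or neither, would keep them in step. The `CIFSSEC_MUST_NTLMSSP` branch in the first hunk sets the flag silently while both neighbouring branches log a cFYI; a matching `cFYI(1, ("NTLMSSP required, enable extended security"));` would keep the trace consistent. CIFSSMBNegotiate starts and ends outside both hunks.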
...@@ -979,6 +979,13 @@ cifs_parse_mount_options(char *options, const char *devname, ...@@ -979,6 +979,13 @@ cifs_parse_mount_options(char *options, const char *devname,
return 1; return 1;
} else if (strnicmp(value, "krb5", 4) == 0) { } else if (strnicmp(value, "krb5", 4) == 0) {
vol->secFlg |= CIFSSEC_MAY_KRB5; vol->secFlg |= CIFSSEC_MAY_KRB5;
#ifdef CONFIG_CIFS_EXPERIMENTAL
} else if (strnicmp(value, "ntlmsspi", 8) == 0) {
vol->secFlg |= CIFSSEC_MAY_NTLMSSP |
CIFSSEC_MUST_SIGN;
} else if (strnicmp(value, "ntlmssp", 7) == 0) {
vol->secFlg |= CIFSSEC_MAY_NTLMSSP;
#endif
} else if (strnicmp(value, "ntlmv2i", 7) == 0) { } else if (strnicmp(value, "ntlmv2i", 7) == 0) {
vol->secFlg |= CIFSSEC_MAY_NTLMV2 | vol->secFlg |= CIFSSEC_MAY_NTLMV2 |
CIFSSEC_MUST_SIGN; CIFSSEC_MUST_SIGN;
......
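Review bot: The `"ntlmsspi"` test on the first added `else if` must stay ahead of the `"ntlmssp"` one, because `strnicmp` with a fixed length is a prefix match and the shorter string would otherwise swallow the signed variant; nothing in the hunk records that dependency, so a comment such as `/* "ntlmsspi" must be tested before its "ntlmssp" prefix */` above the first branch would protect it (the existing `ntlmv2i`/`ntlmv2` pair carries the same dependency). The prefix compare also accepts any value that merely begins with "ntlmssp", which matches how the neighbouring options are parsed, so it is not new here. With `CONFIG_CIFS_EXPERIMENTAL` unset, `sec=ntlmssp` falls through to the remaining comparisons; what the chain's tail does with an unmatched value is outside this hunk. cifs_parse_mount_options begins and ends outside the hunk.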