[CIFS] Allow raw ntlmssp code to be enabled with sec=ntlmssp

On mount, "sec=ntlmssp" can now be specified to allow
"rawntlmssp" security to be enabled during
CIFS session establishment/authentication (ntlmssp used to
require specifying krb5 which was counterintuitive).

Signed-off-by: Steve French <sfrench@us.ibm.com>

+35 -8
+9 -1
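--- a/fs/cifs/README
+++ b/fs/cifs/README
@@ -651,7 +651,15 @@
 signing turned on in case buffer was modified
 just before it was sent, also this flag will
 be used to use the new experimental directory change
-notification code).
+notification code). When set to 2 enables
+an additional experimental feature, "raw ntlmssp"
+session establishment support (which allows
+specifying "sec=ntlmssp" on mount). The Linux cifs
+module will use ntlmv2 authentication encapsulated
+in "raw ntlmssp" (not using SPNEGO) when
+"sec=ntlmssp" is specified on mount.
+This support also requires building cifs with
+the CONFIG_CIFS_EXPERIMENTAL configuration flag.
 
 These experimental features and tracing can be enabled by changing flags in
 /proc/fs/cifs (after the cifs module has been installed or built into the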
+9 -7
fs/cifs/cifsglob.h
··· 82 82 LANMAN, /* Legacy LANMAN auth */ 83 83 NTLM, /* Legacy NTLM012 auth with NTLM hash */ 84 84 NTLMv2, /* Legacy NTLM auth with NTLMv2 hash */ 85 - RawNTLMSSP, /* NTLMSSP without SPNEGO */ 86 - NTLMSSP, /* NTLMSSP via SPNEGO */ 85 + RawNTLMSSP, /* NTLMSSP without SPNEGO, NTLMv2 hash */ 86 + NTLMSSP, /* NTLMSSP via SPNEGO, NTLMv2 hash */ 87 87 Kerberos, /* Kerberos via SPNEGO */ 88 88 MSKerberos, /* MS Kerberos via SPNEGO */ 89 89 }; ··· 531 531 #define CIFSSEC_MAY_PLNTXT 0 532 532 #endif /* weak passwords */ 533 533 #define CIFSSEC_MAY_SEAL 0x00040 /* not supported yet */ 534 + #define CIFSSEC_MAY_NTLMSSP 0x00080 /* raw ntlmssp with ntlmv2 */ 534 535 535 536 #define CIFSSEC_MUST_SIGN 0x01001 536 537 /* note that only one of the following can be set so the ··· 544 543 #define CIFSSEC_MUST_LANMAN 0x10010 545 544 #define CIFSSEC_MUST_PLNTXT 0x20020 546 545 #ifdef CONFIG_CIFS_UPCALL 547 - #define CIFSSEC_MASK 0x3F03F /* allows weak security but also krb5 */ 546 + #define CIFSSEC_MASK 0xAF0AF /* allows weak security but also krb5 */ 548 547 #else 549 - #define CIFSSEC_MASK 0x37037 /* current flags supported if weak */ 548 + #define CIFSSEC_MASK 0xA70A7 /* current flags supported if weak */ 550 549 #endif /* UPCALL */ 551 550 #else /* do not allow weak pw hash */ 552 551 #ifdef CONFIG_CIFS_UPCALL 553 - #define CIFSSEC_MASK 0x0F00F /* flags supported if no weak allowed */ 552 + #define CIFSSEC_MASK 0x8F08F /* flags supported if no weak allowed */ 554 553 #else 555 - #define CIFSSEC_MASK 0x07007 /* flags supported if no weak allowed */ 554 + #define CIFSSEC_MASK 0x87087 /* flags supported if no weak allowed */ 556 555 #endif /* UPCALL */ 557 556 #endif /* WEAK_PW_HASH */ 558 557 #define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */ 558 + #define CIFSSEC_MUST_NTLMSSP 0x80080 /* raw ntlmssp with ntlmv2 */ 559 559 560 560 #define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2) 561 561 #define CIFSSEC_MAX (CIFSSEC_MUST_SIGN | 
CIFSSEC_MUST_NTLMV2) 562 - #define CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_LANMAN | CIFSSEC_MAY_PLNTXT | CIFSSEC_MAY_KRB5) 562 + #define CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_LANMAN | CIFSSEC_MAY_PLNTXT | CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_NTLMSSP) 563 563 /* 564 564 ***************************************************************** 565 565 * All constants go here
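Review bot: The two weak-password-hash values of `CIFSSEC_MASK` lose the 0x10 and 0x10000 bits while gaining the NTLMSSP ones: 0x3F03F becomes 0xAF0AF and 0x37037 becomes 0xA70A7, whereas OR-ing in `CIFSSEC_MUST_NTLMSSP` (0x80080) would give `0xBF0BF` and `0xB70B7`. The dropped bits are exactly those of `CIFSSEC_MUST_LANMAN` (0x10010), so LANMAN flags would presumably stop passing wherever this mask is applied, a behaviour change the commit message does not mention. The two masks in the no-weak-hash branch (0x8F08F, 0x87087) add the new bits without removing any. If disabling LANMAN is intended it deserves its own commit and a comment next to the mask; otherwise `#define CIFSSEC_MASK 0xBF0BF` and `#define CIFSSEC_MASK 0xB70B7` look like the intended values.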
+10
fs/cifs/cifssmb.c
··· 449 449 cFYI(1, ("Kerberos only mechanism, enable extended security")); 450 450 pSMB->hdr.Flags2 |= SMBFLG2_EXT_SEC; 451 451 } 452 + #ifdef CONFIG_CIFS_EXPERIMENTAL 453 + else if ((secFlags & CIFSSEC_MUST_NTLMSSP) == CIFSSEC_MUST_NTLMSSP) 454 + pSMB->hdr.Flags2 |= SMBFLG2_EXT_SEC; 455 + else if ((secFlags & CIFSSEC_AUTH_MASK) == CIFSSEC_MAY_NTLMSSP) { 456 + cFYI(1, ("NTLMSSP only mechanism, enable extended security")); 457 + pSMB->hdr.Flags2 |= SMBFLG2_EXT_SEC; 458 + } 459 + #endif 452 460 453 461 count = 0; 454 462 for (i = 0; i < CIFS_NUM_PROT; i++) { ··· 593 585 server->secType = NTLMv2; 594 586 else if (secFlags & CIFSSEC_MAY_KRB5) 595 587 server->secType = Kerberos; 588 + else if (secFlags & CIFSSEC_MAY_NTLMSSP) 589 + server->secType = NTLMSSP; 596 590 else if (secFlags & CIFSSEC_MAY_LANMAN) 597 591 server->secType = LANMAN; 598 592 /* #ifdef CONFIG_CIFS_EXPERIMENTAL
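Review bot: The new branch `else if (secFlags & CIFSSEC_MAY_NTLMSSP) server->secType = NTLMSSP;` in the second hunk selects `NTLMSSP`, which the enum in cifsglob.h describes as the SPNEGO variant, although the flag is documented as "raw ntlmssp" and `RawNTLMSSP` is the type without SPNEGO. Either assign `server->secType = RawNTLMSSP;` or add a comment saying why the SPNEGO type is chosen here and where it is narrowed to raw later. The branch is also compiled unconditionally, unlike the `#ifdef CONFIG_CIFS_EXPERIMENTAL` branches in the first hunk and the mount-option parsing in connect.c, so this secType could be selected on a build where the rest of the path is compiled out, for instance if the global security flags accept the new bit. The enclosing function starts and ends outside both hunks.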
+7
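--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -979,6 +979,13 @@
 return 1;
 } else if (strnicmp(value, "krb5", 4) == 0) {
 vol->secFlg |= CIFSSEC_MAY_KRB5;
+#ifdef CONFIG_CIFS_EXPERIMENTAL
+} else if (strnicmp(value, "ntlmsspi", 8) == 0) {
+vol->secFlg |= CIFSSEC_MAY_NTLMSSP |
+CIFSSEC_MUST_SIGN;
+} else if (strnicmp(value, "ntlmssp", 7) == 0) {
+vol->secFlg |= CIFSSEC_MAY_NTLMSSP;
+#endif
 } else if (strnicmp(value, "ntlmv2i", 7) == 0) {
 vol->secFlg |= CIFSSEC_MAY_NTLMV2 |
 CIFSSEC_MUST_SIGN;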
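Review bot: With `CONFIG_CIFS_EXPERIMENTAL` unset the two new branches are compiled out, and because the values are matched by prefix with `strnicmp`, `sec=ntlmssp` then falls through to whichever later branch matches a shorter `ntlm` prefix instead of being rejected. Those later branches lie below the hunk, so this is inferred from the visible `ntlmv2i` pattern. A mount that asked for NTLMSSP would then silently get a different and possibly weaker mechanism. Consider matching the option unconditionally and failing it on non-experimental builds, for example an `#else` arm with `cERROR(1, ("sec=ntlmssp requires CONFIG_CIFS_EXPERIMENTAL")); return 1;`. The enclosing option-parsing function starts and ends outside the hunk.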