commit ac68392460ffefed13020967bae04edc4d3add06 · tjh.dev/kernel

tjh.dev / kernel

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

[CIFS] Allow raw ntlmssp code to be enabled with sec=ntlmssp

On mount, "sec=ntlmssp" can now be specified to allow
"rawntlmssp" security to be enabled during
CIFS session establishment/authentication (ntlmssp used to
require specifying krb5 which was counterintuitive).

Signed-off-by: Steve French <sfrench@us.ibm.com>

Steve French 16 years ago ac683924 844823cb

+35 -8

4 changed files

expand all

unified split

cifs

README

cifsglob.h

cifssmb.c

connect.c

+9 -1

fs/cifs/README

··· 651 signing turned on in case buffer was modified 652 just before it was sent, also this flag will 653 be used to use the new experimental directory change 654 - notification code). 655 656 These experimental features and tracing can be enabled by changing flags in 657 /proc/fs/cifs (after the cifs module has been installed or built into the

··· 651 signing turned on in case buffer was modified 652 just before it was sent, also this flag will 653 be used to use the new experimental directory change 654 + notification code). When set to 2 enables 655 + an additional experimental feature, "raw ntlmssp" 656 + session establishment support (which allows 657 + specifying "sec=ntlmssp" on mount). The Linux cifs 658 + module will use ntlmv2 authentication encapsulated 659 + in "raw ntlmssp" (not using SPNEGO) when 660 + "sec=ntlmssp" is specified on mount. 661 + This support also requires building cifs with 662 + the CONFIG_CIFS_EXPERIMENTAL configuration flag. 663 664 These experimental features and tracing can be enabled by changing flags in 665 /proc/fs/cifs (after the cifs module has been installed or built into the

+9 -7

fs/cifs/cifsglob.h

··· 82 LANMAN, /* Legacy LANMAN auth */ 83 NTLM, /* Legacy NTLM012 auth with NTLM hash */ 84 NTLMv2, /* Legacy NTLM auth with NTLMv2 hash */ 85 - RawNTLMSSP, /* NTLMSSP without SPNEGO */ 86 - NTLMSSP, /* NTLMSSP via SPNEGO */ 87 Kerberos, /* Kerberos via SPNEGO */ 88 MSKerberos, /* MS Kerberos via SPNEGO */ 89 }; ··· 531 #define CIFSSEC_MAY_PLNTXT 0 532 #endif /* weak passwords */ 533 #define CIFSSEC_MAY_SEAL 0x00040 /* not supported yet */ 534 535 #define CIFSSEC_MUST_SIGN 0x01001 536 /* note that only one of the following can be set so the ··· 544 #define CIFSSEC_MUST_LANMAN 0x10010 545 #define CIFSSEC_MUST_PLNTXT 0x20020 546 #ifdef CONFIG_CIFS_UPCALL 547 - #define CIFSSEC_MASK 0x3F03F /* allows weak security but also krb5 */ 548 #else 549 - #define CIFSSEC_MASK 0x37037 /* current flags supported if weak */ 550 #endif /* UPCALL */ 551 #else /* do not allow weak pw hash */ 552 #ifdef CONFIG_CIFS_UPCALL 553 - #define CIFSSEC_MASK 0x0F00F /* flags supported if no weak allowed */ 554 #else 555 - #define CIFSSEC_MASK 0x07007 /* flags supported if no weak allowed */ 556 #endif /* UPCALL */ 557 #endif /* WEAK_PW_HASH */ 558 #define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */ 559 560 #define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2) 561 #define CIFSSEC_MAX (CIFSSEC_MUST_SIGN | CIFSSEC_MUST_NTLMV2) 562 - #define CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_LANMAN | CIFSSEC_MAY_PLNTXT | CIFSSEC_MAY_KRB5) 563 /* 564 ***************************************************************** 565 * All constants go here

··· 82 LANMAN, /* Legacy LANMAN auth */ 83 NTLM, /* Legacy NTLM012 auth with NTLM hash */ 84 NTLMv2, /* Legacy NTLM auth with NTLMv2 hash */ 85 + RawNTLMSSP, /* NTLMSSP without SPNEGO, NTLMv2 hash */ 86 + NTLMSSP, /* NTLMSSP via SPNEGO, NTLMv2 hash */ 87 Kerberos, /* Kerberos via SPNEGO */ 88 MSKerberos, /* MS Kerberos via SPNEGO */ 89 }; ··· 531 #define CIFSSEC_MAY_PLNTXT 0 532 #endif /* weak passwords */ 533 #define CIFSSEC_MAY_SEAL 0x00040 /* not supported yet */ 534 + #define CIFSSEC_MAY_NTLMSSP 0x00080 /* raw ntlmssp with ntlmv2 */ 535 536 #define CIFSSEC_MUST_SIGN 0x01001 537 /* note that only one of the following can be set so the ··· 543 #define CIFSSEC_MUST_LANMAN 0x10010 544 #define CIFSSEC_MUST_PLNTXT 0x20020 545 #ifdef CONFIG_CIFS_UPCALL 546 + #define CIFSSEC_MASK 0xAF0AF /* allows weak security but also krb5 */ 547 #else 548 + #define CIFSSEC_MASK 0xA70A7 /* current flags supported if weak */ 549 #endif /* UPCALL */ 550 #else /* do not allow weak pw hash */ 551 #ifdef CONFIG_CIFS_UPCALL 552 + #define CIFSSEC_MASK 0x8F08F /* flags supported if no weak allowed */ 553 #else 554 + #define CIFSSEC_MASK 0x87087 /* flags supported if no weak allowed */ 555 #endif /* UPCALL */ 556 #endif /* WEAK_PW_HASH */ 557 #define CIFSSEC_MUST_SEAL 0x40040 /* not supported yet */ 558 + #define CIFSSEC_MUST_NTLMSSP 0x80080 /* raw ntlmssp with ntlmv2 */ 559 560 #define CIFSSEC_DEF (CIFSSEC_MAY_SIGN | CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2) 561 #define CIFSSEC_MAX (CIFSSEC_MUST_SIGN | CIFSSEC_MUST_NTLMV2) 562 + #define CIFSSEC_AUTH_MASK (CIFSSEC_MAY_NTLM | CIFSSEC_MAY_NTLMV2 | CIFSSEC_MAY_LANMAN | CIFSSEC_MAY_PLNTXT | CIFSSEC_MAY_KRB5 | CIFSSEC_MAY_NTLMSSP) 563 /* 564 ***************************************************************** 565 * All constants go here

+10

fs/cifs/cifssmb.c

··· 449 cFYI(1, ("Kerberos only mechanism, enable extended security")); 450 pSMB->hdr.Flags2 |= SMBFLG2_EXT_SEC; 451 } 452 453 count = 0; 454 for (i = 0; i < CIFS_NUM_PROT; i++) { ··· 593 server->secType = NTLMv2; 594 else if (secFlags & CIFSSEC_MAY_KRB5) 595 server->secType = Kerberos; 596 else if (secFlags & CIFSSEC_MAY_LANMAN) 597 server->secType = LANMAN; 598 /* #ifdef CONFIG_CIFS_EXPERIMENTAL

··· 449 cFYI(1, ("Kerberos only mechanism, enable extended security")); 450 pSMB->hdr.Flags2 |= SMBFLG2_EXT_SEC; 451 } 452 + #ifdef CONFIG_CIFS_EXPERIMENTAL 453 + else if ((secFlags & CIFSSEC_MUST_NTLMSSP) == CIFSSEC_MUST_NTLMSSP) 454 + pSMB->hdr.Flags2 |= SMBFLG2_EXT_SEC; 455 + else if ((secFlags & CIFSSEC_AUTH_MASK) == CIFSSEC_MAY_NTLMSSP) { 456 + cFYI(1, ("NTLMSSP only mechanism, enable extended security")); 457 + pSMB->hdr.Flags2 |= SMBFLG2_EXT_SEC; 458 + } 459 + #endif 460 461 count = 0; 462 for (i = 0; i < CIFS_NUM_PROT; i++) { ··· 585 server->secType = NTLMv2; 586 else if (secFlags & CIFSSEC_MAY_KRB5) 587 server->secType = Kerberos; 588 + else if (secFlags & CIFSSEC_MAY_NTLMSSP) 589 + server->secType = NTLMSSP; 590 else if (secFlags & CIFSSEC_MAY_LANMAN) 591 server->secType = LANMAN; 592 /* #ifdef CONFIG_CIFS_EXPERIMENTAL

fs/cifs/connect.c

··· 979 return 1; 980 } else if (strnicmp(value, "krb5", 4) == 0) { 981 vol->secFlg |= CIFSSEC_MAY_KRB5; 982 } else if (strnicmp(value, "ntlmv2i", 7) == 0) { 983 vol->secFlg |= CIFSSEC_MAY_NTLMV2 | 984 CIFSSEC_MUST_SIGN;

··· 979 return 1; 980 } else if (strnicmp(value, "krb5", 4) == 0) { 981 vol->secFlg |= CIFSSEC_MAY_KRB5; 982 + #ifdef CONFIG_CIFS_EXPERIMENTAL 983 + } else if (strnicmp(value, "ntlmsspi", 8) == 0) { 984 + vol->secFlg |= CIFSSEC_MAY_NTLMSSP | 985 + CIFSSEC_MUST_SIGN; 986 + } else if (strnicmp(value, "ntlmssp", 7) == 0) { 987 + vol->secFlg |= CIFSSEC_MAY_NTLMSSP; 988 + #endif 989 } else if (strnicmp(value, "ntlmv2i", 7) == 0) { 990 vol->secFlg |= CIFSSEC_MAY_NTLMV2 | 991 CIFSSEC_MUST_SIGN;