[linux-cifs-client] Re: Plaintext password exchange with the kernel
cifs module
Steven French
sfrench at us.ibm.com
Mon Feb 13 16:23:25 GMT 2006
> decided to go only the plaintext password way. I tested my server with
the
> smb kernel module an it worked (at least the password part). Now I wanted
> to test the server with the cifs kernel module and I observed, that the
> server receives always a somewhat encrypted password (I think it gets
> encrypted with SMBencrypt(), because I receive a 24 byte value. The
> server correctly sends 0x01 as security mode in the Negotiate message).
> I saw that you did a lot of work for the cifs module so I decided to
> ask you directly if it is intended that the module sends an encrypted
> pwd even if the server requested a plaintext pwd.
It would be very easy to support.
I decided to turn off plain text passwords (and lanman passwords) as they
are so insecure and users might not realize when a rogue server would be
"downgraded" to force plain text from the client (or very weak passwords).
I don't know if that is the right decision - I am second guessing that
since lanman hash is necessary for finish up of support for os/2 and
windows 95 and there are some valid cases in which the physical network is
secure and plain text passwords to the server might be ok. Perhaps the
best alternative is add a
CONFIG_WEAK_PASSWORDS
in make menuconfig, and put the lanman and plain text password support in
that ifdef (mostly in fs/cifs/connect.c, although I have been toying with a
new ntlmssp.c which might contain a session setup rewrite - as session
setup for cifs is verbose and could use cleaning up as well as the needed
fixes for ntlmv2). In addition if "CONFIG_WEAK_PASSWORDS" is set, cifs
could export a /proc/fs/cifs/AllowWeakPasswords which would default to one
(perhaps set to zero would mean NTLMv2 or Kerberos only, since NTLMv2 is
close to complete although Kerberos is not, set to one would indicate allow
ntlm or ntlmv2 or kerberos, two would indicate allow lanman or ntlmv or
ntlmv2 or kerveros, 3 would be allow plain text etc.)
Thoughts?
Steve French
Senior Software Engineer
Linux Technology Center - IBM Austin
phone: 512-838-2294
email: sfrench at-sign us dot ibm dot com
-------------- next part --------------
HTML attachment scrubbed and removed
More information about the linux-cifs-client
mailing list