[linux-cifs-client] [PATCH 09/11] cifs: allow mixed secTypes on a socket

Steve French smfrench at gmail.com
Thu May 6 16:29:17 MDT 2010


On Sat, Apr 24, 2010 at 6:57 AM, Jeff Layton <jlayton at redhat.com> wrote:

> Allow secType to be set on a per-session basis. This allows us to mix
> secTypes on a single socket. Also, add a "sign" bool to cifsSesInfo
> and determine whether signing should be enabled at session setup
> time.
>
>  enum securityEnum {
> -       PLAINTXT = 0,           /* Legacy with Plaintext passwords */
> +       Undefined = 0,          /* Uninitialized */
> +       Anonymous,              /* Anonymous login */
> +       Plaintext,              /* Legacy with plaintext passwords */
>        LANMAN,                 /* Legacy LANMAN auth */
>        NTLM,                   /* Legacy NTLM012 auth with NTLM hash */
>        NTLMv2,                 /* Legacy NTLM auth with NTLMv2 hash */
> -       RawNTLMSSP,             /* NTLMSSP without SPNEGO, NTLMv2 hash */
> -/*     NTLMSSP, */ /* can use rawNTLMSSP instead of NTLMSSP via SPNEGO */
> +       NTLMSSP,                /* NTLMSSP, NTLMv1 hash */
>        Kerberos,               /* Kerberos via SPNEGO */
>  };
>
>
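Review bot: the new NTLMSSP entry's comment says "NTLMv1 hash" where the removed RawNTLMSSP line said "NTLMv2 hash"; if this patch does not actually change which hash the NTLMSSP session setup sends, the comment now misdescribes the code, so either keep "NTLMv2 hash" or state the change in the commit message. Also, inserting Undefined, Anonymous and Plaintext at the front renumbers LANMAN, NTLM and NTLMv2, and PLAINTXT and RawNTLMSSP disappear as identifiers, so every user of those names and any code or debug output that compares the enum numerically needs updating in the same patch.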
I like how this adds Anonymous and starts that at 1 rather than 0; that makes sense.

> @@ -978,42 +978,39 @@ cifs_parse_mount_options(char *options, const char
> *devname,
>                                cERROR(1, "no security value specified");
>                                continue;
>                        } else if (strnicmp(value, "krb5i", 5) == 0) {
> -                               vol->secFlg |= CIFSSEC_MAY_KRB5 |
> -                                       CIFSSEC_MUST_SIGN;
> +                               vol->sectype = Kerberos;
> +                               vol->sign = true;
>                        } else if (strnicmp(value, "krb5p", 5) == 0) {
> -                               /* vol->secFlg |= CIFSSEC_MUST_SEAL |
> -                                       CIFSSEC_MAY_KRB5; */
>                                cERROR(1, "Krb5 cifs privacy not
> supported");
>                                return 1;
>                        } else if (strnicmp(value, "krb5", 4) == 0) {
> -                               vol->secFlg |= CIFSSEC_MAY_KRB5;
> +                               vol->sectype = Kerberos;
>
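Review bot: in the krb5i/krb5 branches, replacing `vol->secFlg |= ...` with `vol->sectype = Kerberos` makes a repeated sec= option silently override the previous one, and because only the krb5i branch touches vol->sign and nothing clears it, the result depends on option order: `sec=krb5i,sec=krb5` leaves sectype = Kerberos with sign = true, while the plain krb5 branch alone leaves sign at whatever it was. Either set `vol->sign = false` in every branch that assigns sectype, or reject a second sec= with cERROR and return 1 as the krb5p branch already does for the unsupported case, and say in the commit message that sec= no longer accepts more than one value.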


Doesn't this change behavior a lot? The user can no longer pass in a list of
more than one acceptable security option as before (e.g. sec=krb5,
sec=ntlmv2i) and can only specify one (but doesn't know ahead of time which
the server supports).

Also, I'm curious whether it changed how plaintext was handled (if built with
weak password support allowed, which I don't want to encourage). IIRC we sent
this via the older (LANMAN-only) style session setup.


-- 
Thanks,

Steve
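The behavior change raised in the reply above, as an added, stand-alone illustration that is not cifs kernel code and not Jeff's or Steve's: how several sec= values combine under the old CIFSSEC_MAY_* bitmask (any listed type is acceptable and signing is demanded if any "i" variant appears) versus the per-volume sectype/sign pair in the patch (the last sec= wins and a stale sign flag can leak), plus a strict variant that refuses a second sec=. The numeric flag values, the strncasecmp stand-in for the kernel's strnicmp, and the parse_options/result helpers are assumptions made for this example.

```c
/* Added example, not cifs kernel code: how "sec=" mount options combine under the
 * old CIFSSEC_MAY_* bitmask versus the sectype/sign pair introduced by the patch.
 * strncasecmp stands in for the kernel's strnicmp; flag values are assumed. */
#define _POSIX_C_SOURCE 200809L
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

enum securityEnum { Undefined = 0, Anonymous, Plaintext, LANMAN, NTLM, NTLMv2, NTLMSSP, Kerberos };

/* Assumed values; the real constants live in the cifs headers. */
#define CIFSSEC_MAY_KRB5   0x0001u
#define CIFSSEC_MAY_NTLMV2 0x0002u
#define CIFSSEC_MUST_SIGN  0x1000u
#define SIGN_BIT           0x100   /* packs vol->sign above the enum in results */

struct vol_old { unsigned int secFlg; };
struct vol_new { enum securityEnum sectype; bool sign; };

/* Old scheme: each sec= ORs in "may" bits, so several values accumulate and the
 * server's negotiate response picks among them. */
static int parse_sec_old(void *v, const char *value)
{
    struct vol_old *vol = v;
    if (strncasecmp(value, "krb5i", 5) == 0)        vol->secFlg |= CIFSSEC_MAY_KRB5 | CIFSSEC_MUST_SIGN;
    else if (strncasecmp(value, "krb5", 4) == 0)    vol->secFlg |= CIFSSEC_MAY_KRB5;
    else if (strncasecmp(value, "ntlmv2i", 7) == 0) vol->secFlg |= CIFSSEC_MAY_NTLMV2 | CIFSSEC_MUST_SIGN;
    else if (strncasecmp(value, "ntlmv2", 6) == 0)  vol->secFlg |= CIFSSEC_MAY_NTLMV2;
    else return -1;
    return 0;
}

/* New scheme as posted: each sec= assigns sectype, so the last one wins; only the
 * "i" variants touch sign and nothing clears it, so order matters. */
static int parse_sec_new(void *v, const char *value)
{
    struct vol_new *vol = v;
    if (strncasecmp(value, "krb5i", 5) == 0)        { vol->sectype = Kerberos; vol->sign = true; }
    else if (strncasecmp(value, "krb5", 4) == 0)    vol->sectype = Kerberos;
    else if (strncasecmp(value, "ntlmv2i", 7) == 0) { vol->sectype = NTLMv2; vol->sign = true; }
    else if (strncasecmp(value, "ntlmv2", 6) == 0)  vol->sectype = NTLMv2;
    else return -1;
    return 0;
}

/* Hardened variant: refuse a second sec= instead of silently overriding, and
 * rebuild sectype/sign from scratch so the result never depends on order. */
static int parse_sec_strict(void *v, const char *value)
{
    struct vol_new *vol = v, tmp = { Undefined, false };
    if (vol->sectype != Undefined) return -1;      /* "sec=" given twice */
    if (parse_sec_new(&tmp, value) < 0) return -1;
    *vol = tmp;
    return 0;
}

/* Walk a comma-separated option string such as "sec=krb5,sec=ntlmv2i,rw" and feed
 * each sec= value to the chosen scheme. Returns -1 on the first rejected value. */
typedef int (*sec_fn)(void *vol, const char *value);
static int parse_options(const char *options, sec_fn fn, void *vol)
{
    char buf[256], *save, *tok;
    strncpy(buf, options, sizeof buf - 1); buf[sizeof buf - 1] = '\0';
    for (tok = strtok_r(buf, ",", &save); tok; tok = strtok_r(NULL, ",", &save))
        if (strncmp(tok, "sec=", 4) == 0 && fn(vol, tok + 4) < 0) return -1;
    return 0;
}

/* Result helpers: old scheme returns the flag word (0xFFFFFFFF on error); the new
 * and strict schemes return sectype | SIGN_BIT-if-signing, or -1 on error. */
static unsigned int old_flags_for(const char *opts)
{
    struct vol_old o = { 0 };
    return parse_options(opts, parse_sec_old, &o) < 0 ? 0xFFFFFFFFu : o.secFlg;
}
static int new_result_for(const char *opts)
{
    struct vol_new n = { Undefined, false };
    return parse_options(opts, parse_sec_new, &n) < 0 ? -1 : (int)n.sectype | (n.sign ? SIGN_BIT : 0);
}
static int strict_result_for(const char *opts)
{
    struct vol_new n = { Undefined, false };
    return parse_options(opts, parse_sec_strict, &n) < 0 ? -1 : (int)n.sectype | (n.sign ? SIGN_BIT : 0);
}

int main(void)
{
    const char *opts = "sec=krb5,sec=ntlmv2i,rw";
    printf("old  %s -> secFlg 0x%x\n", opts, old_flags_for(opts));
    printf("new  %s -> sectype|sign 0x%x (last sec= wins)\n", opts, new_result_for(opts));
    printf("new  sec=krb5i,sec=krb5 -> 0x%x (sign leaked from krb5i)\n", new_result_for("sec=krb5i,sec=krb5"));
    printf("strict %s -> %d (second sec= rejected)\n", opts, strict_result_for(opts));
    return 0;
}
```

With the old bitmask, "sec=krb5,sec=ntlmv2i" yields MAY_KRB5|MAY_NTLMV2|MUST_SIGN and the server can choose either type; with the posted patch the same string ends up as NTLMv2 with signing, and "sec=krb5i,sec=krb5" ends up as Kerberos with signing still set from the first value. The strict parser turns both ambiguities into a mount-time error.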