[PATCH]: mount.cifs: Allows passwords of length up to 127 bytes

Andrew Bartlett abartlet at samba.org
Thu Feb 28 06:21:09 GMT 2008


On Thu, 2008-02-28 at 11:54 +0530, Suresh Jayaraman wrote:
> Andrew Bartlett wrote:
> > On Wed, 2008-02-27 at 23:14 +0530, Suresh Jayaraman wrote:
> 
> >>
> >> However, the Windows versions above Windows 98 (Windows 2000, XP and
> >> above including Samba), support passwords up to 127 characters. NTLM
> >> passwords are limited only in GUI
> > 
> > Only in the GUI on NT4 as I understand it. 
> 
> Yes, only in NT4.
>  
> >> The above patch was already discussed in linux-cifs-client mailing
> >> list. But, Steve was a little unsure about the associated kernel patch
> >> which adds a kernel warning if the length exceeds. Re-posting the 
> >> mount.cifs patch alone (Ccing samba-technical as well).
> > 
> > It seems entirely reasonable not to have any limit here, except to
> > prevent abuse.  If MD4 can handle it, then it's a valid password.  
> > 
> > If you were so silly as to force lanman encryption with the long
> > password, only the first 14 DOS bytes would be used, so Samba just
> > disables that weak encryption in this case (as it makes no sense). 
> > 
> 
> Exactly. This was why the kernel patch posted along with this in previous
> try, added a warning (but still allows mount to proceed) like the one
> below:
> 
> @@ -988,6 +988,9 @@ cifs_parse_mount_options(char *options, const char *devname,
>  				vol->secFlg |= CIFSSEC_MAY_NTLMV2;
>  #ifdef CONFIG_CIFS_WEAK_PW_HASH
>  			} else if (strnicmp(value, "lanman", 6) == 0) {
> +				if (strnlen(vol->password, 15) >= 15)
> +					printk(KERN_WARNING "CIFS: password "
> +					       "longer than 14, truncated\n");
>  				vol->secFlg |= CIFSSEC_MAY_LANMAN;
>  #endif
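
Review bot: The added strnlen(vol->password, 15) in the "lanman" branch runs at the moment the sec= value is parsed, and nothing in the hunk checks that vol->password is non-NULL there. If the password option is parsed later or is absent, this dereferences a NULL pointer, and a password set after sec=lanman is never checked at all. I would move the length check to after all options have been parsed and guard it with a vol->password != NULL test. Separately, the message says "truncated" while the visible code only sets CIFSSEC_MAY_LANMAN and leaves vol->password untouched, and it records a fact about the password's length in the kernel log; either reword it to describe what actually happens or drop the printk.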
> 
> However, Steve French wrote:
> 
> >> I have mixed feelings about giving any information on the password
> >> length, but I agree that mount.cifs should not restrict it.
> 
> I'm wondering whether the right thing to do here is to warn the user about
> this or just be silent and don't provide any information on password length.
> 
> Would appreciate any inputs, suggestions. 

I would not mention it.  Samba's utilities have never mentioned it, and
nobody has ever had a problem.  If you have successfully set a long
password, then clearly you are not using a server that has this
restriction, and the 'lanman' option should be ignored. 

Sending the truncated password is a security risk - Samba and Windows
servers do not store the truncated password, and it only risks
disclosing those first 14 characters.

Andrew Bartlett

-- 
Andrew Bartlett
http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
Samba Developer, Red Hat Inc.