[PATCH] cifs: eliminate CONFIG_CIFS_WEAK_PW_HASH

Steve French smfrench at gmail.com
Fri Apr 27 07:58:55 MDT 2012


On Fri, Apr 27, 2012 at 6:15 AM, Jeff Layton <jlayton at redhat.com> wrote:
> On Sat, 21 Jan 2012 12:26:43 -0500
> simo <idra at samba.org> wrote:
>
>> On Sat, 2012-01-21 at 07:37 -0500, Jeff Layton wrote:
>> > On Sat, 21 Jan 2012 15:03:31 +1100
>> > Andrew Bartlett <abartlet at samba.org> wrote:
>> >
>> > > On Fri, 2012-01-20 at 14:45 -0600, Steve French wrote:
>> > > > My general thinking on this is as follows:
>> > > >
>> > > > If the kernel is distributed to all the workstations in an organization
>> > > > with this Kconfig option disabled, it makes it harder for individual users
>> > > > to make the mistake of enabling lanman (sec=lanman, or the Kconfig
>> > > > option) on a public network and thus send weak password hashes
>> > > > which could be discovered simply. Most distros make the choice
>> > > > of enabling broader compatibility with old pre-1997 servers but
>> > > > it is a very small set of servers who would require lanman support,
>> > > > and a large number of potential attackers who could benefit if
>> > > > users enable lanman on a public network.  I suspect that there
>> > > > are environments where removing code (via Kconfig) is preferred
>> > > > to trusting all owners of all workstations running that organization's
>> > > > standard Linux to never enable lanman at runtime.
>> > > >
>> > > > But ... the opinion of security specialists on this would be welcome.
>> > >
>> > > We have been through some of this with the kerberos libs, which now allow
>> > > (default?) to not even compile with weak crypto.  If the weak crypto is
>> > > not compiled in, it can therefore be asserted that the weak crypto
>> > > cannot be used, and this makes it easier to comply with security
>> > > audits/certification etc.
>> > >
>> > > I don't want to make your code more complex than it needs to be, but LM
>> > > encryption really, really needs to go away.  If it is not a major
>> > > bother, I would like to make it easier for that to happen if possible.
>> > >
>> >
>> > The only way for it to go away completely is for all servers that
>> > support only that encryption to go away completely. Unfortunately,
>> > that's a tall order -- there are still at least some in the field and
>> > people need to get at data on them.
>>
>> Jeff, can you identify them?
>>
>> LM only servers means pre Win 95 machines, I'd be curious to know what
>> servers are there that really support only LM hashes and not NT hashes.
>>
>
> Sorry for the long delay in responding here. Yes, mostly pre-win95
> machines. We occasionally get reports from people using OS/2 and I'm
> pretty sure it's LM-only.
>
> Steve, in any case...shall I consider this patch NAK'ed for now? I was
> carrying it in my tree for 3.5, but it seems like there's resistance to
> removing this option and I'm not particularly religious on the matter.

I don't think it is worth changing - I prefer to build with
WEAK_PW_HASH disabled.

-- 
Thanks,

Steve
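
An added example, not part of the original message or of the cifs code: a host audit that reports whether a kernel config has CONFIG_CIFS_WEAK_PW_HASH compiled in and whether any cifs mount entry carries sec=lanman, the two conditions the thread discusses. The function names and sample data are hypothetical; it assumes the kernel config is available as a text file and that mount entries use the fstab field layout with sec= in the options field.

```shell
#!/bin/sh
# Added example (not from the thread). Function names are hypothetical.
# Inputs are file paths, so the checks also run on constructed samples.

# weak_pw_hash_state CONFIG_FILE -> prints enabled | disabled | unknown
weak_pw_hash_state() {
    if grep -q '^CONFIG_CIFS_WEAK_PW_HASH=y' "$1"; then
        echo enabled
    elif grep -q '^# CONFIG_CIFS_WEAK_PW_HASH is not set' "$1"; then
        echo disabled
    else
        echo unknown    # option not mentioned in this config file
    fi
}

# lanman_mounts FILE -> mount points of cifs entries carrying sec=lanman.
# FILE uses the fstab/mounts layout: device, mount point, type, options.
lanman_mounts() {
    awk '$3 == "cifs" {
        n = split($4, opt, ",")
        for (i = 1; i <= n; i++)
            if (opt[i] == "sec=lanman") { print $2; break }
    }' "$1"
}

# audit CONFIG_FILE MOUNTS_FILE -> status 1 if LANMAN is compiled in or in use
audit() {
    state=$(weak_pw_hash_state "$1")
    hits=$(lanman_mounts "$2")
    echo "CONFIG_CIFS_WEAK_PW_HASH: $state"
    [ -n "$hits" ] && echo "sec=lanman entries: $hits"
    [ "$state" != enabled ] && [ -z "$hits" ]
}

# Constructed sample inputs (host and share names are invented).
write_samples() {
    printf '%s\n' 'CONFIG_CIFS=m' 'CONFIG_CIFS_WEAK_PW_HASH=y' > "$1/config"
    printf '%s\n' \
        '//oldbox/share /mnt/old cifs rw,sec=lanman,username=bob 0 0' \
        '//files/home /home/bob cifs rw,sec=ntlmv2,username=bob 0 0' \
        '/dev/sda1 / ext4 rw,relatime 0 0' > "$1/mounts"
}

tmp=$(mktemp -d) && write_samples "$tmp"
audit "$tmp/config" "$tmp/mounts" || echo "LANMAN exposure found"
rm -rf "$tmp"
```

An "unknown" state with no sec=lanman entries passes the audit, since the option is then not shown as enabled in the file that was checked.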


More information about the samba-technical mailing list