[PATCH] cifs: eliminate CONFIG_CIFS_WEAK_PW_HASH
idra at samba.org
Sat Jan 21 10:26:43 MST 2012
On Sat, 2012-01-21 at 07:37 -0500, Jeff Layton wrote:
> On Sat, 21 Jan 2012 15:03:31 +1100
> Andrew Bartlett <abartlet at samba.org> wrote:
> > On Fri, 2012-01-20 at 14:45 -0600, Steve French wrote:
> > > My general thinking on this is as follows:
> > >
> > > If the kernel is distributed to all the workstations in an organization
> > > with this Kconfig option disabled, it makes it harder for individual users
> > > to make the mistake of enabling lanman (sec=lanman, or the Kconfig
> > > option) on a public network and thus send weak password hashes
> > > which could be discovered simply. Most distros make the choice
> > > of enabling broader compatibility with old pre-1997 servers but
> > > it is a very small set of servers who would require lanman support,
> > > and a large number of potential attackers who could benefit if
> > > users enable lanman on a public network. I suspect that there
> > > are environments where removing code (via Kconfig) is preferred
> > > to trusting all owners of all workstations running that organizations
> > > standard linux to never enable lanman at runtime.
> > >
> > > But ... the opinion of security specialists on this would be welcome.
> > We have been though some of this with the kerberos libs, which now allow
> > (default?) to not even compile with weak crypto. If the weak crypto is
> > not compiled in, it can therefore be asserted that the weak crypto
> > cannot be used, and this makes it easier to comply with security
> > audits/certification etc.
> > I don't want to make your code more complex than it needs to be, but LM
> > encryption really, really needs to go away. If it is not a major
> > bother, I would like to make it easier for that to happen if possible.
> The only way for it to go away completely is for all servers that
> support only that encryption to go away completely. Unfortunately,
> that's a tall order -- there are still at least some in the field and
> people need to get at data on them.
Jeff, can you identify them ?
LM only servers means pre Win 95 machines, I'd be curious to know what
servers are there that really support only LM hashes and not NT hashes.
Samba Team GPL Compliance Officer <simo at samba.org>
Principal Software Engineer at Red Hat, Inc. <simo at redhat.com>
More information about the samba-technical