PROPOSAL: deprecate plaintext password support (in SMB1) for 4.11?

Andrew Bartlett abartlet at samba.org
Wed Sep 4 18:34:49 UTC 2019


On Wed, 2019-09-04 at 08:54 -0700, Jeremy Allison via samba-technical
wrote:
> On Wed, Sep 04, 2019 at 12:58:25PM +0200, Stefan Metzmacher via samba-technical wrote:
> > Hi Andrew,
> > 
> > > It is quite late for Samba 4.11 but I wondered what folks would think
> > > of marking 'encrypt passwords' as deprecated so we can consider to
> > > remove this code in Samba 4.12 (eg master) later this year?
> > > 
> > > This would dovetail with the SMB1 deprecation effort and I hope also
> > > help find users who can't live without this (because SMB2 doesn't have
> > > this at all).  
> > > 
> > > I'm unclear if this even works, given bugs like:
> > > https://bugzilla.samba.org/show_bug.cgi?id=9705
> > > 
> > > If this is supported I'll polish up the attached patch and then write a
> > > WHATSNEW for 4.11.
> > 
> > I don't see an attached patch, but I like the idea of deprecating
> > plaintext passwords,
> 
> +1 on removing the plaintext password code.
> 
> > maybe we should also deprecate lanman auth
> > and ntlmv1, we may not go on and remove them before SMB1, but
> > people should avoid them.
> > 
> > > It doesn't commit us to doing anything in master / 4.12 (and we might
> > > want to wait till closer to the end of the year for feedback), but I
> > > took a stab at seeing what it might allow us to remove and this was the
> > > diffstat (and there is probably more if we tried):
> > 
> > For now just mark them as deprecated and defer the removal decision.
> 
> +1 on deprecate lanman auth and ntlmv1, but we can't
> remove I think until SMB1 is removed.

OK, sorry for my late-night patch non-attachment.  I think my mail
client even prompted me!  Oops.

I'll write up something similar for lanman auth.  NTLMv1 will be with
us a long time due to MSCHAPv2 sadly, but I'll see about some stern
words.

Thanks for the support.  I agree actually decisions come a long time
later, after we assess the feedback.  We might not even hear from real
users before 4.12 branches off given how long it takes folks to
actually start using new Samba versions.

Andrew Bartlett
-- 
Andrew Bartlett                       http://samba.org/~abartlet/
Authentication Developer, Samba Team  http://samba.org
Samba Developer, Catalyst IT          http://catalyst.net.nz/services/samba

-------------- next part --------------
A non-text attachment was scrubbed...
Name: encrypt-passwords.patch
Type: text/x-patch
Size: 1371 bytes
Desc: not available
URL: <http://lists.samba.org/pipermail/samba-technical/attachments/20190905/a1bf6c49/encrypt-passwords.bin>

