diff options
author | Steve French <stfrench@microsoft.com> | 2018-06-19 14:34:08 -0500 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2019-01-26 09:37:07 +0100 |
commit | bfbd7e95b6b531d159c0e9615e04f8320ff21487 (patch) | |
tree | bccd0cc757795fa19c7d10c08452c92fe52887ef /fs/cifs/Kconfig | |
parent | de616eb216055ed367c7ecda073d8e8b9fb90a81 (diff) |
cifs: allow disabling insecure dialects in the config
commit 7420451f6a109f7f8f1bf283f34d08eba3259fb3 upstream.
allow disabling cifs (SMB1 ie vers=1.0) and vers=2.0 in the
config for the build of cifs.ko if want to always prevent mounting
with these less secure dialects.
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Aurelien Aptel <aaptel@suse.com>
Reviewed-by: Jeremy Allison <jra@samba.org>
Cc: Alakesh Haloi <alakeshh@amazon.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Diffstat (limited to 'fs/cifs/Kconfig')
-rw-r--r-- | fs/cifs/Kconfig | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/fs/cifs/Kconfig b/fs/cifs/Kconfig index 7b95e7971d18..a78c4133724c 100644 --- a/fs/cifs/Kconfig +++ b/fs/cifs/Kconfig @@ -66,9 +66,24 @@ config CIFS_STATS2 Unless you are a developer or are doing network performance analysis or tuning, say N. +config CIFS_ALLOW_INSECURE_LEGACY + bool "Support legacy servers which use less secure dialects" + depends on CIFS + default y + help + Modern dialects, SMB2.1 and later (including SMB3 and 3.1.1), have + additional security features, including protection against + man-in-the-middle attacks and stronger crypto hashes, so the use + of legacy dialects (SMB1/CIFS and SMB2.0) is discouraged. + + Disabling this option prevents users from using vers=1.0 or vers=2.0 + on mounts with cifs.ko + + If unsure, say Y. + config CIFS_WEAK_PW_HASH bool "Support legacy servers which use weaker LANMAN security" - depends on CIFS + depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY help Modern CIFS servers including Samba and most Windows versions (since 1997) support stronger NTLM (and even NTLMv2 and Kerberos) |