From: Andrew Bartlett <abartlet@samba.org>
To: Jeff Layton <jlayton@samba.org>
Cc: Martin Wilck <martin.wilck@ts.fujitsu.com>,
linux-cifs@vger.kernel.org, samba-technical@lists.samba.org,
Martin Wilck <mwilck@arcor.de>
Subject: Re: [RFC/PATCH] cifs.upcall: use kernel.provided principal name if available
Date: Thu, 08 Sep 2011 07:42:46 +1000
Message-ID: <1315431768.22110.4.camel@obed>
In-Reply-To: <20110907090321.2196de8f@tlielax.poochiereds.net>
On Wed, 2011-09-07 at 09:03 -0400, Jeff Layton wrote:
> On Wed, 07 Sep 2011 11:46:23 +0200
> Martin Wilck <martin.wilck@ts.fujitsu.com> wrote:
>
> > Hi Jeff,
> >
> > thanks for reviewing this.
> >
> > > I'm not opposed to adding this with appropriate warnings about the
> > > danger involved.
> > >
> > > Trusting the SPN provided in the NEGOTIATE response waters down much of
> > > the security that Kerberos provides. Granted, cifs doesn't currently do
> > > mutual auth, but if it did, using this would make it pretty useless.
> >
> > Please help me understand - is this functionality any different from
> > smbclient's? If yes, what do I need to change? If no, smbclient users
> > will suffer from the same security risk (I see that a mounted file
> > system is a higher risk than a process like smbclient).
> >
> > Is there any way to do this more securely?
> >
> > > It would probably be a good idea to clearly warn that an attacker can
> > > use this in order to trick the client into mounting a server of his
> > > choosing (providing he can redirect the traffic to that server too).
> >
> > I will happily add a warning if you tell me where you'd like to have
> > it - in the man page, or in the kernel logs, or in the cifs.upcall log?
> >
> > Regards
> > Martin
> >
>
> (re-cc'ing linux-cifs and cc'ing samba-technical)
>
> We've discussed this on the list many times before, but the most
> comprehensive discussion is here. I recommend reading over that as it
> explains the problems in detail:
>
> http://lists.samba.org/archive/linux-cifs-client/2008-August/003348.html
>
> Really, the best answer is not to rely on this. Windows clients never
> have, and recent Windows servers don't even populate the field.
>
> smbclient does, but support for that was added long ago. It should
> probably be removed as Andrew suggested in the above thread, or
> perhaps made conditional on a new smb.conf option that defaults to
> being off.
Samba 3.5 (latest release) and Samba 3.6 now default to the
server-provided SPN being untrusted and unused. Samba 3.6 also does not
send it by default. No new software should start using this principal,
and now all modern servers will not send it.
Please do not introduce this security hole into new software. The only
reason that Samba continues to have optional support for this at all is
in deference to possible legacy users.
Andrew Bartlett
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
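The thread's point is that the client, not the server, must decide which service principal a Kerberos ticket is requested for. The following is an added illustration (not cifs.upcall or Samba code; helper names and the sample hostnames are hypothetical) of how a client can derive the expected `cifs/<host>@REALM` name from the mount target and only accept a server-advertised name when it agrees with that target, unless a legacy trust option is explicitly enabled.

```python
# Added illustration: choosing the CIFS service principal without trusting
# the name a server advertises in its NEGOTIATE response. Hypothetical
# helper names; not cifs.upcall or Samba code.
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class SpnDecision:
    principal: str            # principal the client will ask the KDC for
    source: str               # "target", "hint-verified" or "hint-trusted"
    warning: Optional[str]    # set when the choice weakens authentication


def expected_principal(target_host: str, realm: str) -> str:
    """cifs/<fqdn>@REALM derived from the name the user actually mounted."""
    return f"cifs/{target_host.lower()}@{realm.upper()}"


def parse_spn(spn: str) -> Tuple[str, str, str]:
    """Split 'service/host@REALM' into (service, host, realm); reject junk."""
    svc_host, _, realm = spn.partition("@")
    svc, _, host = svc_host.partition("/")
    if not (svc and host and realm):
        raise ValueError(f"malformed principal: {spn!r}")
    return svc.lower(), host.lower(), realm.upper()


def choose_service_principal(target_host: str, realm: str,
                             server_hint: Optional[str] = None,
                             trust_server_spn: bool = False) -> SpnDecision:
    """Default policy: the mount target decides; a server hint is only used
    when it names the same cifs/<target>@REALM service."""
    want = expected_principal(target_host, realm)
    if not server_hint:
        return SpnDecision(want, "target", None)
    svc, host, hint_realm = parse_spn(server_hint)
    hint = f"{svc}/{host}@{hint_realm}"
    if svc == "cifs" and host == target_host.lower() and hint_realm == realm.upper():
        # Hint agrees with the target: using it adds nothing but is harmless.
        return SpnDecision(hint, "hint-verified", None)
    if trust_server_spn:
        # Legacy behaviour: the peer picks which service the ticket is for,
        # so a valid ticket no longer proves the peer is the intended server.
        return SpnDecision(hint, "hint-trusted",
                           f"server-provided principal {hint} differs from "
                           f"expected {want}; mutual authentication is ineffective")
    return SpnDecision(want, "target",
                       f"ignored server-provided principal {hint} (expected {want})")
```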