summaryrefslogtreecommitdiffstats
path: root/fs/cifs/Kconfig
diff options
context:
space:
mode:
authorSteve French <stfrench@microsoft.com>2018-06-19 21:34:08 +0200
committerSteve French <stfrench@microsoft.com>2018-08-07 21:15:41 +0200
commit7420451f6a109f7f8f1bf283f34d08eba3259fb3 (patch)
treecdaf7f33cae4b08c32c6d6baae5dfa0dcfe32121 /fs/cifs/Kconfig
parentsmb3: if server does not support posix do not allow posix mount option (diff)
downloadlinux-7420451f6a109f7f8f1bf283f34d08eba3259fb3.tar.xz
linux-7420451f6a109f7f8f1bf283f34d08eba3259fb3.zip
cifs: allow disabling insecure dialects in the config
allow disabling cifs (SMB1 ie vers=1.0) and vers=2.0 in the config for the build of cifs.ko if want to always prevent mounting with these less secure dialects. Signed-off-by: Steve French <stfrench@microsoft.com> Reviewed-by: Aurelien Aptel <aaptel@suse.com> Reviewed-by: Jeremy Allison <jra@samba.org>
Diffstat (limited to 'fs/cifs/Kconfig')
-rw-r--r--fs/cifs/Kconfig17
1 files changed, 16 insertions, 1 deletions
diff --git a/fs/cifs/Kconfig b/fs/cifs/Kconfig
index 5f132d59dfc2..832eafbf803f 100644
--- a/fs/cifs/Kconfig
+++ b/fs/cifs/Kconfig
@@ -66,9 +66,24 @@ config CIFS_STATS2
Unless you are a developer or are doing network performance analysis
or tuning, say N.
+config CIFS_ALLOW_INSECURE_LEGACY
+ bool "Support legacy servers which use less secure dialects"
+ depends on CIFS
+ default y
+ help
+ Modern dialects, SMB2.1 and later (including SMB3 and 3.1.1), have
+ additional security features, including protection against
+ man-in-the-middle attacks and stronger crypto hashes, so the use
+ of legacy dialects (SMB1/CIFS and SMB2.0) is discouraged.
+
+ Disabling this option prevents users from using vers=1.0 or vers=2.0
+ on mounts with cifs.ko
+
+ If unsure, say Y.
+
config CIFS_WEAK_PW_HASH
bool "Support legacy servers which use weaker LANMAN security"
- depends on CIFS
+ depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY
help
Modern CIFS servers including Samba and most Windows versions
(since 1997) support stronger NTLM (and even NTLMv2 and Kerberos)