diff options
author | Ronnie Sahlberg <lsahlber@redhat.com> | 2021-08-19 20:34:58 +1000 |
---|---|---|
committer | Steve French <stfrench@microsoft.com> | 2021-08-25 15:47:06 -0500 |
commit | 76a3c92ec9e0668e4cd0e9ff1782eb68f61a179c (patch) | |
tree | 2752bdbe04490c905d11411b2fc31ff2ab3deb7a /fs/cifs/Kconfig | |
parent | 18d04062f83b3eedb64e9f64ede26ee83ae7f152 (diff) |
cifs: remove support for NTLM and weaker authentication algorithms
for SMB1.
This removes the dependency to DES.
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Diffstat (limited to 'fs/cifs/Kconfig')
-rw-r--r-- | fs/cifs/Kconfig | 28 |
1 files changed, 0 insertions, 28 deletions
diff --git a/fs/cifs/Kconfig b/fs/cifs/Kconfig index 7364950a9ef4..2e8b132efdbc 100644 --- a/fs/cifs/Kconfig +++ b/fs/cifs/Kconfig @@ -16,7 +16,6 @@ config CIFS select CRYPTO_GCM select CRYPTO_ECB select CRYPTO_AES - select CRYPTO_LIB_DES select KEYS select DNS_RESOLVER select ASN1 @@ -85,33 +84,6 @@ config CIFS_ALLOW_INSECURE_LEGACY If unsure, say Y. -config CIFS_WEAK_PW_HASH - bool "Support legacy servers which use weaker LANMAN security" - depends on CIFS && CIFS_ALLOW_INSECURE_LEGACY - help - Modern CIFS servers including Samba and most Windows versions - (since 1997) support stronger NTLM (and even NTLMv2 and Kerberos) - security mechanisms. These hash the password more securely - than the mechanisms used in the older LANMAN version of the - SMB protocol but LANMAN based authentication is needed to - establish sessions with some old SMB servers. - - Enabling this option allows the cifs module to mount to older - LANMAN based servers such as OS/2 and Windows 95, but such - mounts may be less secure than mounts using NTLM or more recent - security mechanisms if you are on a public network. Unless you - have a need to access old SMB servers (and are on a private - network) you probably want to say N. Even if this support - is enabled in the kernel build, LANMAN authentication will not be - used automatically. At runtime LANMAN mounts are disabled but - can be set to required (or optional) either in - /proc/fs/cifs (see Documentation/admin-guide/cifs/usage.rst for - more detail) or via an option on the mount command. This support - is disabled by default in order to reduce the possibility of a - downgrade attack. - - If unsure, say N. - config CIFS_UPCALL bool "Kerberos/SPNEGO advanced session setup" depends on CIFS |