Date:      Tue, 27 Nov 2018 14:14:52 -0500
From:      Gerard Seibert <gerard@seibercom.net>
To:        freebsd-arch@freebsd.org
Cc:        Yuri Pankov <yuripv@yuripv.net>, Edward Napierala <trasz@freebsd.org>, Brooks Davis <brooks@freebsd.org>
Subject:   Re: Removal or updating of "mount_smbfs" from FreeBSD operating system
Message-ID:  <20181127141452.000043c7@seibercom.net>
In-Reply-To: <20181127171459.GC52968@spindle.one-eyed-alien.net>
References:  <20181126121926.00007626@seibercom.net> <CAFLM3-o_P3-1sDea-Bgbn0oSjnAqF5RAMTWDgkk6K3819XsMDQ@mail.gmail.com> <a9a10036-9c4c-9aa4-9f64-e34ee8d30e89@yuripv.net> <20181127171459.GC52968@spindle.one-eyed-alien.net>

On Tue, 27 Nov 2018 17:14:59 +0000, Brooks Davis stated:

>On Tue, Nov 27, 2018 at 07:55:54PM +0300, Yuri Pankov wrote:
>> Edward Napierala wrote:  
>> > On Mon, 26 Nov 2018 at 17:20, Gerard Seibert <gerard@seibercom.net>
>> > wrote:
>> >>
>> >> TO WHOM IT MAY CONCERN
>> >>
>> >> The "SMBv1" protocol is a security hazard and was deprecated by
>> >> Microsoft in 2014. There is virtually no use for it anymore.
>> >>
>> >> The "mount_smbfs" utility in FreeBSD only uses that protocol, which
>> >> results in making it useless with newer versions of Microsoft's
>> >> operating systems, as well as other OS's that have deprecated the
>> >> use of SMBv1.
>> >>
>> >> I would like to suggest that FreeBSD do one of the following:
>> >>
>> >> 1) Remove "mount_smbfs" from FreeBSD. This would probably be in
>> >> versions 12.1 or 13. It is perhaps too late to get into FreeBSD 12.
>> >>
>> >> 2) Update "mount_smbfs" so that it is compatible with versions
>> >> SMBv3 and greater. While "SMBv2" is not dead, it is definitely
>> >> comatose. This would be a better idea if someone had the time to do
>> >> it.  
>> > 
>> > FWIW, I believe SMBv3 is just a set of (largely optional) extensions to
>> > SMBv2, not an entirely different protocol, like SMBv1 is.  Which means,
>> > any version that supports v3 is likely to also handle v2.
>> > 
>> > There seems to be existing, working code in Nexenta, which is being
>> > upstreamed to Illumos:
>> > 
>> > https://www.illumos.org/issues/9735
>> > https://github.com/illumos/illumos-gate/pull/37
>> > 
>> > Their implementation descends from the one we have in base (and the one
>> > from OSX, which also descends from FreeBSD), so it should be possible to
>> > merge it.  
>> 
>> Yes, we have it working and tested pretty well.  And that's exactly the
>> reason I was asking if there's work in progress for smb2/3 client or not
>> before even starting looking into porting the code.
>> 
>> The problem here is that the code has grown library dependencies which
>> are CDDL-licensed, which aren't easy to break (if at all), so if ported,
>> it will be covered by WITHOUT_CDDL; hopefully that's acceptable.  It's
>> possible that Nexenta-authored code could be relicensed under BSDL (I'll
>> have to ask, we already have a precedent with localedef), but sadly that
>> doesn't cover everything.  
>
>I think making this CDDL is fine.  Certainly better than failing to
>support SMBv2/v3.
>
>-- Brooks

SEE: https://en.wikipedia.org/wiki/Server_Message_Block#SMB_3.1.1

Particularly the section dealing with SMBv3.11. That is now the default in
Win 10. It makes no sense to not support the latest version available. In
fact, it would be counter-productive.

SMB 3.1.1 was introduced with Windows 10 and Windows Server 2016. This
version supports AES 128 GCM encryption in addition to AES 128 CCM encryption
added in SMB3, and implements pre-authentication integrity check using
SHA-512 hash. SMB 3.1.1 also makes secure negotiation mandatory when
connecting to clients using SMB 2.x and higher. 


-- 
Gerard
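
As an added illustration of the dialect distinction this thread turns on (not code from the thread, FreeBSD, or illumos): a parser that reads the dialect list out of a client NEGOTIATE message and flags a client that can only end up on SMBv1. Field offsets follow the published SMB1 and MS-SMB2 negotiate layouts; the sample messages are constructed and the function names are hypothetical.

```python
import struct

# Dialect revision codes carried in an SMB2 NEGOTIATE request (MS-SMB2).
SMB2_DIALECTS = {0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
                 0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1"}

def offered_dialects(msg: bytes) -> list:
    """Dialects offered by a client NEGOTIATE (transport length prefix removed)."""
    if msg[:4] == b"\xffSMB":                        # SMB1: 32-byte header
        if len(msg) < 35 or msg[4] != 0x72:          # 0x72 = SMB_COM_NEGOTIATE
            raise ValueError("not an SMB1 NEGOTIATE request")
        pos = 33 + 2 * msg[32]                       # skip WordCount + parameter words
        (byte_count,) = struct.unpack_from("<H", msg, pos)
        data = msg[pos + 2:pos + 2 + byte_count]
        # Each entry is 0x02 (buffer format) + NUL-terminated ASCII dialect name.
        return [p[1:].decode("ascii") for p in data.split(b"\x00") if p[:1] == b"\x02"]
    if msg[:4] == b"\xfeSMB":                        # SMB2/3: 64-byte header
        if len(msg) < 100 or struct.unpack_from("<H", msg, 12)[0] != 0:
            raise ValueError("not an SMB2 NEGOTIATE request")
        (count,) = struct.unpack_from("<H", msg, 66) # DialectCount
        codes = struct.unpack_from(f"<{count}H", msg, 100)
        return [SMB2_DIALECTS.get(c, f"unknown 0x{c:04x}") for c in codes]
    raise ValueError("not an SMB message")

def is_smb1_only(msg: bytes) -> bool:
    """True for an SMB1-framed NEGOTIATE with no "SMB 2.xxx" upgrade strings,
    i.e. a client that can only end up speaking SMBv1."""
    return msg[:4] == b"\xffSMB" and not any(
        d.startswith("SMB 2.") for d in offered_dialects(msg))

# --- Constructed sample messages (not captures; unused header fields zeroed) ---
def _smb1_negotiate(names):
    data = b"".join(b"\x02" + n.encode("ascii") + b"\x00" for n in names)
    return b"\xffSMB\x72" + bytes(27) + b"\x00" + struct.pack("<H", len(data)) + data

def _smb2_negotiate(codes):
    header = b"\xfeSMB" + struct.pack("<H", 64) + bytes(58)   # Command 0 = NEGOTIATE
    body = struct.pack("<HH", 36, len(codes)) + bytes(32)     # 36-byte fixed part
    return header + body + struct.pack(f"<{len(codes)}H", *codes)

LEGACY = _smb1_negotiate(["NT LM 0.12"])
MULTI = _smb1_negotiate(["NT LM 0.12", "SMB 2.002", "SMB 2.???"])
MODERN = _smb2_negotiate([0x0202, 0x0210, 0x0300, 0x0302, 0x0311])

if __name__ == "__main__":
    for name, msg in [("legacy", LEGACY), ("multi", MULTI), ("modern", MODERN)]:
        print(name, offered_dialects(msg), "SMBv1-only" if is_smb1_only(msg) else "ok")
```

The `MULTI` case is the one worth noticing: an SMB1-framed negotiate that lists the "SMB 2.xxx" strings is a multi-protocol client that can be upgraded, so only the first sample counts as SMBv1-only.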



