> We have changes for the OpenSolaris CIFS client that implement SMB
> "signing". For an Overview of SMB signing, see:
> http://support.microsoft.com/kb/887429

You really should also put this on security-discuss. In fact, I think I'll do that now!

Security-discuss folks, please follow this link:

http://www.opensolaris.org/jive/thread.jspa?threadID=83064

to see the original post.

<mucho snippage deleted...>

> 9: What signing policy options should our CIFS client offer?
>
> The initial proposal was to add one option named "signing" with the
> values:
>   disabled: don't use SMB signatures unless the server requires them.
>   enabled: use SMB signatures if the server supports them.
>   required: use SMB signatures. If the server doesn't support them,
>     give up.
>
> One question raised was: "Why have this option at all?" That's a
> good question. One could do without this option. For example, the
> Apple/Darwin CIFS client does not provide an option like this, and
> always uses the policy "Sign if the server requires it". The option
> may be useful for diagnostic purposes, i.e. "Is this problem affected
> by turning signing on or off?" or perhaps for testing in a
> transitional environment.

I don't object to having a knob so long as its default is very sensible. Given what you said above, I think our default should be the same as the Darwin/MacOS X one.

> 10: What should be the default value for the client signing options?

See above.

> 11: Who should be able to adjust the signing options?

<snip>

> It seems that the question of whether to allow the signing option in
> per-user settings boils down to a judgement call: Would its benefit
> outweigh its cost?

In IPsec we have per-socket policy that even ordinary users can configure. It does not allow users access to keying material or anything else sensitive. We don't allow unprivileged users to disable IPsec if it's enabled globally, but we can let them "downshift" the protection. You may wish to have a similar relationship between system-default and per-user policy on the signing option. Rob already mentions this as a solution for you.

I won't even begin to discuss the merits of how secure CIFS signing may or may not be, but given the deployment environment out there, I think you're approaching this the right way.

Dan

--
This message posted from opensolaris.org