Removal or updating of "mount_smbfs" from FreeBSD operating system


Gerard Seibert-2
TO WHOM IT MAY CONCERN

The “SMBv1” protocol is a security hazard and was depreciated by Microsoft in
2014. There is virtually no use for it anymore.

The “mount_smbfs” utility in FreeBSD only uses that protocol, which results
in making it useless with newer versions of Microsoft’s operating systems, as
well as other OS’s that have depreciated the use of SMBv1.

I would like to suggest that FreeBSD do one of the following:

1) Remove “mount_smbfs” from FreeBSD. This would probably be in versions 12.1
or 13. It is perhaps too late to get into FreeBSD 12.

2) Update “mount_smbfs” so that it is compatible with versions SMBv3 and
greater. While "SMBv2" is not dead, it is definitely comatose. This would be a
better idea if someone had the time to do it.

Thank you for taking the time to read this suggestion.

--
Gerard E. Seibert
_______________________________________________
[hidden email] mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-arch
To unsubscribe, send any mail to "[hidden email]"
Re: Removal or updating of "mount_smbfs" from FreeBSD operating system

Miroslav Lachman
Gerard Seibert wrote on 2018/11/26 18:19:

> TO WHOM IT MAY CONCERN
>
> The “SMBv1” protocol is a security hazard and was depreciated by Microsoft in
> 2014. There is virtually no use for it anymore.
>
> The “mount_smbfs” utility in FreeBSD only uses that protocol, which results
> in making it useless with newer versions of Microsoft’s operating systems, as
> well as other OS’s that have depreciated the use of SMBv1.
>
> I would like to suggest that FreeBSD do one of the following:
>
> 1) Remove “mount_smbfs” from FreeBSD. This would probably be in versions 12.1
> or 13. It is perhaps too late to get into FreeBSD 12.
>
> 2) Update “mount_smbfs” so that it is compatible with versions SMBv3 and
> greater. While "SMBv2" is not dead, it is definitely comatose. This would be a
> better idea if someone had the time to do it.
>
> Thank you for taking the time to read this suggestion.

Is there any working (production ready) alternative in ports tree?
We are in heterogenous environment and some of our servers have more
than 10 SMB shares mounted by mount_smbfs.

Kind regards
Miroslav Lachman


Re: Removal or updating of "mount_smbfs" from FreeBSD operating system

yuripv
In reply to this post by Gerard Seibert-2
Gerard Seibert wrote:

> TO WHOM IT MAY CONCERN
>
> The “SMBv1” protocol is a security hazard and was depreciated by Microsoft in
> 2014. There is virtually no use for it anymore.
>
> The “mount_smbfs” utility in FreeBSD only uses that protocol, which results
> in making it useless with newer versions of Microsoft’s operating systems, as
> well as other OS’s that have depreciated the use of SMBv1.
>
> I would like to suggest that FreeBSD do one of the following:
>
> 1) Remove “mount_smbfs” from FreeBSD. This would probably be in versions 12.1
> or 13. It is perhaps too late to get into FreeBSD 12.
I don't think this is reasonable, more so in a hurry, as this is a
client, and doesn't impose any security issues.

> 2) Update “mount_smbfs” so that it is compatible with versions SMBv3 and
> greater. While "SMBv2" is not dead, it is definitely comatose. This would be a
> better idea if someone had the time to do it.

There's an entry in https://wiki.freebsd.org/DevSummit/201810:

----------------------------------------------------------------------
updated mount SMBFS smbv3 support (iXsystems)
----------------------------------------------------------------------

I wonder if we could get a bit more information on this -- is this just
a plan, or is it being actively worked on/ready for integration?



Re: Removal or updating of "mount_smbfs" from FreeBSD operating system

Baptiste Daroussin-2
In reply to this post by Miroslav Lachman
On Mon, Nov 26, 2018 at 06:57:32PM +0100, Miroslav Lachman wrote:

> Gerard Seibert wrote on 2018/11/26 18:19:
> > TO WHOM IT MAY CONCERN
> >
> > The “SMBv1” protocol is a security hazard and was depreciated by Microsoft in
> > 2014. There is virtually no use for it anymore.
> >
> > The “mount_smbfs” utility in FreeBSD only uses that protocol, which results
> > in making it useless with newer versions of Microsoft’s operating systems, as
> > well as other OS’s that have depreciated the use of SMBv1.
> >
> > I would like to suggest that FreeBSD do one of the following:
> >
> > 1) Remove “mount_smbfs” from FreeBSD. This would probably be in versions 12.1
> > or 13. It is perhaps too late to get into FreeBSD 12.
> >
> > 2) Update “mount_smbfs” so that it is compatible with versions SMBv3 and
> > greater. While "SMBv2" is not dead, it is definitely comatose. This would be a
> > better idea if someone had the time to do it.
> >
> > Thank you for taking the time to read this suggestion.
>
> Is there any working (production ready) alternative in ports tree?
> We are in heterogenous environment and some of our servers have more than 10
> SMB shares mounted by mount_smbfs.
>
There are some FUSE-based alternatives, yes: fusefs-smbnetfs

Best regards,
Bapt


Re: Removal or updating of "mount_smbfs" from FreeBSD operating system

Kris Moore-2
In reply to this post by yuripv
On 11/26/18 1:09 PM, Yuri Pankov wrote:

> Gerard Seibert wrote:
>> TO WHOM IT MAY CONCERN
>>
>> The “SMBv1” protocol is a security hazard and was depreciated by Microsoft in
>> 2014. There is virtually no use for it anymore.
>>
>> The “mount_smbfs” utility in FreeBSD only uses that protocol, which results
>> in making it useless with newer versions of Microsoft’s operating systems, as
>> well as other OS’s that have depreciated the use of SMBv1.
>>
>> I would like to suggest that FreeBSD do one of the following:
>>
>> 1) Remove “mount_smbfs” from FreeBSD. This would probably be in versions 12.1
>> or 13. It is perhaps too late to get into FreeBSD 12.
> I don't think this is reasonable, more so in a hurry, as this is a
> client, and doesn't impose any security issues.
>
>> 2) Update “mount_smbfs” so that it is compatible with versions SMBv3 and
>> greater. While "SMBv2" is not dead, it is definitely comatose. This would be a
>> better idea if someone had the time to do it.
> There's an entry in https://wiki.freebsd.org/DevSummit/201810:
>
> ----------------------------------------------------------------------
> updated mount SMBFS smbv3 support (iXsystems)
> ----------------------------------------------------------------------
>
> I wonder if we could get a bit more information on this -- is this just
> a plan, or is it being actively worked on/ready for integration?
>

We were discussing it at the time, but as of now it's not actively being
worked on from the iX side.

--
Kris Moore
Vice President of Engineering
iXsystems, Inc
Ph: (408) 943-4100
Ph: (408) 943-4101
The Groundbreaking TrueNAS M-Series -
Enterprise Storage & Servers Driven By Open Source


Re: Removal or updating of "mount_smbfs" from FreeBSD operating system

Edward Napierala
In reply to this post by Gerard Seibert-2
Mon, 26 Nov 2018 at 17:20, Gerard Seibert <[hidden email]> wrote:

>
> TO WHOM IT MAY CONCERN
>
> The “SMBv1” protocol is a security hazard and was depreciated by Microsoft in
> 2014. There is virtually no use for it anymore.
>
> The “mount_smbfs” utility in FreeBSD only uses that protocol, which results
> in making it useless with newer versions of Microsoft’s operating systems, as
> well as other OS’s that have depreciated the use of SMBv1.
>
> I would like to suggest that FreeBSD do one of the following:
>
> 1) Remove “mount_smbfs” from FreeBSD. This would probably be in versions 12.1
> or 13. It is perhaps too late to get into FreeBSD 12.
>
> 2) Update “mount_smbfs” so that it is compatible with versions SMBv3 and
> greater. While "SMBv2" is not dead, it is definitely comatose. This would be a
> better idea if someone had the time to do it.

FWIW, I believe SMBv3 is just a set of (largely optional) extensions to SMBv2,
not an entirely different protocol, like SMBv1 is.  Which means, any version
that supports v3 is likely to also handle v2.

There seems to be existing, working code in Nexenta, which is being
upstreamed to Illumos:

https://www.illumos.org/issues/9735
https://github.com/illumos/illumos-gate/pull/37

Their implementation descends from the one we have in base (and the one
from OSX, which also descends from FreeBSD), so it should be possible to
merge it.

Re: Removal or updating of "mount_smbfs" from FreeBSD operating system

yuripv
Edward Napierala wrote:

> Mon, 26 Nov 2018 at 17:20, Gerard Seibert <[hidden email]> wrote:
>>
>> TO WHOM IT MAY CONCERN
>>
>> The “SMBv1” protocol is a security hazard and was depreciated by Microsoft in
>> 2014. There is virtually no use for it anymore.
>>
>> The “mount_smbfs” utility in FreeBSD only uses that protocol, which results
>> in making it useless with newer versions of Microsoft’s operating systems, as
>> well as other OS’s that have depreciated the use of SMBv1.
>>
>> I would like to suggest that FreeBSD do one of the following:
>>
>> 1) Remove “mount_smbfs” from FreeBSD. This would probably be in versions 12.1
>> or 13. It is perhaps too late to get into FreeBSD 12.
>>
>> 2) Update “mount_smbfs” so that it is compatible with versions SMBv3 and
>> greater. While "SMBv2" is not dead, it is definitely comatose. This would be a
>> better idea if someone had the time to do it.
>
> FWIW, I believe SMBv3 is just a set of (largely optional) extensions to SMBv2,
> not an entirely different protocol, like SMBv1 is.  Which means, any version
> that supports v3 is likely to also handle v2.
>
> There seems to be existing, working code in Nexenta, which is being
> upstreamed to Illumos:
>
> https://www.illumos.org/issues/9735
> https://github.com/illumos/illumos-gate/pull/37
>
> Their implementation descends from the one we have in base (and the one
> from OSX, which also descends from FreeBSD), so it should be possible to
> merge it.
Yes, we have it working and tested pretty well.  And that's exactly the
reason I was asking if there's work in progress for smb2/3 client or not
before even starting looking into porting the code.

The problem here is that the code has grown library dependencies which
are CDDL-licensed, which aren't easy to break (if at all), so if ported,
it will be covered by WITHOUT_CDDL; hopefully that's acceptable.  It's
possible that Nexenta-authored code could be relicensed under BSDL (I'll
have to ask, we already have a precedent with localedef), but sadly that
doesn't cover everything.



Re: Removal or updating of "mount_smbfs" from FreeBSD operating system

Brooks Davis-2
On Tue, Nov 27, 2018 at 07:55:54PM +0300, Yuri Pankov wrote:

> Edward Napierala wrote:
> > Mon, 26 Nov 2018 at 17:20, Gerard Seibert <[hidden email]> wrote:
> >>
> >> TO WHOM IT MAY CONCERN
> >>
> >> The “SMBv1” protocol is a security hazard and was depreciated by Microsoft in
> >> 2014. There is virtually no use for it anymore.
> >>
> >> The “mount_smbfs” utility in FreeBSD only uses that protocol, which results
> >> in making it useless with newer versions of Microsoft’s operating systems, as
> >> well as other OS’s that have depreciated the use of SMBv1.
> >>
> >> I would like to suggest that FreeBSD do one of the following:
> >>
> >> 1) Remove “mount_smbfs” from FreeBSD. This would probably be in versions 12.1
> >> or 13. It is perhaps too late to get into FreeBSD 12.
> >>
> >> 2) Update “mount_smbfs” so that it is compatible with versions SMBv3 and
> >> greater. While "SMBv2" is not dead, it is definitely comatose. This would be a
> >> better idea if someone had the time to do it.
> >
> > FWIW, I believe SMBv3 is just a set of (largely optional) extensions to SMBv2,
> > not an entirely different protocol, like SMBv1 is.  Which means, any version
> > that supports v3 is likely to also handle v2.
> >
> > There seems to be existing, working code in Nexenta, which is being
> > upstreamed to Illumos:
> >
> > https://www.illumos.org/issues/9735
> > https://github.com/illumos/illumos-gate/pull/37
> >
> > Their implementation descends from the one we have in base (and the one
> > from OSX, which also descends from FreeBSD), so it should be possible to
> > merge it.
>
> Yes, we have it working and tested pretty well.  And that's exactly the
> reason I was asking if there's work in progress for smb2/3 client or not
> before even starting looking into porting the code.
>
> The problem here is that the code has grown library dependencies which
> are CDDL-licensed, which aren't easy to break (if at all), so if ported,
> it will be covered by WITHOUT_CDDL; hopefully that's acceptable.  It's
> possible that Nexenta-authored code could be relicensed under BSDL (I'll
> have to ask, we already have a precedent with localedef), but sadly that
> doesn't cover everything.
I think making this CDDL is fine.  Certainly better than failing to
support SMBv2/v3.

-- Brooks


Re: Removal or updating of "mount_smbfs" from FreeBSD operating system

Gerard Seibert-2
On Tue, 27 Nov 2018 17:14:59 +0000, Brooks Davis stated:

>On Tue, Nov 27, 2018 at 07:55:54PM +0300, Yuri Pankov wrote:
>> Edward Napierala wrote:  
>> > Mon, 26 Nov 2018 at 17:20, Gerard Seibert <[hidden email]>
>> > wrote:
>> >>
>> >> TO WHOM IT MAY CONCERN
>> >>
>> >> The “SMBv1” protocol is a security hazard and was depreciated by
>> >> Microsoft in 2014. There is virtually no use for it anymore.
>> >>
>> >> The “mount_smbfs” utility in FreeBSD only uses that protocol, which
>> >> results in making it useless with newer versions of Microsoft’s
>> >> operating systems, as well as other OS’s that have depreciated the
>> >> use of SMBv1.
>> >>
>> >> I would like to suggest that FreeBSD do one of the following:
>> >>
>> >> 1) Remove “mount_smbfs” from FreeBSD. This would probably be in
>> >> versions 12.1 or 13. It is perhaps too late to get into FreeBSD 12.
>> >>
>> >> 2) Update “mount_smbfs” so that it is compatible with versions
>> >> SMBv3 and greater. While "SMBv2" is not dead, it is definitely
>> >> comatose. This would be a better idea if someone had the time to do
>> >> it.
>> >
>> > FWIW, I believe SMBv3 is just a set of (largely optional) extensions to
>> > SMBv2, not an entirely different protocol, like SMBv1 is.  Which means,
>> > any version that supports v3 is likely to also handle v2.
>> >
>> > There seems to be existing, working code in Nexenta, which is being
>> > upstreamed to Illumos:
>> >
>> > https://www.illumos.org/issues/9735
>> > https://github.com/illumos/illumos-gate/pull/37
>> >
>> > Their implementation descends from the one we have in base (and the one
>> > from OSX, which also descends from FreeBSD), so it should be possible to
>> > merge it.  
>>
>> Yes, we have it working and tested pretty well.  And that's exactly the
>> reason I was asking if there's work in progress for smb2/3 client or not
>> before even starting looking into porting the code.
>>
>> The problem here is that the code has grown library dependencies which
>> are CDDL-licensed, which aren't easy to break (if at all), so if ported,
>> it will be covered by WITHOUT_CDDL; hopefully that's acceptable.  It's
>> possible that Nexenta-authored code could be relicensed under BSDL (I'll
>> have to ask, we already have a precedent with localedef), but sadly that
>> doesn't cover everything.  
>
>I think making this CDDL is fine.  Certainly better than failing to
>support SMBv2/v3.
>
>-- Brooks

SEE: https://en.wikipedia.org/wiki/Server_Message_Block#SMB_3.1.1

Particularly the section dealing with SMBv3.11. That is now the default in
Win 10. It makes no sense to not support the latest version available. In
fact, it would be counter-productive.

SMB 3.1.1 was introduced with Windows 10 and Windows Server 2016. This
version supports AES 128 GCM encryption in addition to AES 128 CCM encryption
added in SMB3, and implements pre-authentication integrity check using
SHA-512 hash. SMB 3.1.1 also makes secure negotiation mandatory when
connecting to clients using SMB 2.x and higher.


--
Gerard
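
The dialect relationship discussed in this thread (SMB 2.x and 3.x share one framing, SMB1 uses a different one), as an added example that is not part of any poster's message or of FreeBSD's code: a Python sketch that classifies a captured direct-TCP SMB frame and reads the dialect from an SMB2 NEGOTIATE response, using the header layout from MS-SMB2. The sample frames are constructed and the function names are hypothetical.

```python
import struct

# DialectRevision values carried in an SMB2 NEGOTIATE response (MS-SMB2).
SMB2_DIALECTS = {
    0x0202: "SMB 2.0.2", 0x0210: "SMB 2.1", 0x0300: "SMB 3.0",
    0x0302: "SMB 3.0.2", 0x0311: "SMB 3.1.1", 0x02FF: "SMB 2.x wildcard",
}
SMB1_MAGIC = b"\xffSMB"          # SMB1/CIFS protocol id
SMB2_MAGIC = b"\xfeSMB"          # shared by every SMB 2.x and 3.x dialect
SMB2_HEADER_LEN = 64
SMB2_CMD_NEGOTIATE = 0x0000
SMB2_FLAG_RESPONSE = 0x00000001  # SMB2_FLAGS_SERVER_TO_REDIR


def strip_transport(frame: bytes) -> bytes:
    """Remove the 4-byte direct-TCP header: a zero byte plus a 24-bit length."""
    if len(frame) < 4 or frame[0] != 0:
        raise ValueError("not a direct-TCP SMB frame")
    length = int.from_bytes(frame[1:4], "big")
    body = frame[4:4 + length]
    if len(body) != length:
        raise ValueError("truncated frame")
    return body


def classify(frame: bytes):
    """Return (family, dialect); dialect is None unless the frame reveals it."""
    msg = strip_transport(frame)
    if msg[:4] == SMB1_MAGIC:
        return ("SMB1", None)
    if msg[:4] != SMB2_MAGIC or len(msg) < SMB2_HEADER_LEN:
        raise ValueError("not an SMB message")
    (command,) = struct.unpack_from("<H", msg, 12)   # Command field
    (flags,) = struct.unpack_from("<I", msg, 16)     # Flags field
    is_response = bool(flags & SMB2_FLAG_RESPONSE)
    if command != SMB2_CMD_NEGOTIATE or not is_response:
        return ("SMB2", None)    # dialect is only stated in the NEGOTIATE reply
    if len(msg) < SMB2_HEADER_LEN + 6:
        raise ValueError("truncated NEGOTIATE response")
    size, _sec_mode, dialect = struct.unpack_from("<HHH", msg, SMB2_HEADER_LEN)
    if size != 65:               # fixed StructureSize of a NEGOTIATE response
        raise ValueError("malformed NEGOTIATE response")
    return ("SMB2", SMB2_DIALECTS.get(dialect, f"unknown 0x{dialect:04x}"))


def _frame(msg: bytes) -> bytes:
    return b"\x00" + len(msg).to_bytes(3, "big") + msg


def sample_negotiate_response(dialect: int) -> bytes:
    """Constructed minimal SMB2 NEGOTIATE response (all other fields zeroed)."""
    header = struct.pack("<4sHHIHHIIQIIQ16s", SMB2_MAGIC, 64, 0, 0,
                         SMB2_CMD_NEGOTIATE, 1, SMB2_FLAG_RESPONSE,
                         0, 0, 0, 0, 0, bytes(16))
    return _frame(header + struct.pack("<HHH", 65, 1, dialect) + bytes(58))


# Constructed SMB1 frame: 32-byte header with SMB_COM_NEGOTIATE (0x72).
SAMPLE_SMB1 = _frame(SMB1_MAGIC + b"\x72" + bytes(27))

if __name__ == "__main__":
    for f in (SAMPLE_SMB1, sample_negotiate_response(0x0210),
              sample_negotiate_response(0x0311)):
        print(classify(f))
```

Run over negotiate traffic from a packet capture, a check like this shows which servers still answer in SMB1 and which dialect the SMB2 family servers selected.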


Re: Removal or updating of "mount_smbfs" from FreeBSD operating system

Andrey V. Elsukov
In reply to this post by yuripv
On 27.11.2018 19:55, Yuri Pankov wrote:

>> There seems to be existing, working code in Nexenta, which is being
>> upstreamed to Illumos:
>>
>> https://www.illumos.org/issues/9735
>> https://github.com/illumos/illumos-gate/pull/37
>>
>> Their implementation descends from the one we have in base (and the one
>> from OSX, which also descends from FreeBSD), so it should be possible to
>> merge it.
>
> Yes, we have it working and tested pretty well.  And that's exactly the
> reason I was asking if there's work in progress for smb2/3 client or not
> before even starting looking into porting the code.
>
> The problem here is that the code has grown library dependencies which
> are CDDL-licensed, which aren't easy to break (if at all), so if ported,
> it will be covered by WITHOUT_CDDL; hopefully that's acceptable.  It's
> possible that Nexenta-authored code could be relicensed under BSDL (I'll
> have to ask, we already have a precedent with localedef), but sadly that
> doesn't cover everything.
Apple's implementation looks like it is based on the same source as our
one. It looks like dual licensed APSL/BSDL but the size of the SMB/CIFS
code has significantly increased and porting doesn't look like an easy
task. But probably some code can be used...

https://opensource.apple.com/tarballs/smb/

--
WBR, Andrey V. Elsukov

