Feature #14097
open
time to disable SMB1 by default
0%
Description
Much of the world have moved on past SMB1, so much so that servers that have SMB1 enabled are reported by security scanners as "insecure".
While our SMB1 is not and has never been vulnerable to the defects referred to by those security scanners, most of us supporting this code have grown tired of explaining that to the people who pay for and trust the results of these so called security scans. Let's go ahead and make SMB1 disabled by default. Those who need it can turn it back on.
Import this fix from github/Nexenta
commit a9c06f166c65c0c47fd27fe5af14f0cde43f4f6d
Author: Gordon Ross <gwr@nexenta.com>
Date: Mon Jul 1 16:00:34 2019 -0400
NEX-20541 time to disable SMB1 by default (redo)
Reviewed by: Rick McNeal <rick.mcneal@nexenta.com>
Reviewed by: Sanjay Nadkarni <sanjay.nadkarni@nexenta.com>
Reviewed by: Matt Barden <matt.barden@nexenta.com>
Reviewed by: Yuri Pankov <yuri.pankov@nexenta.com>
2 2 usr/src/cmd/smbsrv/smbd/server.xml
9 6 usr/src/lib/smbsrv/libsmb/common/smb_cfg.c
Related issues
Updated by Dan McDonald 8 months ago
Please make sure a heads-up goes out when this commits. I know some home users enable SMB1 so their "smart" printer/scanner can send scans to the "network drive".
Updated by
Updated by Gordon Ross 4 months ago
Perhaps we can also enable IPv6 at the same time. Currently the default is: ipv6_enable=false
I think that default may have been a concession to SMB1 and/or NetBIOS (though I don't remember).
Updated by Gordon Ross 4 months ago
- Related to Bug #13877: SMB server should enable IPv6 by default added