L&LD
Part of the Furniture
Microsoft enters “final phase” of disabling SMB1 file-sharing in Windows 11 | Ars Technica
SMB1 fully disabled? Not yet, not for everyone, but 'soon'.
SMB1 fully disabled? Not yet, not for everyone, but 'soon'.
SMB1 going the way of the dodo.
- Thread starter L&LD
- Start date
johndoe85
Senior Member
While they are at it they can add NFS support for windows home
sfx2000
Part of the Furniture
SMB1 has been going away for a long time - it's not installed by default on many Win10 installations, and while it can be added...
I think the takeaway here is that legacy SMB1 is not likely going to be fixed at large if a major security issue pops up. It'll make things rough for embedded since it's pretty well known that Samba 4 is painfully large in size once all it's dependencies are included.
There's always ksmbd, which is an in kernel CIFS server supporting SMB3, but not sure how much effort it would be to remove legacy Samba, and replace it...
github.com
I think the takeaway here is that legacy SMB1 is not likely going to be fixed at large if a major security issue pops up. It'll make things rough for embedded since it's pretty well known that Samba 4 is painfully large in size once all it's dependencies are included.
There's always ksmbd, which is an in kernel CIFS server supporting SMB3, but not sure how much effort it would be to remove legacy Samba, and replace it...
GitHub - namjaejeon/ksmbd: ksmbd kernel server(SMB/CIFS server)
ksmbd kernel server(SMB/CIFS server). Contribute to namjaejeon/ksmbd development by creating an account on GitHub.
github.com
RMerlin
Asuswrt-Merlin dev
I was discussing ksmbd with an engineer a few years ago. He didn't like the idea of having such a complex piece of code with direct end-user fronting services running within the kernel space. That could make any security issue REALLY bad.
sfx2000
Part of the Furniture
As it is in Windows, as windows does SMB in the kernel there - so does MacOS with their implementation, count Solaris and FreeBSD in that club as well
RMerlin
Asuswrt-Merlin dev
Just because others (with totally different architectures) do doesn`t make it any more safer. Maybe once ksmbd has 4-5 more years of maturity behind it and they aren`t still working on adding missing features to it (which means it`s currently more in active development than in a mature maintenance mode, so more likely to introduce new security issues), then it might be considered as secure as a userspace implementation. But it hasn`t reached that point yet:
sfx2000
Part of the Furniture
A security issue is a security issue, whether it's in the kernel or in userland - ksmbd is no more or less a concern than any other service inside embedded Linux...
Consider wireguard - it's also in kernel space, but nobody seems to be terribly concerned there.
Running a file server inside one's bastion router/firewall make little sense in any case, but the Vendors have made this a checkbox feature (USB disk sharing) - now we're at a point where either it needs to be removed, or folks have to suck it up and implement Samba 4 - which for many devices is a non-starter due to the amount of ram and flash needed, along with dependencies outside of the libs provided by the SoC vendor board support packages.
I was just suggesting that there are other options other than Samba 4.
Consider wireguard - it's also in kernel space, but nobody seems to be terribly concerned there.
Running a file server inside one's bastion router/firewall make little sense in any case, but the Vendors have made this a checkbox feature (USB disk sharing) - now we're at a point where either it needs to be removed, or folks have to suck it up and implement Samba 4 - which for many devices is a non-starter due to the amount of ram and flash needed, along with dependencies outside of the libs provided by the SoC vendor board support packages.
I was just suggesting that there are other options other than Samba 4.
RMerlin
Asuswrt-Merlin dev
Most modern routers support SMB 2.0. Deprecating SMB1 has no impact on these.
If your router is so old that it only supports SMB 1 (or its manufacturer doesn't care enough to update their 15 years old Samba 3.025 to 3.6.x, which only takes a bit more flash space once you trim it down with the OpenWRT patches), then time to stop using that router's USB sharing.
I'm not saying Samba is the best solution. I've been saying for years that embedded devices are in need for a slimmer alternative that doesn't try to replace a whole AD. I'm just saying that this engineer felt that shifting all of this into kernel space wasn't the best decision ever, and he did have a point there. SMB is far more complex than Wireguard, and therefore more likely to experience major security issues. It greatly increases the attack surface. And a security issue at the kernel level is generally far more critical than with an application within userspace that is probably not running as root anyway.
I've stopped using Samba v1 ever since the wannacry exploit was announced.
But what is the current state with higher versions?
By default, Asuswrt routers support SMB v1 & v2, so I just switch to v2 only. Is that reasonable for a home LAN? If any computer on the LAN gets infected, it compromises the entire subnet.
Is SMB v2 the only option we have with the Merlin firmware and is it good enough? Asking for general recommendation here for convenient share to Windows 10 machines.
But what is the current state with higher versions?
By default, Asuswrt routers support SMB v1 & v2, so I just switch to v2 only. Is that reasonable for a home LAN? If any computer on the LAN gets infected, it compromises the entire subnet.
Is SMB v2 the only option we have with the Merlin firmware and is it good enough? Asking for general recommendation here for convenient share to Windows 10 machines.
Similar threads
Latest threads
-
-
-
-
-
ASUSwrt DNSMASQ service can't be restarted
- Started by pseu_asus
- Replies: 1
Sign Up For SNBForums Daily Digest
Get an update of what's new every day delivered to your mailbox. Sign up here!