[Samba] Is 'sec=ntlmsspi' with 'seal' secure over an untrusted network?

Jeremy Allison jra at samba.org
Wed Sep 6 16:18:11 UTC 2023


On Wed, Sep 06, 2023 at 04:25:42PM +0200, Erik Schulz via samba wrote:
>Hello,
>
>I'm using a cloud provider's storage solution, which only works with SMB,
>with username/password. I assume the best configuration is with 'sec=ntlmsspi'
>and 'seal'.
>
>But is this secure over an untrusted network? (i.e. to satisfy a strict
>security audit)

No, almost certainly not. They will need to provide krb5
auth to pass a strict security audit IMHO.

>Microsoft states that "NTLMv2 is a little better, since it variable length
>and salted hash, but not that much better" (than NTLMv1).
>There's this article that talks about cracking NTLMSSP:
>https://www.mike-gualtieri.com/posts/live-off-the-land-and-crack-the-ntlmssp-protocol
>
>I'm wondering if NTLMSSPI avoids these issues?

No.

>Or whether `seal` encrypts the connection, avoiding leaking any information
>in the first place? ("The encryption algorithm used is AES-128-CCM"). Or
>whether the encrypted connection is established later.

The encrypted connection is established after the NTLM auth,
as that is what sets up the session key.
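An audit helper that applies the point above to a Linux client (an added example, not code from the thread or from Samba): it reads /proc/mounts-style lines and flags CIFS mounts whose sec= option is NTLM-family, distinguishing those with seal (data encrypted, but the authentication exchange precedes it) from those without. The mount lines are constructed samples, and the host names are placeholders.

```sh
#!/bin/sh
# Constructed sample in /proc/mounts format (not real hosts): one NTLM mount
# with seal, one NTLM mount without, one Kerberos mount, and a non-CIFS entry.
SAMPLE_MOUNTS='//storage.example.test/data /mnt/data cifs rw,relatime,vers=3.1.1,sec=ntlmsspi,seal,cache=strict,username=svc 0 0
//storage.example.test/logs /mnt/logs cifs rw,relatime,vers=3.0,sec=ntlmssp,cache=strict,username=svc 0 0
//fileserver.example.test/home /home/erik cifs rw,relatime,vers=3.1.1,sec=krb5i,seal,cache=strict 0 0
/dev/sda1 / ext4 rw,relatime 0 0'

# audit_smb_mounts: reads mount lines on stdin, prints one line per cifs mount:
#   <mountpoint> <sec value> <seal|noseal> <verdict>
audit_smb_mounts() {
    while read -r _src mnt fstype opts _rest; do
        [ "$fstype" = "cifs" ] || continue
        sec="unknown"
        seal="noseal"
        # Walk the comma-separated option list; only sec= and seal matter here.
        IFS=','
        for opt in $opts; do
            case "$opt" in
                sec=*) sec="${opt#sec=}" ;;
                seal)  seal="seal" ;;
            esac
        done
        unset IFS
        case "$sec" in
            krb5|krb5i|krb5p) verdict="OK: Kerberos authentication" ;;
            *)
                # NTLM family: sealing only starts after auth has produced the
                # session key, so the NTLM exchange itself is never protected.
                if [ "$seal" = "seal" ]; then
                    verdict="REVIEW: NTLM auth completes before sealing begins"
                else
                    verdict="FAIL: NTLM auth and unencrypted data"
                fi ;;
        esac
        printf '%s %s %s %s\n' "$mnt" "$sec" "$seal" "$verdict"
    done
}

# count_non_kerberos_mounts: number of cifs mounts in the sample not using krb5*.
count_non_kerberos_mounts() {
    printf '%s\n' "$SAMPLE_MOUNTS" | audit_smb_mounts | grep -c -v 'OK: Kerberos'
}
```

On a live system, pipe `cat /proc/mounts` into `audit_smb_mounts` instead of the sample.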


