[Samba] Is 'sec=ntlmsspi' with 'seal' secure over an untrusted network?
Erik Schulz
erikschulz184 at gmail.com
Wed Sep 6 21:26:57 UTC 2023
Interesting.
Well, this is a sample password: zum5kZrW4EgJJRk9
which I guess is a reasonably strong password?
Is the problem mainly impersonation, not breaking the encryption?
And that the impersonation relies on relatively easy bruteforce, but that
this becomes reasonably infeasible with a strong password?
The risk is fairly low: intra-datacenter traffic.
But I was curious about the worst-case, i.e. internet traffic.
On Wed, Sep 6, 2023 at 10:57 PM Andrew Bartlett <abartlet at samba.org> wrote:
> On Wed, 2023-09-06 at 16:25 +0200, Erik Schulz via samba wrote:
>
> Hello,
>
>
> I'm using a cloud provider's storage solution, which only works with SMB,
>
> with username/password. I assume the best configuration with 'sec=ntlmsspi'
>
> and 'seal'.
>
>
> But is this secure over an untrusted network? (i.e. to satisfy a strict
>
> security audit)
>
>
> Microsoft states that "NTLMv2 is a little better, since it variable length
>
> and salted hash, but not that much better" (than NTLMv1).
>
> There's this article that talks about cracking NTLMSSP:
>
> https://www.mike-gualtieri.com/posts/live-off-the-land-and-crack-the-ntlmssp-protocol
>
>
>
> I'm wondering if NTLMSSPI avoids these issues?
>
> Or whether `seal` encrypts the connection, avoiding leaking any information
>
> in the first place? ("The encryption algorithm used is AES-128-CCM"). Or
>
> whether the encrypted connection is established later.
>
>
> The encryption is established after the NTLM completes. Strong passwords
> may make this an acceptable choice.
>
> Kerberos is similar, actually, if you can get to the client/KDC exchange
> then a weak user password can be brute forced.
>
> This is why Samba 4.19 is significant, as we can claim to be Windows 2012
> and have Windows clients use 'Kerberos Armoring' aka 'FAST' (if you set up
> the Group Polciies), but this is regarding the AD DC, not your situation.
>
>
> Andrew Bartlett
>
>
> --
>
> Andrew Bartlett (he/him) https://samba.org/~abartlet/
> Samba Team Member (since 2001) https://samba.org
> Samba Team Lead https://catalyst.net.nz/services/samba
> Catalyst.Net Ltd
>
> Proudly developing Samba for Catalyst.Net Ltd - a Catalyst IT group company
>
> Samba Development and Support: https://catalyst.net.nz/services/samba
>
> Catalyst IT - Expert Open Source Solutions
>
More information about the samba
mailing list