smb signatures - per tcp session or per smb session sequence numbers?

[Michael B Allen]

On Wed, 23 Feb 2005 19:50:40 +1100
Andrew Bartlett <abartlet at samba.org> wrote:

> > When two different user smb session (smb_uids) are multiplexed over one
> > tcp session from a single client to a single server - signing does not
> > appear to work on the first request for what will be the second uid ie
> > the 2nd SessionSetup request (at least from the Linux client).
> > 
> > There seems to be evidence that the sequence number used for signing is
> > global to the tcp session (not to the smb uid - smb session as I had
> > implemented).
> 
> Correct.  This of course implies that the security of the whole session
> is as good or bad as the *first* password to pass over it.

Actually if you end up LoggedInAsGuest I don't think the signing digest is
installed. So the first non-guest and non-null authentication establishes
the digest that is used for all subsequent communication.

As a side note I have observed that NT 4 (at least and I believe later
versions of Windows) do not check the signatures of session setups. The
jCIFS NTLM HTTP Authentication Filter can operate without a proper
digest installed even though the server requires signatures. Any other
types of messages fail (e.g. logoffs). I don't know why this is but I
suspect the server code just treats sessionsetups differently because
they establish the mac key and that code path is exercised even after
the digest is established. I don't know if this is true of NTLMv2 or
Kerberos signatures.

Mike

-- 
IRC - where men are men, women are men, and the boys are FBI agents.