smb signatures - per tcp session or per smb session sequence
Michael B Allen
mba2000 at ioplex.com
Wed Feb 23 09:54:44 GMT 2005
On Wed, 23 Feb 2005 19:50:40 +1100
Andrew Bartlett <abartlet at samba.org> wrote:
> > When two different user smb session (smb_uids) are multiplexed over one
> > tcp session from a single client to a single server - signing does not
> > appear to work on the first request for what will be the second uid ie
> > the 2nd SessionSetup request (at least from the Linux client).
> > There seems to be evidence that the sequence number used for signing is
> > global to the tcp session (not to the smb uid - smb session as I had
> > implemented).
> Correct. This of course implies that the security of the whole session
> is as good or bad as the *first* password to pass over it.
Actually if you end up LoggedInAsGuest I don't think the signing digest is
installed. So the first non-guest and non-null authentication establishes
the digest that is used for all subsequent communication.
As a side note I have observed that NT 4 (at least and I believe later
versions of Windows) do not check the signatures of session setups. The
jCIFS NTLM HTTP Authentication Filter can operate without a proper
digest installed even though the server requires signatures. Any other
types of messages fail (e.g. logoffs). I don't know why this is but I
suspect the server code just treats sessionsetups differently because
they establish the mac key and that code path is exercised even after
the digest is established. I don't know if this is true of NTLMv2 or
IRC - where men are men, women are men, and the boys are FBI agents.
More information about the samba-technical