encryption on network
dominic.dougherty at protegrity.com
Thu Jul 28 22:04:51 MDT 2011
One more option
Otfe with samba, but in this case you would need otfe on the client
From: Christopher R. Hertel [crh at ubiqx.mn.org]
Received: Thursday, 28 Jul 2011, 10:34pm
To: Dominic Dougherty [dominic.dougherty at protegrity.com]
CC: Steve French [smfrench at gmail.com]; Jeremy Allison [jra at samba.org]; samba-technical at lists.samba.org [samba-technical at lists.samba.org]; linux-cifs at vger.kernel.org [linux-cifs at vger.kernel.org]
Subject: Re: encryption on network
On 07/28/2011 09:11 PM, Dominic Dougherty wrote:
> Thanks guys,
> I know this is a interesting one and more than one way to solve it.
> 1.) install a vpn server which is natively support by any windows machine (PPTP or L2TP or IPSEC) on the samba server and establish a vpn connection to the samba server.
I actually prefer OpenVPN, since it runs well on so many platforms, but it's
important to go with whichever technology you are most comfortable running.
> 2.) the newer version of samba supports SSL. However, the only valid client for this is smbclient. Not support by the "net use" command.
This, as Jeremy so rightly pointed out, is based on the Unix extensions to SMB.
I whined earlier that there is no specification for this feature, but we
spent almost twenty years without a real specification for SMB itself. Even
now, the [MS-SMB] and [MS-CIFS] docs from Microsoft are written to reflect
Windows behavior. That is, the spec. has to match the product, not the
other way 'round.
> 3.) use sshfs on the samba server and install putty on the local windows box and use port forwarding to connect to the samba share.
> 4.) configure ipsec on the windows network
These are really just alternative ways of setting up a VPN.
> 5.) use webdav on apache with https
That would move you away from the SMB protocol entirely.
> 6.) using stunnel and Microsoft loopback adapter encrypt traffic.
Same as 1, 3, and 4.
> I was hoping to get something working without installing anything extra on the client and which could be natively support by windows.
No such puppy.
> CIFS is supposed to support encryption, I would have to check up on that.
If you mean CIFS the Linux file system, then you are correct. It supports
the Unix extensions to SMB and so, therefore, should support encrypted SMB
traffic. There just hasn't been time to add that feature yet.
If you mean CIFS the alternative name for the SMB protocol, then no. I was
lead author of Microsoft's [MS-CIFS] and [MS-SMB] specifications so I am
quite sure about this. There's no encryption of file data in the
> -----Original Message-----
> From: Steve French [mailto:smfrench at gmail.com]
> Sent: Thursday, July 28, 2011 9:23 PM
> To: Christopher R. Hertel
> Cc: Jeremy Allison; Dominic Dougherty; samba-technical at lists.samba.org; linux-cifs at vger.kernel.org
> Subject: Re: encryption on network
> On Thu, Jul 28, 2011 at 7:26 PM, Christopher R. Hertel<crh at ubiqx.mn.org> wrote:
>> Jeremy Allison wrote:
>>>> Right, but the question particularly listed WinXP as one of the
>>>> participating clients. Windows clients don't support the Unix extensions,
>>>> so they don't support encrypted SMB and that kinda ruins the whole thing,
>>>> eh? [sad face]
>>> Yes I realize that. But that's not what you said. You said:
>>> "The SMB protocol does not provide any mechanism for encrypting traffic
>>> between clients and servers." - but that's not generically true,
>>> only between *Microsoft* clients and servers.
>> Well... technically the SMB protocol (as it exists today) is defined by the
>> Microsoft specifications, and they don't include any support for encryption.
>> There is, unfortunately, no "official" specification of the Unix extensions
>> for SMB (only an old draft that doesn't include encryption, IIRC). Also, as
>> their name suggests, they're extensions to the protocol which means that
>> they're not part of the protocol itself.
>>> You made it sound like that was definitive, and you are the
>>> acknowledged authority on CIFS/SMB, so I couldn't let that
>>> stand. People link to your posts here :-).
>> Absolutely right to set the record straight. I should have added the caveat
>> that the Unix extensions include support for encryption.
>>>> Please allow me to join the choir on that. (I'll sit at the back and not
>>>> get in anyone's way.) [winky face]
>>> Maybe if we all wish REALLY HARD, Steve and Jeff will hear
>>> us.. :-).
>> Don't forget to click your heels together and burn the tana leaves when the
>> moon is full over Vermont. ;)
> I haven't forgotten ... just queued up behind reviewing ~10 other patches.
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)----- crh at ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- crh at ubiqx.org
More information about the samba-technical