values for "client signing" and "server signing"

Andrew Bartlett abartlet at samba.org
Wed Nov 2 23:51:58 MDT 2011


On Wed, 2011-11-02 at 21:38 +0100, Stefan (metze) Metzmacher wrote:
> Hi Andrew,
> 
> >> Then remove SMB_SIGNING_AUTO and map "auto" to SMB_SIGNING_SUPPORTED.
> >> Then we could have a new "desired", "if_required" that maps to
> >> SMB_SIGNING_DESIRED
> >> and lets the client use signing if the server supports it.
> > 
> > I don't see the value in the desired setting, due to historical
> > behaviours of Windows clients and servers.  It seems to me that SMB
> > signing is only ever enabled on DCs, and there it is required.  I say
> > this because what is the value of negotiated SMB signing, when the
> > negotiation is subject to MITM attacks.  If SMB signing had been in the
> > protocols early enough, we could have required that session setup
> > packets be signed, and so had a sensible way to turn this off safely for
> > bulk data.  However, we don't, and as I understand it even SMB2 didn't
> > do this properly.
> > 
> > The choice of what options to present to the client depends on if we
> > wish to give users maximum choice, or just the options they can actually
> > use to improve network security:
> > 
> > Therefore, for the client, I see three settings:
> >  - disabled
> >  - default (use if available or required, e.g. by the DC), matches the Windows
> > default as I recall
> >  - required (paranoid, for specialist environments)
> > 
> > On the server I see three settings:
> >  - disabled
> >  - default (off for normal servers, required for the DC)
> >  - required
> > 
> > The additional option of 'supported' (available but not required) on the
> > server is possible as well, but it would only be helpful for testing;
> > it would not improve network security because a MITM can just disable
> > it.
> > 
> > On the client, I guess we can have the option of 'only if required' but
> > would anyone use it, given no servers set 'supported' due to the
> > performance cost?
> > 
> > The only other detail is to ensure that in our DC client code (e.g.
> > winbindd) we require SMB signing, to protect that communication from
> > alteration.
> > 
> > I do appreciate you sorting out the options here, it is important to get
> > this in common, both for your work in the client libs, and for the work
> > towards a common loadparm.  I trust your judgement in working it out
> > from here.
> 
> I've prepared a branch with the changes, it doesn't pass make test yet,
> but I hope you get the idea. (I'll later add SMB_SIGNING_IF_SUPPORTED).
> http://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master3-signing

Wow, that is a big patch stream.

I've looked over the approach (and each patch, but not in detail), and
it seems to be exactly the right idea.  Thanks for using the
SMB_SIGNING_ prefix as the long-term name of the constants. 

The final stage will be to share the enumeration in the loadparm libs.
I'll try to prepare a demo of that for 'security=' to show you how to do
it. 

> If that's done I'll be very close to bringing my smb2 client library
> changes to master
> http://gitweb.samba.org/?p=metze/samba/wip.git;a=shortlog;h=refs/heads/master4-smb2

I had a harder time making sense of this branch, but I'll take it on
trust that it's a good thing.  Let me know if there is anything more I
can do to help.

Andrew Bartlett

-- 
Andrew Bartlett                                http://samba.org/~abartlet/
Authentication Developer, Samba Team           http://samba.org
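The argument above, that a negotiated-but-not-required signing setting buys nothing against an active attacker, is easy to check with a small model. The following is an added example written for this page; it is not Samba code and does not use Samba's real option names or negotiate path. It assumes the two SMB2 NEGOTIATE SecurityMode flags stand in for the whole exchange, that the policy names mirror the settings discussed in the thread ("disabled", "if_required", "supported", "desired", "required"), and that a MITM who can answer or rewrite the unsigned NEGOTIATE reply simply clears the server's signing flags.

```python
"""Toy model of SMB signing negotiation under a downgrade attack.

Added example, not Samba code. Assumptions: the two SMB2 SecurityMode
flags stand in for the whole negotiation; the policy names follow the
thread rather than smb.conf syntax; a MITM that can rewrite the (unsigned)
NEGOTIATE reply clears the server's signing flags.
"""
from enum import Enum

# SMB2 NEGOTIATE SecurityMode flags as defined in MS-SMB2.
SMB2_NEGOTIATE_SIGNING_ENABLED = 0x0001
SMB2_NEGOTIATE_SIGNING_REQUIRED = 0x0002


class Signing(Enum):
    """Modelled policies (names follow the thread, not smb.conf)."""
    OFF = "disabled"             # never sign
    IF_REQUIRED = "if_required"  # client: sign only if the server insists
    SUPPORTED = "supported"      # server: can sign, client decides
    DESIRED = "desired"          # client: sign whenever the server can
    REQUIRED = "required"        # refuse any peer that will not sign


def security_mode(policy):
    """Flags a peer with this policy advertises in NEGOTIATE."""
    if policy is Signing.OFF:
        return 0
    if policy is Signing.REQUIRED:
        return SMB2_NEGOTIATE_SIGNING_ENABLED | SMB2_NEGOTIATE_SIGNING_REQUIRED
    return SMB2_NEGOTIATE_SIGNING_ENABLED


def client_decision(policy, observed_server_mode):
    """What the client does given the server flags it actually received.

    Returns "signed", "unsigned" or "rejected".
    """
    enabled = bool(observed_server_mode & SMB2_NEGOTIATE_SIGNING_ENABLED)
    required = bool(observed_server_mode & SMB2_NEGOTIATE_SIGNING_REQUIRED)
    if policy is Signing.OFF:
        return "rejected" if required else "unsigned"
    if policy is Signing.REQUIRED:
        return "signed" if enabled else "rejected"
    if policy is Signing.IF_REQUIRED:
        return "signed" if required else "unsigned"
    # DESIRED (and SUPPORTED, if used on a client): sign when the peer can.
    return "signed" if enabled else "unsigned"


def negotiate(client_policy, server_policy, mitm=False):
    """Outcome of one NEGOTIATE exchange from the client's point of view.

    With mitm=True the attacker answers NEGOTIATE in the server's place
    (or rewrites the real reply) with no signing flags. Nothing is signed
    at this stage, so the client cannot tell the reply was altered.
    """
    server_mode = 0 if mitm else security_mode(server_policy)
    return client_decision(client_policy, server_mode)


def downgradeable(client_policy, server_policy):
    """True if signing would be used with the honest server, yet an
    attacker can still obtain an unsigned session from this client."""
    honest = negotiate(client_policy, server_policy)
    attacked = negotiate(client_policy, server_policy, mitm=True)
    return honest == "signed" and attacked == "unsigned"


if __name__ == "__main__":
    clients = (Signing.OFF, Signing.IF_REQUIRED, Signing.DESIRED, Signing.REQUIRED)
    servers = (Signing.OFF, Signing.SUPPORTED, Signing.REQUIRED)
    for c in clients:
        for s in servers:
            print(f"client={c.value:<12} server={s.value:<10} "
                  f"honest={negotiate(c, s):<9} mitm={negotiate(c, s, True):<9} "
                  f"downgradeable={downgradeable(c, s)}")
```

Running the table shows the point made in the quoted text: every client policy other than "required" can be talked out of signing by clearing flags in a reply that is not yet protected, regardless of what the real server is configured to do. That is why the DC-facing client code (winbindd and friends) needs "required" rather than relying on the server advertising it.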


