* Re: encryption on network
From: Jeremy Allison @ 2011-07-28 23:54 UTC
To: Christopher R. Hertel
Cc: Steve French, Dominic Dougherty, samba-technical@lists.samba.org,
linux-cifs
On Thu, Jul 28, 2011 at 05:59:41PM -0500, Christopher R. Hertel wrote:
> The network traffic is not encrypted.
>
> The SMB protocol does not provide any mechanism for encrypting traffic
> between clients and servers.
As shipped by Microsoft :-). The UNIX extensions to SMB allow
encrypted traffic between clients and servers and Samba has
supported this for a long time (smbclient -e will encrypt
traffic).
> The only good way to ensure that the traffic
> is encrypted is to create a VPN and ensure that SMB traffic is always
> contained within the VPN.
Or use Samba smbclient to a smbd server :-). Of course, we
really need this in the Linux CIFS client.
Steve French - where's my encrypted transport code !!! (your
monthly ping on this :-).
Jeremy.
* Re: encryption on network
From: Christopher R. Hertel @ 2011-07-29 0:08 UTC
To: Jeremy Allison
Cc: Steve French, Dominic Dougherty, samba-technical@lists.samba.org,
linux-cifs
Jeremy Allison wrote:
> On Thu, Jul 28, 2011 at 05:59:41PM -0500, Christopher R. Hertel wrote:
>> The network traffic is not encrypted.
>>
>> The SMB protocol does not provide any mechanism for encrypting traffic
>> between clients and servers.
>
> As shipped by Microsoft :-). The UNIX extensions to SMB allow
> encrypted traffic between clients and servers and Samba has
> supported this for a long time (smbclient -e will encrypt
> traffic).
Right, but the question particularly listed WinXP as one of the
participating clients. Windows clients don't support the Unix extensions,
so they don't support encrypted SMB and that kinda ruins the whole thing,
eh? [sad face]
>> The only good way to ensure that the traffic
>> is encrypted is to create a VPN and ensure that SMB traffic is always
>> contained within the VPN.
>
> Or use Samba smbclient to a smbd server :-). Of course, we
> really need this in the Linux CIFS client.
...and that's the other piece. Smbclient is a very useful tool, but not
what you want to use if you are trying to mount a file system.
> Steve French - where's my encrypted transport code !!! (your
> monthly ping on this :-).
Please allow me to join the choir on that. (I'll sit at the back and not
get in anyone's way.) [winky face]
Chris -)-----
--
"Implementing CIFS - the Common Internet FileSystem" ISBN: 013047116X
Samba Team -- http://www.samba.org/ -)----- Christopher R. Hertel
jCIFS Team -- http://jcifs.samba.org/ -)----- ubiqx development, uninq.
ubiqx Team -- http://www.ubiqx.org/ -)----- crh@ubiqx.mn.org
OnLineBook -- http://ubiqx.org/cifs/ -)----- crh@ubiqx.org
* Re: encryption on network
From: Jeremy Allison @ 2011-07-29 0:14 UTC
To: Christopher R. Hertel
Cc: Jeremy Allison, Dominic Dougherty, samba-technical@lists.samba.org,
Steve French, linux-cifs
On Thu, Jul 28, 2011 at 07:08:04PM -0500, Christopher R. Hertel wrote:
> Jeremy Allison wrote:
> > On Thu, Jul 28, 2011 at 05:59:41PM -0500, Christopher R. Hertel wrote:
> >> The network traffic is not encrypted.
> >>
> >> The SMB protocol does not provide any mechanism for encrypting traffic
> >> between clients and servers.
> >
> > As shipped by Microsoft :-). The UNIX extensions to SMB allow
> > encrypted traffic between clients and servers and Samba has
> > supported this for a long time (smbclient -e will encrypt
> > traffic).
>
> Right, but the question particularly listed WinXP as one of the
> participating clients. Windows clients don't support the Unix extensions,
> so they don't support encrypted SMB and that kinda ruins the whole thing,
> eh? [sad face]
Yes I realize that. But that's not what you said. You said:
"The SMB protocol does not provide any mechanism for encrypting traffic
between clients and servers." - but that's not generically true,
only between *Microsoft* clients and servers.
You made it sound like that was definitive, and you are the
acknowledged authority on CIFS/SMB, so I couldn't let that
stand. People link to your posts here :-).
> Please allow me to join the choir on that. (I'll sit at the back and not
> get in anyone's way.) [winky face]
Maybe if we all wish REALLY HARD, Steve and Jeff will hear
us.. :-).
Jeremy.
* Re: encryption on network
From: Christopher R. Hertel @ 2011-07-29 0:26 UTC
To: Jeremy Allison
Cc: Steve French, Dominic Dougherty, samba-technical@lists.samba.org,
linux-cifs
Jeremy Allison wrote:
:
>> Right, but the question particularly listed WinXP as one of the
>> participating clients. Windows clients don't support the Unix extensions,
>> so they don't support encrypted SMB and that kinda ruins the whole thing,
>> eh? [sad face]
>
> Yes I realize that. But that's not what you said. You said:
> "The SMB protocol does not provide any mechanism for encrypting traffic
> between clients and servers." - but that's not generically true,
> only between *Microsoft* clients and servers.
Well... technically the SMB protocol (as it exists today) is defined by the
Microsoft specifications, and they don't include any support for encryption.
There is, unfortunately, no "official" specification of the Unix extensions
for SMB (only an old draft that doesn't include encryption, IIRC). Also, as
their name suggests, they're extensions to the protocol which means that
they're not part of the protocol itself.
> You made it sound like that was definitive, and you are the
> acknowledged authority on CIFS/SMB, so I couldn't let that
> stand. People link to your posts here :-).
Absolutely right to set the record straight. I should have added the caveat
that the Unix extensions include support for encryption.
>> Please allow me to join the choir on that. (I'll sit at the back and not
>> get in anyone's way.) [winky face]
>
> Maybe if we all wish REALLY HARD, Steve and Jeff will hear
> us.. :-).
Don't forget to click your heels together and burn the tana leaves when the
moon is full over Vermont. ;)
Chris -)-----
* Re: encryption on network
From: Steve French @ 2011-07-29 1:23 UTC
To: Christopher R. Hertel
Cc: Jeremy Allison, Dominic Dougherty, samba-technical@lists.samba.org,
linux-cifs
On Thu, Jul 28, 2011 at 7:26 PM, Christopher R. Hertel <crh@ubiqx.mn.org> wrote:
> Jeremy Allison wrote:
> :
>>> Right, but the question particularly listed WinXP as one of the
>>> participating clients. Windows clients don't support the Unix extensions,
>>> so they don't support encrypted SMB and that kinda ruins the whole thing,
>>> eh? [sad face]
>>
>> Yes I realize that. But that's not what you said. You said:
>> "The SMB protocol does not provide any mechanism for encrypting traffic
>> between clients and servers." - but that's not generically true,
>> only between *Microsoft* clients and servers.
>
> Well... technically the SMB protocol (as it exists today) is defined by the
> Microsoft specifications, and they don't include any support for encryption.
>
> There is, unfortunately, no "official" specification of the Unix extensions
> for SMB (only an old draft that doesn't include encryption, IIRC). Also, as
> their name suggests, they're extensions to the protocol which means that
> they're not part of the protocol itself.
>
>> You made it sound like that was definitive, and you are the
>> acknowledged authority on CIFS/SMB, so I couldn't let that
>> stand. People link to your posts here :-).
>
> Absolutely right to set the record straight. I should have added the caveat
> that the Unix extensions include support for encryption.
>
>>> Please allow me to join the choir on that. (I'll sit at the back and not
>>> get in anyone's way.) [winky face]
>>
>> Maybe if we all wish REALLY HARD, Steve and Jeff will hear
>> us.. :-).
>
> Don't forget to click your heels together and burn the tana leaves when the
> moon is full over Vermont. ;)
I haven't forgotten ... just queued up behind reviewing ~10 other patches.
--
Thanks,
Steve
* RE: encryption on network
From: Dominic Dougherty @ 2011-07-29 2:11 UTC
To: Steve French, Christopher R. Hertel
Cc: linux-cifs@vger.kernel.org, samba-technical@lists.samba.org,
Jeremy Allison
Thanks guys,
I know this is an interesting one and there is more than one way to solve it.
1.) install a vpn server which is natively supported by any windows machine (PPTP or L2TP or IPSEC) on the samba server and establish a vpn connection to the samba server.
2.) the newer version of samba supports SSL. However, the only valid client for this is smbclient. Not supported by the "net use" command.
3.) use sshfs on the samba server and install putty on the local windows box and use port forwarding to connect to the samba share.
4.) configure ipsec on the windows network
5.) use webdav on apache with https
6.) using stunnel and Microsoft loopback adapter to encrypt traffic.
I was hoping to get something working without installing anything extra on the client and which could be natively supported by windows.
CIFS is supposed to support encryption, I would have to check up on that.
Dominic
* Re: encryption on network
From: Christopher R. Hertel @ 2011-07-29 2:34 UTC
To: Dominic Dougherty
Cc: Steve French, samba-technical@lists.samba.org, Jeremy Allison,
linux-cifs@vger.kernel.org
On 07/28/2011 09:11 PM, Dominic Dougherty wrote:
> Thanks guys,
>
> I know this is an interesting one and there is more than one way to solve it.
>
> 1.) install a vpn server which is natively supported by any windows machine (PPTP or L2TP or IPSEC) on the samba server and establish a vpn connection to the samba server.
I actually prefer OpenVPN, since it runs well on so many platforms, but it's
important to go with whichever technology you are most comfortable running.
> 2.) the newer version of samba supports SSL. However, the only valid client for this is smbclient. Not supported by the "net use" command.
This, as Jeremy so rightly pointed out, is based on the Unix extensions to SMB.
I whined earlier that there is no specification for this feature, but we
spent almost twenty years without a real specification for SMB itself. Even
now, the [MS-SMB] and [MS-CIFS] docs from Microsoft are written to reflect
Windows behavior. That is, the spec. has to match the product, not the
other way 'round.
> 3.) use sshfs on the samba server and install putty on the local windows box and use port forwarding to connect to the samba share.
> 4.) configure ipsec on the windows network
These are really just alternative ways of setting up a VPN.
> 5.) use webdav on apache with https
That would move you away from the SMB protocol entirely.
> 6.) using stunnel and Microsoft loopback adapter to encrypt traffic.
Same as 1, 3, and 4.
> I was hoping to get something working without installing anything extra on the client and which could be natively supported by windows.
No such puppy.
> CIFS is supposed to support encryption, I would have to check up on that.
If you mean CIFS the Linux file system, then you are correct. It supports
the Unix extensions to SMB and so, therefore, should support encrypted SMB
traffic. There just hasn't been time to add that feature yet.
If you mean CIFS the alternative name for the SMB protocol, then no. I was
lead author of Microsoft's [MS-CIFS] and [MS-SMB] specifications so I am
quite sure about this. There's no encryption of file data in the
protocol...dangit.
Chris -)-----
* Re: encryption on network
From: Dominic Dougherty @ 2011-07-29 4:04 UTC
To: Christopher R. Hertel
Cc: Steve French, Jeremy Allison, samba-technical@lists.samba.org,
linux-cifs@vger.kernel.org
One more option
OTFE with Samba, but in this case you would need OTFE on the client.
* Re: encryption on network
From: Jeff Layton @ 2011-07-29 10:16 UTC
To: Jeremy Allison
Cc: Christopher R. Hertel, Dominic Dougherty, samba-technical@lists.samba.org,
Steve French, linux-cifs
On Thu, 28 Jul 2011 17:14:35 -0700
Jeremy Allison <jra-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org> wrote:
> On Thu, Jul 28, 2011 at 07:08:04PM -0500, Christopher R. Hertel wrote:
> > Jeremy Allison wrote:
> > > On Thu, Jul 28, 2011 at 05:59:41PM -0500, Christopher R. Hertel wrote:
> > >> The network traffic is not encrypted.
> > >>
> > >> The SMB protocol does not provide any mechanism for encrypting traffic
> > >> between clients and servers.
> > >
> > > As shipped by Microsoft :-). The UNIX extensions to SMB allow
> > > encrypted traffic between clients and servers and Samba has
> > > supported this for a long time (smbclient -e will encrypt
> > > traffic).
> >
> > Right, but the question particularly listed WinXP as one of the
> > participating clients. Windows clients don't support the Unix extensions,
> > so they don't support encrypted SMB and that kinda ruins the whole thing,
> > eh? [sad face]
>
> Yes I realize that. But that's not what you said. You said:
> "The SMB protocol does not provide any mechanism for encrypting traffic
> between clients and servers." - but that's not generically true,
> only between *Microsoft* clients and servers.
>
> You made it sound like that was definitive, and you are the
> acknowledged authority on CIFS/SMB, so I couldn't let that
> stand. People link to your posts here :-).
>
> > Please allow me to join the choir on that. (I'll sit at the back and not
> > get in anyone's way.) [winky face]
>
> Maybe if we all wish REALLY HARD, Steve and Jeff will hear
> us.. :-).
>
Sorry, just haven't heard great hue and cry for this feature (other
than from you, of course :). My next task for cifs is to make it do
parallel reads, but I haven't had time to start on that yet.
--
Jeff Layton <jlayton-eUNUBHrolfbYtjvyW6yDsg@public.gmane.org>
* Re: encryption on network
From: simo @ 2011-07-29 13:25 UTC
To: Christopher R. Hertel
Cc: Steve French, Dominic Dougherty, samba-technical@lists.samba.org,
Jeremy Allison, linux-cifs@vger.kernel.org
On Thu, 2011-07-28 at 21:34 -0500, Christopher R. Hertel wrote:
> On 07/28/2011 09:11 PM, Dominic Dougherty wrote:
> > 2.) the newer version of samba supports SSL. However, the only valid client for this is smbclient. Not supported by the "net use" command.
>
> This, as Jeremy so rightly pointed out, is based on the Unix extensions to SMB.
No, that's gssapi based encryption, we used to have support for SSL
encryption in the past (using a very nasty hack) but I think we removed
that support way back during the 3.0.x series.
--
Simo Sorce
Samba Team GPL Compliance Officer <simo@samba.org>
Principal Software Engineer at Red Hat, Inc. <simo@redhat.com>
* Re: encryption on network
From: Jeremy Allison @ 2011-07-29 16:34 UTC
To: Jeff Layton
Cc: Jeremy Allison, Christopher R. Hertel, Dominic Dougherty,
samba-technical@lists.samba.org, Steve French, linux-cifs
On Fri, Jul 29, 2011 at 06:16:10AM -0400, Jeff Layton wrote:
>
> Sorry, just haven't heard great hue and cry for this feature (other
> than from you, of course :). My next task for cifs is to make it do
> parallel reads, but I haven't had time to start on that yet.
The reason you haven't heard requests for this feature (IMHO) is
that no one knows it's even possible. It's been in the server
and client libraries for about 5+ years (if my memory serves
me right). Once you make it available in CIFSFS I think you'll
find a whole host of opportunities will open up for CIFS use
that weren't there before from people who need secure transport but
don't want to set up IPsec.
Jeremy.
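The thread establishes that Samba can encrypt the transport for clients such as `smbclient -e`, but that only protects data if the server refuses unencrypted sessions. As an added example (not code from the thread or from Samba), the script below audits smb.conf text for shares that would still accept unencrypted clients. It assumes Samba's per-share `smb encrypt` parameter from smb.conf(5), which the thread does not name; the sample configuration, share names and paths are constructed.

```python
"""Audit smb.conf text for shares that do not require SMB transport encryption.

Added illustration, not code from the thread. Assumes Samba's per-share
"smb encrypt" parameter from smb.conf(5); value names differ between Samba
releases, so check the man page of the installed version.
"""

# Values that make smbd refuse clients which do not negotiate encryption.
ENFORCING = {"mandatory", "required"}

# Constructed sample configuration (share names and paths are made up).
SAMPLE_CONF = """\
[global]
    workgroup = EXAMPLE
    smb encrypt = auto

[finance]
    path = /srv/finance
    smb encrypt = mandatory

; anonymous drop box, inherits the [global] setting
[public]
    path = /srv/public
    guest ok = yes

[Legacy]
    path = /srv/legacy
    comment = share for old clients, \\
        kept for compatibility
    SMB Encrypt = disabled
"""


def parse_smb_conf(text):
    """Return {section: {param: value}} with smb.conf name normalisation.

    Section and parameter names are case-insensitive and whitespace inside a
    parameter name is ignored, so "SMB Encrypt" and "smbencrypt" are the same
    key. Lines starting with '#' or ';' are comments; a trailing backslash
    continues the line.
    """
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current]["".join(key.lower().split())] = value.strip()
    return sections


def effective_encryption(text):
    """Map each share to its effective "smb encrypt" value.

    A share without its own setting inherits the one in [global]; if neither
    sets it, the value is reported as "unset" (the built-in default applies).
    """
    sections = parse_smb_conf(text)
    inherited = sections.get("global", {}).get("smbencrypt", "unset")
    return {name: params.get("smbencrypt", inherited).lower()
            for name, params in sections.items() if name != "global"}


def unenforced_shares(text):
    """Sorted names of shares that still accept unencrypted sessions."""
    return sorted(name for name, value in effective_encryption(text).items()
                  if value not in ENFORCING)


if __name__ == "__main__":
    for share, value in sorted(effective_encryption(SAMPLE_CONF).items()):
        state = "enforced" if value in ENFORCING else "NOT enforced"
        print(f"[{share}] smb encrypt = {value}: {state}")
```

Shares reported as not enforced remain readable on the wire by any client that does not ask for encryption, which per the thread includes Windows clients and the Linux CIFS mount at the time.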