Security issues when using Samba?
Good morning people! I have Apache running on a Linux machine. Now the guy who takes care of the www sites doesn't want to log into the Linux machine to update the sites (let's say with scp); he just wants to copy the new files to a network device on his Windows machine, on which he wants to mount the httpd directories of the Linux machine, which is running Samba. My question is: is it secure to let Samba authenticate a user on the Linux machine (let's say a current user "webmaster" who only owns the needed directories)? Does the option "encrypt passwords=yes" provide an acceptable level of security (this last question may be OT?)? Between the www guy's machine and the Linux machine are two or three routers; the whole network is about 150 machines big. All these other machines must be considered untrusted. All of the files exported by Samba are public, so no encryption of data is needed. Any other suggestions concerning security in this case? Thanks a lot! Anibal
On Mon, 23 Oct 2000, Anibal Vasquez wrote:
My question is: is it secure to let Samba authenticate a user on the Linux machine (let's say a current user "webmaster" who only owns the needed directories)? Does the option "encrypt passwords=yes" provide an acceptable level of security (this last question may be OT?)?
Between the www guy's machine and the Linux machine are two or three routers; the whole network is about 150 machines big. All these other machines must be considered untrusted. All of the files exported by Samba are public, so no encryption of data is needed.
Encrypted passwords do inhibit cleartext passwords for Samba on the net. AFAIK there is no further host authentication done by Samba (maybe when used as NT PDC?). Any machine on the net can record and play back the password. You can use Samba's "hosts allow" to make it listen only to specific IPs. If you really have to consider spoofed IPs that doesn't help either.
Cheers, Robert
-- Robert Casties --------------------- http://philoscience.unibe.ch/~casties History & Philosophy of Science Tel: +41/31/631-8505 Room: 216 Institute for Exact Sciences Sidlerstrasse 5, CH-3012 Bern Uni Bern (PGP key on homepage: D7 2B DE 64 2D 65 16 A0)
The problem is that the password is still transmitted over the network in clear text, thus anyone running a sniffer on the network may be able to get your passwords. Ideally, if you can have a Linux box on his end as well and then do a VPN using FreeS/WAN, you can be sure your communications are not being tapped. Otherwise, for me, I use a web based interface for users who want to upload their pages, using mod_dav and webrfm, and of course I use SSL for it.
semat wrote:
The problem is that the password is still transmitted over the network in clear text, thus anyone running a sniffer on the network may be able to get your passwords.
I really don't believe this is true. IMHO Samba's password encryption mode does provide true password encryption (although I don't quite know how good this encryption is).
On Mon, 23 Oct 2000, Lars Trebing wrote:
semat wrote:
The problem is that the password is still transmitted over the network in clear text, thus anyone running a sniffer on the network may be able to get your passwords.
I really don't believe this is true. IMHO Samba's password encryption mode does provide true password encryption (although I don't quite know how good this encryption is).
AFAIK the encryption is OK (MD5 or so). The only problem is that the encrypted password is used as a cookie. It is just compared to the value in smbpasswd. If anyone gets your smbpasswd he can use the value to authenticate. This is different from the way Unix login works, where you still have to solve the backward problem of regenerating a password from a crypt value to break in.
Cheers, Robert
-- Robert Casties --------------------- http://philoscience.unibe.ch/~casties History & Philosophy of Science Tel: +41/31/631-8505 Room: 216 Institute for Exact Sciences Sidlerstrasse 5, CH-3012 Bern Uni Bern (PGP key on homepage: D7 2B DE 64 2D 65 16 A0)
The encryption is easily breakable, see http://www.l0pht.com/l0phtcrack/
From the samba-2.0.7/docs/textdocs/ENCRYPTION.txt:
<samba-docs> LanManager encryption is somewhat similar to UNIX password encryption. The server uses a file containing a hashed value of a user's password. This is created by taking the user's plaintext password, capitalising it, and either truncating to 14 bytes (or padding to 14 bytes with null bytes). This 14 byte value is used as two 56 bit DES keys to encrypt a 'magic' eight byte value, forming a 16 byte value which is stored by the server and client. Let this value be known as the *hashed password*. Windows NT encryption is a higher quality mechanism, consisting of doing an MD4 hash on a Unicode version of the user's password. This also produces a 16 byte hash value that is non-reversible. </samba-docs>
The information is out there if you just look for it.
-miah
On Mon, Oct 23, 2000 at 03:54:43PM +0200, Robert Casties wrote:
On Mon, 23 Oct 2000, Lars Trebing wrote:
semat wrote:
The problem is that the password is still transmitted over the network in clear text, thus anyone running a sniffer on the network may be able to get your passwords.
I really don't believe this is true. IMHO Samba's password encryption mode does provide true password encryption (although I don't quite know how good this encryption is).
AFAIK the encryption is OK (MD5 or so). The only problem is that the encrypted password is used as a cookie. It is just compared to the value in smbpasswd. If anyone gets your smbpasswd he can use the value to authenticate.
This is different from the way unix login works where you still have to solve the backward problem to regenerate a password from a crypt value to break in.
Cheers Robert
-- Robert Casties --------------------- http://philoscience.unibe.ch/~casties History & Philosophy of Science Tel: +41/31/631-8505 Room: 216 Institute for Exact Sciences Sidlerstrasse 5, CH-3012 Bern Uni Bern (PGP key on homepage: D7 2B DE 64 2D 65 16 A0)
--------------------------------------------------------------------- To unsubscribe, e-mail: suse-security-unsubscribe@suse.com For additional commands, e-mail: suse-security-help@suse.com
Be aware though, that the LANMAN and NT encryption methods do not "salt" the encryption, so if two users happen to choose the same password, the encrypted hash for each user will look the same. Hence, if you know one password, you actually know both. Also, if the password is 7 or fewer characters, only the first half of the 14 byte hash is required to crack the password. - Herman
On Mon, 23 Oct 2000 jjohnson@penguincomputing.com wrote:
The encryption is easily breakable, see http://www.l0pht.com/l0phtcrack/
From the samba-2.0.7/docs/textdocs/ENCRYPTION.txt:
<samba-docs> LanManager encryption is somewhat similar to UNIX password encryption. The server uses a file containing a hashed value of a user's password. This is created by taking the user's plaintext password, capitalising it, and either truncating to 14 bytes (or padding to 14 bytes with null bytes). This 14 byte value is used as two 56 bit DES keys to encrypt a 'magic' eight byte value, forming a 16 byte value which is stored by the server and client. Let this value be known as the *hashed password*. Windows NT encryption is a higher quality mechanism, consisting of doing an MD4 hash on a Unicode version of the user's password. This also produces a 16 byte hash value that is non-reversible. </samba-docs>
The information is out there if you just look for it.
-miah
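The two consequences Herman draws from the unsalted LM/NT scheme, and the NT hash construction the ENCRYPTION.txt excerpt describes, can be checked directly against an smbpasswd file. The following is an added example, not code from this thread or from the Samba project: a pure-Python MD4 (RFC 1320) computes the NT hash exactly as the excerpt states it (MD4 over the UTF-16LE password, no salt), and an audit routine then reports what those hashes reveal without cracking anything: users whose NT hashes are identical share a password, and an LM hash whose second half is the well-known null-key block AAD3B435B51404EE belongs to a password of 7 characters or fewer. The smbpasswd lines, uids, LCT values and passwords are constructed for the example, the LM first halves are placeholder hex (a real LM half needs DES, which is not included), and the file layout assumed is the Samba 2.x one (user:uid:LMHASH:NTHASH:[flags]:LCT-time:).

```python
import struct

MASK32 = 0xFFFFFFFF


def _lrot(x, n):
    return ((x << n) | (x >> (32 - n))) & MASK32


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 in pure Python; hashlib's md4 is often unavailable on
    modern OpenSSL builds, so it is implemented here."""
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", (8 * len(data)) & 0xFFFFFFFFFFFFFFFF)
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    # (function, additive constant, per-step shifts, message word order) per round
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), tuple(range(16))),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for fn, K, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _lrot((a + fn(b, c, d) + X[k] + K) & MASK32, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate registers so the next step updates the right one
        a, b, c, d = (a + aa) & MASK32, (b + bb) & MASK32, (c + cc) & MASK32, (d + dd) & MASK32
    return struct.pack("<4I", a, b, c, d)


def nt_hash(password: str) -> str:
    """NT hash as ENCRYPTION.txt describes it: MD4 over the UTF-16LE password, no salt."""
    return md4(password.encode("utf-16-le")).hex().upper()


# DES encryption of the LM 'magic' block under an all-null 7-byte key: this is the
# second half of every LM hash whose password has 7 or fewer characters.
LM_NULL_HALF = "AAD3B435B51404EE"
# Constructed stand-in for an LM half; computing a real one needs DES, not included here.
LM_PLACEHOLDER_HALF = "0123456789ABCDEF"

# Constructed smbpasswd excerpt (assumed Samba 2.x layout: user:uid:LMHASH:NTHASH:[flags]:LCT-time:).
# uids, LCT values and passwords are made up; the NT hashes are computed by nt_hash() above.
SAMPLE_SMBPASSWD = "\n".join([
    "# constructed sample, not a real smbpasswd file",
    "webmaster:1001:%s:%s:[U          ]:LCT-39F3D5A0:" % (LM_PLACEHOLDER_HALF * 2, nt_hash("password")),
    "alice:1002:%s:%s:[U          ]:LCT-39F3D5A0:" % (LM_PLACEHOLDER_HALF * 2, nt_hash("password")),
    "bob:1003:%s%s:%s:[U          ]:LCT-39F3D5A0:" % (LM_PLACEHOLDER_HALF, LM_NULL_HALF, nt_hash("Secret1")),
    "guest:1004:%s:%s:[U          ]:LCT-39F3D5A0:" % (LM_NULL_HALF * 2, nt_hash("")),
])


def audit_smbpasswd(text: str) -> dict:
    """Report what unsalted LM/NT hashes reveal about the passwords without cracking them."""
    report = {"empty_password": [], "short_lm_password": [], "shared_password": []}
    users_by_nt = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 4:
            continue
        user, lm, nt = fields[0], fields[2].upper(), fields[3].upper()
        if lm == LM_NULL_HALF * 2 or nt == nt_hash(""):
            report["empty_password"].append(user)
        elif len(lm) == 32 and lm[16:] == LM_NULL_HALF:
            # second DES block was keyed only by null padding: password is 7 chars or fewer
            report["short_lm_password"].append(user)
        if nt.strip("X"):  # skip an all-X 'no password' marker (assumed convention)
            users_by_nt.setdefault(nt, []).append(user)
    for users in users_by_nt.values():
        if len(users) > 1:
            # identical hash means identical password: there is no per-user salt
            report["shared_password"].append(sorted(users))
    return report


if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password"))
    for finding, users in audit_smbpasswd(SAMPLE_SMBPASSWD).items():
        print(finding, users)
```

The audit is a defender's tool: run over a real smbpasswd it tells an administrator which accounts need a password change (short or shared passwords) before anyone with read access to the file can exploit exactly the weaknesses this thread lists. The LM null-key constant is only a marker; the code never attempts to recover a password.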
Hi. On Mon, 23 Oct 2000 jjohnson@penguincomputing.com wrote:
The encryption is easily breakable see http://www.l0pht.com/l0phtcrack/
From the samba-2.0.7/docs/textdocs/ENCRYPTION.txt: <samba-docs> LanManager encryption is somewhat similar to UNIX password encryption. The server uses a file containing a hashed value of a [snip] </samba-docs>
If you read on, you will see that this hashed password is not transferred over the network, but instead used as a key in a challenge response authentication scheme. That is secure, as far as the password (or its hash) is concerned.
The information is out there if you just look for it.
Just my saying.
-miah
olli -- -------------------------------------- Oliver Hensel <oliver.hensel@gmx.net> <ohensel@security-academy.de> http://www.ohensel.de/ Training + Consulting Unix - Linux - Firewalls - Security --------------------------------------
Actually I am not a Samba expert, but I remember that turning on the password encryption feature in Samba enables the use of the /etc/smbpasswd file, and it is in this file that the password is encrypted; but when it is being transmitted over the network to the authenticating server, i.e. the Samba server, it is sent as clear text. I do not think that the Windows machine encrypts the password before sending it to the server for authentication. However, the Samba server encrypts the clear text password it gets and compares it with what it already has in its password file. I could be wrong, but I think it is almost like the usual user authentication in a telnet session. On Mon, 23 Oct 2000, Lars Trebing wrote:
semat wrote:
The problem is that the password is still transmitted over the network in clear text, thus anyone running a sniffer on the network may be able to get your passwords.
I really don't believe this is true. IMHO Samba's password encryption mode does provide true password encryption (although I don't quite know how good this encryption is).
I've heard that a new bind exploit is currently being used. Couldn't get it yet, but some people I know already have a copy of it. Does anyone have more up-to-date info? []s Davi
Do a search on bind 8.2.2 at www.cert.org!! Cheers davi@avati.com.br wrote:
I've heard that a new bind exploit is currently being used. Couldn't get it yet, but some people I know already have a copy of it.
Does anyone have more up-to-date info?
[]s Davi
Hi, first I think this thread should be on a Samba tech list instead. IIRC Win98/2K/ME and 95 and NT beginning with a service pack will transport the passwords encrypted. I do not know which file-sharing systems are to be treated as secure in an untrusted environment. There is more than one option: Coda, NFS, NW, and others that have (free) Win clients. Why don't you use a standard FTP connection? mike
Hi, Thomas Michael Wanka wrote:
first I think this thread should be on a samba tech list instead.
I am very sorry if my question was OT. I asked about security issues when using Samba, which is shipped with the SuSE distribution and is discussed in the SuSE documentation. Is there a samba-security list?
IIRC win98/2K/ME and 95 and NT beginning with a servicepack will transport the passwords encrypted.
Yes, that's right. But I asked about Samba...
I do not know which file-sharing systems are to be treated as secure in an untrusted environment. There is more than one option: Coda, NFS, NW, and others that have (free) Win clients. Why don't you use a standard FTP connection?
Because the www-guy wants a windows network device! Thanks for your answer, Anibal
The problem is that the password is still transmitted over the network in clear text, thus anyone running a sniffer on the network may be able to get your passwords. Ideally, if you can have a Linux box on his end as well and then do a VPN using FreeS/WAN, you can be sure your communications are not being tapped. Otherwise, for me, I use a web based interface for users who want to upload their pages, using mod_dav and webrfm, and of course I use SSL for it.
Here we go merrily smoking crack again~
SMB can use encrypted passwords.
[seifried@stench seifried]$ grep pass /etc/samba/smb.conf
encrypt passwords = Yes
password server = 10.3.0.20
You can also SSL wrap all SMB communications (yes, windows supports it). From man smb.conf:
o ssl
o ssl CA certDir
o ssl CA certFile
o ssl ciphers
o ssl client cert
o ssl client key
o ssl compatibility
o ssl hosts
o ssl hosts resign
o ssl require clientcert
o ssl require servercert
o ssl server cert
o ssl server key
o ssl version
Kurt Seifried - seifried@securityportal.com SecurityPortal, your focal point for security on the net http://www.securityportal.com/
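Kurt's grep shows the one smb.conf setting this thread keeps returning to, and Robert's reply earlier in the thread added "hosts allow" as a second control. As an added example (not Kurt's configuration and not Samba project code), the following Python puts a share configuration with the weak settings beside a corrected one and audits both with a small checker: encrypt passwords off, no hosts allow filter, guest access, and a writable share without a valid users restriction are each reported. Both smb.conf texts are constructed for the example, with 192.0.2.10 as an assumed workstation address and /usr/local/httpd/htdocs as an assumed document root; as Robert noted, hosts allow only filters on the claimed source address and does not help against spoofed IPs.

```python
import configparser

# Constructed smb.conf fragments (not from Kurt's machine). The document root and
# the workstation address 192.0.2.10 are assumptions made for this example.
WEAK_SMB_CONF = """\
[global]
workgroup = WEBTEAM
security = user
; 'encrypt passwords' left at the Samba 2.0 default (no): clients send plaintext
[www]
path = /usr/local/httpd/htdocs
writable = yes
guest ok = yes
"""

HARDENED_SMB_CONF = """\
[global]
workgroup = WEBTEAM
security = user
encrypt passwords = yes
; only the webmaster's workstation (and the box itself) may talk to smbd at all
hosts allow = 192.0.2.10 127.0.0.1
hosts deny = ALL
[www]
path = /usr/local/httpd/htdocs
writable = yes
guest ok = no
valid users = webmaster
"""


def _yes(value: str) -> bool:
    return value.strip().lower() in ("yes", "true", "1")


def _is_writable(share) -> bool:
    # Samba spells this three ways; 'read only = no' is the inverse form
    for key in ("writable", "writeable", "write ok"):
        if key in share:
            return _yes(share[key])
    return share.get("read only", "yes").strip().lower() == "no"


def audit_smb_conf(text: str) -> list:
    """Return human-readable findings for the settings discussed in the thread."""
    # smb.conf is INI-shaped; interpolation is off because Samba values may contain '%'
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}
    if not _yes(g.get("encrypt passwords", "no")):
        findings.append("global: encrypt passwords is off, so clients send the password in the clear")
    if not g.get("hosts allow"):
        findings.append("global: no hosts allow filter, every host on the network can reach smbd")
    for share in cp.sections():
        if share == "global":
            continue
        s = cp[share]
        if _yes(s.get("guest ok", "no")):
            findings.append(f"{share}: guest ok admits unauthenticated clients")
        if _is_writable(s) and not s.get("valid users"):
            findings.append(f"{share}: writable share without a valid users restriction")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        print(label, audit_smb_conf(conf) or ["no findings"])
```

The checker reads the same keys Samba does, so it can be pointed at a real /etc/samba/smb.conf by passing the file's contents to audit_smb_conf; it deliberately reports only the four controls raised in this discussion rather than trying to be a full smb.conf linter.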
Uhm, windows does not support ssl tunneled CIFS. Currently there are only two things that support it. See samba-2.0.7/docs/textdocs/SSLeay.txt. If you can show me documents that explain how to connect a windows computer to a samba server with ssl enabled, fine; until then samba's documentation says:
<start> Which clients are available that support SSL? ============================================= Currently there are only smbclient which is part of the samba package and Sharity. Sharity versions newer than 0.14 in the beta branch and 1.01 in the main branch can be compiled with SSLeay. Sharity is a CIFS/SMB client implementation for Unix. It is a commercial product, but it is available in source code and the demo-mode allows access to the first three layers of the mounted directory hierarchy. Licenses for universities and students are free. Sharity is available at </start>
Documentation is a good thing, but only if you read it.
-miah
On Mon, Oct 23, 2000 at 12:00:51PM -0600, Kurt Seifried wrote:
The problem is that the password is still transmitted over the network in clear text, thus anyone running a sniffer on the network may be able to get your passwords. Ideally, if you can have a Linux box on his end as well and then do a VPN using FreeS/WAN, you can be sure your communications are not being tapped. Otherwise, for me, I use a web based interface for users who want to upload their pages, using mod_dav and webrfm, and of course I use SSL for it.
Here we go merrily smoking crack again~
SMB can use encrypted passwords.
[seifried@stench seifried]$ grep pass /etc/samba/smb.conf
encrypt passwords = Yes
password server = 10.3.0.20
You can also SSL wrap all SMB communications (yes, windows supports it). From man smb.conf:
o ssl
o ssl CA certDir
o ssl CA certFile
o ssl ciphers
o ssl client cert
o ssl client key
o ssl compatibility
o ssl hosts
o ssl hosts resign
o ssl require clientcert
o ssl require servercert
o ssl server cert
o ssl server key
o ssl version
Kurt Seifried - seifried@securityportal.com SecurityPortal, your focal point for security on the net http://www.securityportal.com/
Uhm, windows does not support ssl tunneled CIFS. Currently there are only two things that support it. See samba-2.0.7/docs/textdocs/SSLeay.txt. If you can show me documents that explain how to connect a windows computer to a samba server with ssl enabled fine, until then samba's documentation says:
Crap. I could swear I read it does somewhere. Really. I did, I'm not hallucinating..... Ouch, that needle hurts. Hmmm. Nothing on google, or microsoft.com, I guess yer right =(. Well, you can use IPSec in any event; Linux sort of supports it (www.freeswan.org) and Windows has many cheap clients (PGP for example does IPSec). -Kurt
* Kurt Seifried wrote on Mon, Oct 23, 2000 at 14:29 -0600:
Well, you can use IPSec in any event; Linux sort of supports it (www.freeswan.org) and Windows has many cheap clients (PGP for example does IPSec).
Well, I think it's not a simple task to connect FreeS/WAN and the PGP Net stuff, is it? Did you do this? I've heard it's not that simple... With Windows 2000 it's much easier to connect to FreeS/WAN. But massive IPSec in a LAN is a bit of a big overhead when you only need encrypted passwords :) But this depends on the topology, i.e. if there may be access to the ethernet segment it's difficult to secure it. Maybe it's easier to protect the LAN and firewall the access, if possible. oki, Steffen -- This message was generated by machine and therefore bears neither signature nor seal.
Well, I think it's not a simple task to connect FreeS/WAN and the PGP Net stuff, is it? Did you do this? I've heard it's not that simple...
With Windows 2000 it's much easier to connect to FreeS/WAN. But massive IPSec in a LAN is a bit of a big overhead when you only need encrypted passwords :) But this depends on the topology, i.e. if there may be access to the ethernet segment it's difficult to secure it. Maybe it's easier to protect the LAN and firewall the access, if possible.
Samba/windows XXXX will do encrypted passwords fine, it's not 100% perfect (the LANMAN hash MS uses is "weak" no salt/etc, but it will stop 99% of attackers dead). IPSec is a bit harsh on the CPU, especially for the servers, however you can get cheap network cards (like intel 10/100 server adaptors for $100 US which do triple des stinky fast) which have crypt chips onboard to accelerate it, Windows and OpenBSD support them, Linux does not however =(. Sigh. And people wonder why I hate every OS on the planet =) They all suck!
oki,
Steffen
-Kurt
Well, I think it's not a simple task to connect FreeS/WAN and the PGP Net stuff, is it? Did you do this? I've heard it's not that simple...
I found it fairly simple to connect the FreeS/WAN package with SuSE 6.4 and PGPi 6.5.1 PGPNet. You have to adjust a couple of parameters in the PGP setup such as the perfect forward security setting. I did an online search for PGP and IPSec and found a FAQ that detailed exactly what to change. I think this URL: http://www.freeswan.org/freeswan_trees/freeswan-1.5/doc/compatibility.html helped with the setup. Stephen --- I can please only one person per day. Today is not your day. Tomorrow isn't looking good either.
At 05:28 PM 24/10/2000, you wrote:
* Kurt Seifried wrote on Mon, Oct 23, 2000 at 14:29 -0600:
Well, you can use IPSec in any event; Linux sort of supports it (www.freeswan.org) and Windows has many cheap clients (PGP for example does IPSec).
Well, I think it's not a simple task to connect FreeS/WAN and the PGP Net stuff, is it? Did you do this? I've heard it's not that simple...
I have done this.. It is not that difficult and there are docs linked from freeswan.org
With Windows 2000 it's much easier to connect to FreeS/WAN. But massive IPSec in a LAN is a bit of a big overhead when you only need encrypted passwords :) But this depends on the topology, i.e. if there may be access to the ethernet segment it's difficult to secure it. Maybe it's easier to protect the LAN and firewall the access, if possible.
oki,
Steffen
participants (14)
- Anibal Vasquez
- davi@avati.com.br
- Herman Knief
- Ian Golding
- jjohnson@penguincomputing.com
- Kurt Seifried
- Lars Trebing
- Nix
- Oliver Hensel
- Robert Casties
- semat
- Steffen Dettmer
- Stephen Thompson
- Thomas Michael Wanka