Diff for /wikisrc/tutorials/how_to_secure_samba_with_stunnel.mdwn between versions 1.1 (2011/11/20 20:55:21) and 1.2 (2012/02/05 07:14:36)

SMB, aka CIFS (Common Internet File System), is a ubiquitous file sharing mechanism, but in the form used here (SMB1 over ports 139/445) it is very insecure. All file contents are sent in the clear, and if you don't configure password encryption (`encrypt passwords = yes` in `smb.conf`), even passwords are sent as cleartext.

SMB1 has no built-in confidentiality: SMB signing, where it is enabled, protects message integrity but not the content, and the SMB3 encryption that later Samba 4 releases offer (`smb encrypt`) post-dates this guide and needs SMB3-capable clients. So we'll have to resort to external methods.

One of the nicer ways to secure Samba is by using [stunnel](http://www.stunnel.org). This is a little tool which listens on a port on the client machine and forwards all data sent to that port to another port/machine, encrypted with TLS (historically called SSL; stunnel is built on OpenSSL). Keep in mind that stunnel only protects the path between the two stunnel instances: what sits behind `localhost:139` at either end still speaks plain SMB, so both ends must be bound to the loopback interface, as done below.

**Contents**

[[!toc levels=2]]
   
#  Setting up the server

#  Configure samba

You set up the server just as you would normally, as described in [[How to set up a Samba Server]].

If you wish to allow _only_ secure traffic, make smbd listen on the loopback interface alone, so the only way in is through stunnel. Put the following in the `[global]` section of `smb.conf`:

    # Only listen on the loopback interface
    interfaces = 127.0.0.1
    bind interfaces only = yes
    # older (3.x) Samba releases also accept this shorter form
    socket address = 127.0.0.1

Check the result with `netstat -an | grep LISTEN`: ports 139 and 445 must show up on 127.0.0.1 only, not on `*` or the machine's real address.
   
#  Configure stunnel

You can install [security/stunnel](http://pkgsrc.se/security/stunnel) from [[pkgsrc/pkgsrc]]. Then you can copy `/usr/pkg/share/examples/stunnel/stunnel.conf-sample` to `/usr/pkg/etc/stunnel/stunnel.conf` and modify it to your needs. The following (stunnel 4 syntax) will be sufficient if you only need the bare minimum to get a secure samba setup:

    # Simple stunnel configuration for a secure samba setup
    # OpenSSL certificate *and* private key in one PEM file. stunnel reads it
    # as root before dropping privileges, so keep it mode 0600, owned by root.
    cert = /usr/pkg/etc/stunnel/stunnel.pem
    # Run chrooted as nobody (the directory must exist)
    chroot = /var/run/stunnel
    setuid = nobody
    setgid = nobody
    # This file is created after chrooting, i.e. it ends up as /var/run/stunnel/stunnel
    pid = /stunnel

    # Accept connections on port 800, on any interface. Anyone who can reach
    # port 800 gets a TLS session to smbd; Samba's own authentication is the
    # only access control unless you also require client certificates (verify/CAfile).
    [smb]
    accept  = 0.0.0.0:800
    # instead of port 139, port 445 will also work, unless you're using Mac OS X clients
    connect = localhost:139

Port 800 is an arbitrary choice; any unused port works as long as the clients use the same one.

As you can see, you'll need an SSL certificate/key. stunnel's `cert` option expects the key and the certificate in the one file named above, so point `-out` and `-keyout` at the same path (OpenSSL appends the certificate after the key when both name the same file), and make the result readable by root only:

    # openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
          -out /usr/pkg/etc/stunnel/stunnel.pem -keyout /usr/pkg/etc/stunnel/stunnel.pem
    # chmod 600 /usr/pkg/etc/stunnel/stunnel.pem

The certificate is self-signed, which is fine here: the clients will be told to trust exactly this certificate rather than a CA.

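As an added example (not part of the original page, and not stunnel's or Samba's own code), the certificate step as a small POSIX shell script that does what the one-liner above does and adds the checks you want before copying anything to clients: it writes key and certificate into the single PEM that `cert =` expects, makes it root-only, confirms that key and certificate actually belong together, prints the SHA-256 fingerprint to compare with the client over a trusted channel, and extracts the certificate alone for the clients' `CAfile`. The 2048-bit key, the ten-year validity, the CN and the `server-cert.pem` name are assumptions, not from the page.

```shell
#!/bin/sh
# Self-signed certificate for the stunnel server, with the checks to run
# before copying anything to clients. Added example, not the page's own
# commands. Assumptions: 2048-bit RSA, ten-year validity, a CN you choose,
# and "server-cert.pem" as the name of the certificate-only copy.
set -eu

# make_stunnel_cert OUTFILE CN
# Writes private key and certificate into one PEM file, which is what
# stunnel's "cert =" expects when no separate "key =" is given.
make_stunnel_cert() {
    out=$1
    cn=$2
    tmp=$(mktemp -d /tmp/stunnelcert.XXXXXX)
    (
        umask 077                     # key material is never world-readable
        openssl req -new -x509 -nodes -newkey rsa:2048 -days 3650 \
            -subj "/CN=$cn" -keyout "$tmp/key.pem" -out "$tmp/cert.pem" 2>/dev/null
        cat "$tmp/key.pem" "$tmp/cert.pem" > "$out"   # key first, then cert
    )
    chmod 600 "$out"
    rm -rf "$tmp"
}

# check_pem FILE
# The file must hold exactly one private key and one certificate, and the
# certificate's public key must be the one belonging to that private key.
check_pem() {
    f=$1
    [ "$(grep -c 'BEGIN .*PRIVATE KEY' "$f")" -eq 1 ] ||
        { echo "$f: expected exactly one private key" >&2; return 1; }
    [ "$(grep -c 'BEGIN CERTIFICATE' "$f")" -eq 1 ] ||
        { echo "$f: expected exactly one certificate" >&2; return 1; }
    kpub=$(openssl pkey -in "$f" -pubout)          # public key derived from the private key
    cpub=$(openssl x509 -in "$f" -noout -pubkey)   # public key inside the certificate
    [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] ||
        { echo "$f: private key and certificate do not match" >&2; return 1; }
}

# cert_fingerprint FILE
# SHA-256 fingerprint to read out to whoever sets up a client, so the copied
# certificate can be compared against the server's over a trusted channel.
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# extract_client_cert IN OUT
# The certificate alone, for "CAfile =" on the clients. Never ship the full
# stunnel.pem: it contains the private key.
extract_client_cert() {
    openssl x509 -in "$1" -out "$2"
    chmod 644 "$2"
}

# Server-side usage with the paths from this page's stunnel.conf:
#   make_stunnel_cert /usr/pkg/etc/stunnel/stunnel.pem smb.example.org
#   check_pem /usr/pkg/etc/stunnel/stunnel.pem
#   cert_fingerprint /usr/pkg/etc/stunnel/stunnel.pem
#   extract_client_cert /usr/pkg/etc/stunnel/stunnel.pem /tmp/server-cert.pem
```

Run `cert_fingerprint` on the server and again on the client's copy of `server-cert.pem` before trusting it: a client that pins a certificate it received over an untrusted channel is no better off than one that does not verify at all.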
   
#  Run stunnel

Just add `stunnel=yes` to your `/etc/rc.conf`:

    # echo "stunnel=yes" >> /etc/rc.conf
    # /etc/rc.d/stunnel start

**Warning**: stunnel is very silent. Even if it gets an error (an unreadable certificate, a port it cannot bind, a missing chroot directory) it will just fail silently. Check with `pgrep stunnel` that it's running and with `netstat -an | grep LISTEN` that port 800 is open. While debugging, add `debug = 7` and `output = /var/log/stunnel.log` to `stunnel.conf`, or set `foreground = yes` and start it by hand, to see what it complains about.
   
#  Configuring your clients

#  Unix clients

On a Unix client you simply install and run [security/stunnel](http://pkgsrc.se/security/stunnel) as described above. You'll need to swap the port numbers and put it in client mode. Since the server's certificate is self-signed, also tell stunnel to verify the server against a copy of that certificate: without `verify`, stunnel completes the TLS handshake with whatever answers on port 800, so anyone on the path can impersonate the server and collect your credentials and files. Copy only the certificate part of the server's `stunnel.pem` to the client (`openssl x509 -in stunnel.pem` prints just that part; never copy the private key). Your `stunnel.conf` should look like this:

    client = yes
    # check the server against its own certificate, copied from the server
    verify = 2
    CAfile = /usr/pkg/etc/stunnel/server-cert.pem
    [smb]
    accept = localhost:139
    connect = servername:800

This makes your client act as a samba server, to which you can connect. As soon as you connect to your machine, the data is encrypted and forwarded to `servername`. You can run stunnel from `rc.conf` just like on the server side. Keep `accept` on `localhost`: binding it to a real interface would offer everyone on your network an unencrypted entry into the tunnel.

Of course you can easily test it by connecting to localhost:

    # smbclient -U yoda //localhost/myshare

If that fails while `pgrep stunnel` shows both ends running, `openssl s_client -connect servername:800 </dev/null` tells you whether the TLS side is up at all, and with `verify` in place a certificate mismatch shows up in stunnel's log rather than as a silent connection drop.

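Because stunnel fails silently and these configs are easy to get subtly wrong, here is an added example (not from the page and not part of stunnel) that serves both the server configuration above and the client configurations: a POSIX shell/awk linter that reads an `stunnel.conf` on standard input and reports the mistakes discussed on this page: a `client` value that is not exactly `yes` or `no` (a stray `;` is enough), client mode without `verify` plus `CAfile`/`CApath` (the server is then never authenticated), a client-side `accept` not bound to loopback (plaintext SMB offered to the network), a server section without `cert`, and a server running without `chroot`/`setuid`. It understands stunnel 4 syntax (global options followed by `[service]` sections, with a service inheriting what it does not set) and also accepts stunnel 5's `verifyPeer`/`verifyChain` spellings. The three sample configs at the bottom are constructed for the demo.

```shell
#!/bin/sh
# stunnel_lint: read an stunnel.conf on stdin, print one finding per line,
# return 0 when clean and 1 otherwise. Added example, not stunnel's code.
# Assumes stunnel-style INI syntax: global "key = value" lines, then
# [service] sections; a service inherits any global option it does not set.
stunnel_lint() {
    awk '
    function eff(sec, key) {              # effective value for a service
        if ((sec, key) in s) return s[sec, key]
        if (key in g) return g[key]
        return ""
    }
    function loopback(a) {                # accept bound to loopback only?
        return a ~ /^(127\.[0-9.]+|localhost|\[::1\]):[0-9]+$/
    }
    function bad(sec, msg) { print "[" sec "] " msg; nbad++ }
    {
        line = $0
        sub(/\r$/, "", line)
        sub(/^[ \t]+/, "", line); sub(/[ \t]+$/, "", line)
        c = substr(line, 1, 1)
        if (line == "" || c == "#" || c == ";") next       # blank or comment
        if (c == "[") { sec = substr(line, 2, length(line) - 2); names[++nsec] = sec; next }
        eq = index(line, "=")
        if (eq == 0) { print "line " NR ": not key = value: " line; nbad++; next }
        key = substr(line, 1, eq - 1); val = substr(line, eq + 1)
        sub(/[ \t]+$/, "", key); sub(/^[ \t]+/, "", val)
        key = tolower(key)
        if (sec == "") g[key] = val; else s[sec, key] = val
    }
    END {
        for (i = 1; i <= nsec; i++) {
            sec = names[i]
            cl = tolower(eff(sec, "client"))
            if (cl != "" && cl != "yes" && cl != "no")
                bad(sec, "client = \"" cl "\": must be exactly yes or no")
            if (eff(sec, "accept") == "") bad(sec, "no accept")
            if (eff(sec, "connect") == "") bad(sec, "no connect")
            if (substr(cl, 1, 3) == "yes") {          # client side of the tunnel
                checks = (eff(sec, "verify") + 0 >= 2) || tolower(eff(sec, "verifypeer")) == "yes" || tolower(eff(sec, "verifychain")) == "yes"
                anchor = (eff(sec, "cafile") != "" || eff(sec, "capath") != "")
                if (!checks || !anchor)
                    bad(sec, "client mode without verify >= 2 (or verifyPeer) plus CAfile/CApath: the server is never authenticated")
                if (!loopback(eff(sec, "accept")))
                    bad(sec, "accept = " eff(sec, "accept") " is not loopback-only: plaintext SMB is offered to the network")
            } else {                                   # server side of the tunnel
                if (eff(sec, "cert") == "") bad(sec, "server mode without cert")
                if (eff(sec, "chroot") == "" || eff(sec, "setuid") == "")
                    bad(sec, "runs unconfined as root: set chroot, setuid and setgid")
            }
        }
        exit (nbad ? 1 : 0)
    }'
}

# Constructed sample: a client config with a typo (client=yes;) and no verification.
page_client_conf() {
    cat <<'EOF'
client=yes;
[smb]
accept=localhost:139
connect=servername:800
EOF
}

# Constructed sample: the server config from this page.
page_server_conf() {
    cat <<'EOF'
cert = /usr/pkg/etc/stunnel/stunnel.pem
chroot = /var/run/stunnel
setuid = nobody
setgid = nobody
pid = /stunnel
[smb]
accept  = 0.0.0.0:800
connect = localhost:139
EOF
}

# Constructed sample: a client config with the server certificate pinned
# (server-cert.pem is an assumed name for the certificate-only copy).
hardened_client_conf() {
    cat <<'EOF'
client = yes
verify = 2
CAfile = /usr/pkg/etc/stunnel/server-cert.pem
[smb]
accept = 127.0.0.1:139
connect = servername:800
EOF
}

# Demo when run directly: lint the three samples.
for cfg in page_client_conf page_server_conf hardened_client_conf; do
    echo "== $cfg"
    "$cfg" | stunnel_lint || echo "-- $cfg: fix before use"
done
```

On a real machine run it as `stunnel_lint < /usr/pkg/etc/stunnel/stunnel.conf` on both ends; the first sample produces two findings (the malformed `client` value and the missing verification), the other two pass.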
   
#  Windows clients

Connecting a Windows client to samba over stunnel is a major hassle. Some background on why this is a problem is in order.

When Windows is booted, the kernel binds a socket to port 445 on every **real** (this is important as we'll see later on) network interface. This means that no other process can ever bind this port (try it, you'll get a "permission denied" message). This would mean we need to use another port for our fake "shared folder". Unfortunately, the Windows file manager has no way to specify which port to use when you click "map network drive", so that's not an option.

Luckily for us, Windows has the following odd behaviour: when you click "map network drive" in the file manager, it will first try to connect to port 445. When it finds no service listening there, it will fall back to port 139. Only when that has no service listening either will it tell the user it couldn't connect. We will "abuse" this behaviour by tricking it into using this port.

Simply binding stunnel to port 139 is impossible, because of the Windows behaviour where it binds ports 139 and 445 on every interface, even if no actual files are being shared. It turns out that it doesn't do this on loopback network devices. To install one, follow this set of instructions:

  1. Open the "add hardware" wizard from the control panel.
  2. Wait for it to search in vain for new hardware.
  3. Tell it "yes, I've already connected my hardware" or the wizard will end...
  4. Pick "add a new device" from the bottom of the list.
  5. Don't let Windows search for the hardware but choose it from a list ("Advanced").
  6. Pick the category "Network adapters".
  7. Choose "Microsoft loopback adapter".

When our new "hardware" is installed, you need to assign it an IP and disable NetBIOS activity on it:

  1. Open the "properties" dialog from the context menu in the "network connections" overview.
  2. Deselect all bindings except the TCP/IP ones. Typically you'll need to deselect "Client for Microsoft networks" and "File and printer sharing".
  3. Select "TCP/IP", and then "settings" (or "properties").
  4. Choose any private network IP address you'll never see in any real network (10.232.232.232 is a good example).
  5. Click "Advanced...".
  6. Choose the tab titled "WINS".
  7. Under "NetBIOS settings", click on "Disable NetBIOS over TCP/IP".

Finally, we can install stunnel (Windows binaries are available from [stunnel.org](http://www.stunnel.org)). Put this in the `stunnel.conf` file; as on Unix, `verify` and `CAfile` make stunnel check the server against a copy of its certificate (the path below is only an example, use wherever you put the copied `server-cert.pem`):

    client = yes
    verify = 2
    CAfile = C:\stunnel\server-cert.pem
    [smb]
    accept = 10.232.232.232:139
    connect = servername:800

It is advisable to install the stunnel service so it will start on system boot, which means it will be (semi-)transparent to the user.

To connect to the server, just open up the "map network drive" dialog and enter `\\10.232.232.232\sharename` in the "computer name" box. To make this process a little more user-friendly, think up a hostname and stick it in `%SystemRoot%\system32\drivers\etc\hosts` (Windows NT/2000/XP, where `%SystemRoot%` is `\winnt` or `\windows` depending on the release) or `\windows\hosts` (Windows 9x). The format of this file is exactly like `/etc/hosts` on Unix.
   
#  References

  * [stunnel website; how to create an SSL key](http://www.stunnel.org/faq/certs.html#ToC5)
  * [A mail on FreeBSD-questions from someone who found out how to do this after many months](http://lists.freebsd.org/pipermail/freebsd-questions/2006-May/120797.html)
   
