Version 1.0 April 2009
VSSN Advanced Technology Center
©Copyright 2009 Hewlett-Packard Company
HP CIFS Server
and
Legal Notices
The information in this document is subject to change without notice.
Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.
Warranty. A copy of the specific warranty terms applicable to your Hewlett-Packard product and replacement parts can be obtained from your local Sales and Service Office.
Restricted Rights Legend. Use, duplication or disclosure by the U.S. Government is subject to restrictions as set forth in subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and subparagraphs (c) (1) and (c) (2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19 for other agencies.
Hewlett-Packard Company, 19420 Homestead Road, Cupertino, California 95014 U.S.A.
Use of this manual and flexible disk(s) or tape cartridge(s) supplied for this pack is restricted to this product only. Additional copies of the programs may be made for security and back-up purposes only. Resale of the programs in their present form or with alterations, is expressly prohibited.
Copyright Notices
©copyright 1983-2009 Hewlett-Packard Company, all rights reserved.
Reproduction, adaptation, or translation of this document without prior written permission is prohibited, except as allowed under the copyright laws.
©copyright 1979, 1980, 1983, 1985-96, 2000 Regents of the University of California. This software is based in part on the Fourth Berkeley Software Distribution under license from the regents of the University of California. ©copyright 1986-2009 Microsoft, Inc.
Table of Contents
Legal Notices ... 2
Table of Contents ... 3
Introduction ... 4
Overview ... 5
HP CIFS Server Configuration ... 6
Secure Shell ... 6
Configuration... 6
Windows Client Configuration ... 8
Windows Loopback Adapter... 8
Loopback Adapter Properties... 12
Non-Plug and Play Drivers... 14
Client Proxy Server Configuration ... 16
Putty SSH Client Configuration... 17
CIFS/Samba Share Access ... 20
Connection Details... 21
Introduction
HP CIFS Server with Windows or other Server Message Block (SMB) clients does not have configurable encryption options for data transmitted over the wire, and therefore SMB is not considered a secure protocol. SMB2, enabled in Windows 2008 and Vista, does not add encryption capability. For installations that require over-the-wire data encryption for SMB client-server connections, a custom deployment is required.
A custom deployment for SMB-connection data transmission can be accomplished using free-of-charge and commonly available components. However, the configuration is not persistent over connections or reboots and actually may temporarily disable some client functionality (like web browsing). In addition, the details are borderline confusing and may not be appropriate for the average enterprise user.
Use this paper as a task-driven example of how to configure an encrypted Vista client SMB connection to an HP CIFS Server share.
Overview
Configuring an encrypted SMB session is often referred to as "tunneling", and usually employs Secure Shell (SSH) on the client and server. The following deployment uses an SSH client (Putty) on Windows Vista, and HP-UX SSH on the HP CIFS Server. Kerberos authentication is used for the Windows domain user access.
HP CIFS Server (Samba) is highly configurable and flexible, and thus has many possible configuration scenarios. The following tunneling deployment is shown using Windows Active Directory as the authenticating domain, and the HP CIFS Server (and HP-UX) participating in the domain under Unified Login domain membership. Details on Kerberos authentication of HP CIFS Server and Unified Login can be retrieved from the following whitepapers:
http://www.docs.hp.com/en/14985/HPCIFSKerberosV105.pdf
http://www.docs.hp.com/en/15204/CIFSUnifiedLogin.pdf
The following configuration components are used for this example of SMB SSH tunneling:
HP-UX 11iv3
HP CIFS Server version A.02.04 (Samba 3.0.30)
HP CIFS Server version A.02.03.04 (Samba 3.0.22 plus various fixes up to 3.0.28a)
HP CIFS Server Unified Login Configuration
Windows 2003R2 Active Directory Domain
Windows Vista SP1
Putty version 0.60
Mozilla version 3.0.8
HP CIFS Server Configuration
The HP CIFS Server configuration used in this example is the same configuration from the “Integrate Logins with HP CIFS Server, HP-UX, and Windows 2003R2” whitepaper, located here:
http://www.docs.hp.com/en/15204/CIFSUnifiedLogin.pdf
The CIFS Server uses Kerberos for authentication against a Microsoft Windows 2003R2 KDC and domain controller.
Secure Shell
HP-UX Secure Shell supports several authentication methods. For this example SSH will be configured using Kerberos authentication because it integrates into the same existing Unified Login design that has been shown for CIFS and Secure Internet Services. While SSH uses the same secure authentication protocol as CIFS authentication, it provides additional security by encrypting data transfers over the SSH tunnel. The tunneling feature of SSH has many configuration options, but the purpose of this example is to show how to integrate Windows-initiated server-side tunneling; therefore, primarily default SSH options will be used.
HP-UX SSH is a separate product that must be installed on the tunneling server. In this example, a tunnel will be created between our HP-UX CIFS Server and Windows client.
HP-UX Secure Shell (SSH)
# swlist -l product | grep -i secure
Secure_Shell A.05.10.007 HP-UX Secure Shell
NOTE: Like the other HP-UX software products, SSH is available for free at www.software.hp.com.
Configuration
SSH using Kerberos authentication is compatible with the default configuration file settings. The SSH configuration files are:
/opt/ssh/etc/ssh_config
/opt/ssh/etc/sshd_config
Verify that the /opt/ssh/etc/sshd_config file has these settings:
PasswordAuthentication yes
UsePAM yes
KerberosAuthentication yes
Now /etc/pam.conf must be modified to enable SSH. Add the following lines to the authentication section:
sshd auth required libpam_hpsec.so.1
sshd auth sufficient libpam_krb5.so.1
Add the following lines to the account section:
sshd account required libpam_hpsec.so.1
sshd account sufficient libpam_krb5.so.1
sshd account required libpam_unix.so.1
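A small checker for the two files above, added here as an example and not part of the HP paper: it parses sshd_config and pam.conf text and reports which of the required settings and sshd entries are missing, so the server side can be verified before the tunnel is attempted. The sample inputs are constructed.

```python
# Added example (not from the HP paper): verify the sshd_config settings and
# /etc/pam.conf entries the paper requires for Kerberos-authenticated SSH.
import re

REQUIRED_SSHD = {
    "passwordauthentication": "yes",
    "usepam": "yes",
    "kerberosauthentication": "yes",
}

# (service, type, control, module) entries the paper adds to /etc/pam.conf
REQUIRED_PAM = [
    ("sshd", "auth", "required", "libpam_hpsec.so.1"),
    ("sshd", "auth", "sufficient", "libpam_krb5.so.1"),
    ("sshd", "account", "required", "libpam_hpsec.so.1"),
    ("sshd", "account", "sufficient", "libpam_krb5.so.1"),
    ("sshd", "account", "required", "libpam_unix.so.1"),
]

def parse_sshd_config(text):
    """Return {lowercase keyword: value}; as in OpenSSH, the first occurrence wins."""
    settings = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        if len(parts) == 2:
            settings.setdefault(parts[0].lower(), parts[1].strip())
    return settings

def missing_sshd_settings(text):
    """List 'keyword expected (found X)' for required settings absent or wrong."""
    found = parse_sshd_config(text)
    return [f"{k} {v} (found {found.get(k, 'unset')})"
            for k, v in REQUIRED_SSHD.items() if found.get(k, "").lower() != v]

def missing_pam_entries(text):
    """List required sshd pam.conf entries that do not appear in text."""
    present = set()
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 4:
            present.add(tuple(fields[:4]))
    return [" ".join(e) for e in REQUIRED_PAM if e not in present]

# Constructed samples: KerberosAuthentication left commented out, and a pam.conf
# missing the account-section libpam_unix.so.1 entry.
SAMPLE_SSHD = "Port 22\nPasswordAuthentication yes\nUsePAM yes\n#KerberosAuthentication yes\n"
SAMPLE_PAM = ("sshd auth required libpam_hpsec.so.1\nsshd auth sufficient libpam_krb5.so.1\n"
              "sshd account required libpam_hpsec.so.1\nsshd account sufficient libpam_krb5.so.1\n")
```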
Our existing CIFS Server Kerberos krb5.conf and krb5.keytab files (from the Unified Login configuration) are compatible with SSH, so using our existing configuration, the systems are ready to execute an SSH tunnel using Kerberos authentication.
No other special CIFS or HP-UX configuration is required.
Windows Client Configuration
The SSH client for Windows is Putty, which is a free client application that provides SSH, Telnet, and a terminal emulator. Use Putty version 0.60, which can be downloaded from:
http://www.chiark.greenend.org.uk/~sgtatham/putty/
Putty will be used to configure the SSH tunnel from the Windows client to the HP CIFS Server.
Windows Loopback Adapter
The tunneling solution on the client requires redirecting port 139 (for Windows XP) or ports 139 and 445 (for Windows Vista). Doing this without disabling file sharing on the client requires the installation of a Network Loopback Adapter. Fortunately this is easy to do, and does not require additional downloads.
From the Windows Vista Control Panel, open the Device Manager, select the computer name, right click and choose “Add legacy hardware”.
Select “Install the hardware that I manually select from a list (Advanced)”.
Choose Microsoft Loopback Adapter.
Now the Vista client has a Loopback Adapter installed, which is visible from the Vista Network and Sharing Center (see screenshot in the next section).
Loopback Adapter Properties
After the Loopback Adapter is added, the network properties must be configured. Open the Network and Sharing Center, then select the properties for the new local area network connection – this will likely be Local Area Connection 2.
Now enter a dummy IP address for the Loopback adapter – 10.0.0.1 is often used.
Non-Plug and Play Drivers
The next step is to go back to the Vista Device Manager and configure the “Non-Plug and Play TCP/IP Driver”. First, select "Show Hidden Devices" on the Device Manager.
Select "Message-Oriented TCP/IP and TCP/IPv6 (SMB Session)".
Client Proxy Server Configuration
Next we remove any client proxy server configuration. Using Mozilla or Explorer, go to the LAN connection settings screen (Mozilla is shown).
Putty SSH Client Configuration
Start your Putty client, and prepare to save your SSH client configuration so that it can easily be reloaded. This saved configuration must be loaded for every instance of the SSH connection to a specific server. When the Putty connection is terminated, the SSH tunnel is lost and must be re-started when Putty is executed again, so saving the configuration for an easy reload is the recommended practice.
Below, the saved SSH tunnel configuration is "loopbacksmb139_445". Select SSH as the connection type and enter the CIFS Server IP address or host name.
Next, select SSH and expand the Tunnels option. Observe the "Forwarded ports:" window in the graphic below; by default this window is blank. Enter the following data to achieve a correct configuration: in the "Source port" window, enter "10.0.0.1:139" (this is confusing because the window is too small for the text and because Putty prefixes the entry with "L" for a local forward); next, in the "Destination" window enter "SambaServer.hp.com:139" (substitute your server name or IP address). Now click "Add". Repeat the exact same operation with port 445 in place of 139 (445 is required for Vista, but not required for XP).
Now return to the Session screen, select "loopbacksmb139_445", and click Save. For subsequent connections, simply select loopbacksmb139_445 and click Load, then Open.
Now click "Open". The client Putty session must have an open connection to the server for the tunnel to be active.
The Putty session login screen will pop up. Log onto the HP-UX server as your CIFS/Samba username. In this case, the username is "buffy", and is an Active Directory user with POSIX attributes (as configured in the Unified Login whitepaper).
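The two forwards configured in Putty above, expressed as an added example that is not part of the HP paper: it builds the per-port forward list (139 for XP, 139 and 445 for Vista), shows the equivalent OpenSSH `-L bind:port:host:hostport` command line, and checks that a listener is actually accepting connections on the loopback adapter before the share is mapped. The loopback address 10.0.0.1 and the server name SambaServer.hp.com are the paper's placeholders; the test listener is constructed locally.

```python
# Added example (not from the HP paper): derive the Putty tunnel forwards for the
# client OS, show the OpenSSH equivalent, and probe the loopback listeners.
import socket

LOOPBACK_IP = "10.0.0.1"            # dummy address assigned to the loopback adapter
CIFS_SERVER = "SambaServer.hp.com"  # placeholder from the paper; substitute your server
VISTA_PORTS = (139, 445)            # Vista needs both; XP needs only 139
XP_PORTS = (139,)

def forwards_for(client_os, loopback_ip=LOOPBACK_IP, server=CIFS_SERVER):
    """Return (listen_ip, listen_port, server, server_port) tuples, one per port,
    matching the Source/Destination pairs entered on Putty's Tunnels page."""
    ports = VISTA_PORTS if client_os.lower() == "vista" else XP_PORTS
    return [(loopback_ip, p, server, p) for p in ports]

def openssh_command(user, client_os, loopback_ip=LOOPBACK_IP, server=CIFS_SERVER):
    """Equivalent ssh(1) invocation: one -L bind:port:host:hostport per forward."""
    opts = " ".join(f"-L {lip}:{lp}:{srv}:{sp}"
                    for lip, lp, srv, sp in forwards_for(client_os, loopback_ip, server))
    return f"ssh -N {opts} {user}@{server}"

def listener_up(ip, port, timeout=1.0):
    """True if a TCP listener (the Putty tunnel end) accepts connections on ip:port."""
    try:
        with socket.create_connection((ip, port), timeout=timeout):
            return True
    except OSError:
        return False

def tunnel_status(client_os, loopback_ip=LOOPBACK_IP):
    """Map each required loopback port to whether its listener is reachable;
    a False entry means the Putty session is closed or the forward was not added."""
    return {lp: listener_up(lip, lp) for lip, lp, _, _ in forwards_for(client_os, loopback_ip)}

def start_test_listener(ip="127.0.0.1"):
    """Bind an ephemeral listening socket so the probe can be exercised offline."""
    srv = socket.socket()
    srv.bind((ip, 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]

if __name__ == "__main__":
    print(openssh_command("buffy", "vista"))
    print(tunnel_status("vista"))
```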
CIFS/Samba Share Access
The SSH tunnel will be established from the client Loopback Adapter to the HP CIFS Server, and a share can be opened to the server. Click the Vista icon on the Desktop lower left-hand corner and choose “run” or the "Start Search" window. Enter the IP address of the Loopback Adapter as a UNC name.
Click “OK”. The subsequent Explorer window will display the exported services from the HP CIFS Server. The client will only have access to those services for which the user has HP-UX permissions, either via the ugo (user/group/other) mode bits or via ACLs.
Connection Details
The Vista client has an open connection over the Putty SSH tunnel to the HP CIFS Server through the Secure Shell daemon. Below is the output from an HP CIFS Server smbstatus command that shows the smbd process for the open connection. Note that the process shows an open service for multiple server shares - the server port entry allows for the single mount of all available services, although individual permissions would prohibit or allow access to actual server directories.
Observe this Wireshark trace of a Vista client read of a CIFS Server file called "Sunnydale". The text of the file is the string "Sunnydale", although the text could also be confidential credit card data, health care patient records, or sensitive company financial reports. The standard Windows SMB session transmits data in the clear over an SMB connection to the server, so this data could be visible in a multitude of common client-server connection scenarios, including this example.
Observe the same file access over an SSH connection as described above. The data is encrypted and unintelligible when sniffed from the network. Sensitive data is protected using the tunneling configuration as described above.
Summary
The tunneling procedure above provides an encrypted connection over the SMB protocol from a Windows Vista or XP client to an HP CIFS Server. Although the procedure tasks are explained in detail, this process is not quick or easy for the average enterprise user. However, the value of a secure SMB session for critical users in specific connectivity scenarios makes the complexity worthwhile.
This paper will be updated with the topics:
Client-Server SMB data encryption with IPSec
HP CIFS Client and Server SMB data encryption
© 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.