HP CIFS Server and Encrypting Client Connections

Version 1.0 April 2009

VSSN Advanced Technology Center

©Copyright 2009 Hewlett-Packard Company

HP CIFS Server and Encrypting Client Connections

Legal Notices

The information in this document is subject to change without notice.

Hewlett-Packard makes no warranty of any kind with regard to this manual, including, but not limited to, the implied warranties of merchantability and fitness for a particular purpose. Hewlett-Packard shall not be held liable for errors contained herein or direct, indirect, special, incidental or consequential damages in connection with the furnishing, performance, or use of this material.

Warranty. A copy of the specific warranty terms applicable to your Hewlett-Packard product and replacement

parts can be obtained from your local Sales and Service Office.

Restricted Rights Legend. Use, duplication or disclosure by the U.S. Government is subject to restrictions as

set forth in subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013 for DOD agencies, and subparagraphs (c) (1) and (c) (2) of the Commercial Computer Software Restricted Rights clause at FAR 52.227-19 for other agencies.

Hewlett-Packard Company 19420 Homestead Road

Cupertino, California 95014 U.S.A.

Use of this manual and flexible disk(s) or tape cartridge(s) supplied for this pack is restricted to this product only. Additional copies of the programs may be made for security and back-up purposes only. Resale of the programs in their present form or with alterations, is expressly prohibited.

Copyright Notices

©copyright 1983-2009 Hewlett-Packard Company, all rights reserved.

Reproduction, adaptation, or translation of this document without prior written permission is prohibited, except as allowed under the copyright laws.

©copyright 1979, 1980, 1983, 1985-96, 2000 Regents of the University of California. This software is based in part on the Fourth Berkeley Software Distribution under license from the regents of the University of California. ©copyright 1986-2009 Microsoft, Inc.


Table of Contents

Legal Notices
Table of Contents
Introduction
Overview
HP CIFS Server Configuration
    Secure Shell
    Configuration
Windows Client Configuration
    Windows Loopback Adapter
    Loopback Adapter Properties
    Non-Plug and Play Drivers
    Client Proxy Server Configuration
    Putty SSH Client Configuration
CIFS/Samba Share Access
    Connection Details

Introduction

HP CIFS Server with Windows or other Server Message Block (SMB) clients does not have configurable encryption options for data being transmitted over the wire, and therefore SMB is not considered a secure protocol. SMB2, as enabled in Windows 2008 and Vista, does not add encryption capability. For installations that require over-the-wire data encryption for SMB client-server connections, a custom deployment is required.

A custom deployment for SMB-connection data transmission can be accomplished using free-of-charge and commonly available components. However, the configuration is not persistent over connections or reboots and actually may temporarily disable some client functionality (like web browsing). In addition, the details are borderline confusing and may not be appropriate for the average enterprise user.

Use this paper as a task-driven example of how to configure an encrypted Vista client SMB connection to an HP CIFS Server share.


Overview

Configuring an encrypted SMB session is often referred to as "tunneling", and usually employs Secure Shell (SSH) on the client and server. The following deployment uses an SSH client (Putty) on Windows Vista, and HP-UX SSH on the HP CIFS Server. Kerberos authentication is used for the Windows domain user access.

HP CIFS Server (Samba) is highly configurable and flexible, and thus has many possible configuration scenarios. The following tunneling deployment is shown using Windows Active Directory as the authenticating domain, and the HP CIFS Server (and HP-UX) participating in the domain under Unified Login domain membership. Details on Kerberos authentication of HP CIFS Server and Unified Login can be retrieved from the following whitepapers:

http://www.docs.hp.com/en/14985/HPCIFSKerberosV105.pdf
http://www.docs.hp.com/en/15204/CIFSUnifiedLogin.pdf

The following configuration components are used for this example of SMB SSH tunneling:

- HP-UX 11iv3
- HP CIFS Server version A.02.04 (Samba 3.0.30)
- HP CIFS Server version A.02.03.04 (Samba 3.0.22 plus various fixes up to 3.0.28a)
- HP CIFS Server Unified Login Configuration
- Windows 2003R2 Active Directory Domain
- Windows Vista SP1
- Putty version 0.60
- Mozilla version 3.0.8

HP CIFS Server Configuration

The HP CIFS Server configuration used in this example is the same configuration from the “Integrate Logins with HP CIFS Server, HP-UX, and Windows 2003R2” whitepaper, located here:

http://www.docs.hp.com/en/15204/CIFSUnifiedLogin.pdf

CIFS Server is using Kerberos for authentication, and a Microsoft Windows 2003R2 KDC and domain controller.

Secure Shell

HP-UX Secure Shell supports several authentication methods. For this example SSH will be configured using Kerberos authentication because it integrates into the same existing Unified Login design that has been shown for CIFS and Secure Internet Services. While SSH uses the same secure authentication protocol as used in CIFS authentication, it provides additional security by encrypting data transfers over the SSH tunnel. The tunneling feature of SSH has many configuration options, but the purpose of this example is to show how to integrate Windows-initiated server-side tunneling. Therefore, primarily default SSH options will be used.

HP-UX SSH is a separate product that must be installed on the tunneling server. In this example, a tunnel will be created between our HP-UX CIFS Server and Windows client.

HP-UX Secure Shell (SSH)

# swlist -l product | grep -i secure
Secure_Shell A.05.10.007 HP-UX Secure Shell

NOTE: Like the other HP-UX software products, SSH is available for free at www.software.hp.com.

Configuration

SSH using Kerberos authentication is compatible with the default configuration file settings. The SSH configuration files are:

/opt/ssh/etc/ssh_config
/opt/ssh/etc/sshd_config

Verify that the /opt/ssh/etc/sshd_config file has these settings:

PasswordAuthentication yes
UsePAM yes
KerberosAuthentication yes

Now /etc/pam.conf must be modified to enable SSH. Add the following lines to the authentication section:

sshd auth required libpam_hpsec.so.1
sshd auth sufficient libpam_krb5.so.1

Add the following lines to the account section:

sshd account required libpam_hpsec.so.1
sshd account sufficient libpam_krb5.so.1
sshd account required libpam_unix.so.1

Our existing CIFS Server Kerberos krb5.conf and krb5.keytab files (from the Unified Login configuration) are compatible with SSH, so using our existing configuration, the systems are ready to execute an SSH tunnel using Kerberos authentication.

No other special CIFS or HP-UX configuration is required.
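Before opening the tunnel it is worth confirming that the server side actually carries the settings listed above, since sshd keeps the first occurrence of a keyword and PAM evaluates its stack in order. The following script is an added example, not HP's own tooling: it parses an sshd_config and an HP-UX style pam.conf and reports any required entry that is absent, wrong, or out of order. The two sample files embedded in it are constructed for illustration; real paths can be passed as arguments.

```python
"""Pre-flight check for the HP-UX side of the tunnel: the sshd_config
keywords and the sshd stacks in /etc/pam.conf that this paper requires.

Added example, not HP's own tooling. The two sample files below are
constructed; pass real paths as arguments to check a live system:
    python check_ssh_krb.py /opt/ssh/etc/sshd_config /etc/pam.conf
"""
import re
import sys
from typing import Dict, List, Optional, Tuple

# sshd_config keywords the paper says must be set (keys are case-insensitive).
REQUIRED_SSHD = {
    "passwordauthentication": "yes",
    "usepam": "yes",
    "kerberosauthentication": "yes",
}

# pam.conf entries for sshd, per section, in the order the paper adds them.
REQUIRED_PAM = {
    "auth": [("required", "libpam_hpsec.so.1"),
             ("sufficient", "libpam_krb5.so.1")],
    "account": [("required", "libpam_hpsec.so.1"),
                ("sufficient", "libpam_krb5.so.1"),
                ("required", "libpam_unix.so.1")],
}

# Constructed sample: the second KerberosAuthentication line is ignored by
# sshd because the first occurrence of a keyword wins.
SAMPLE_SSHD_CONFIG = """\
Port 22
PasswordAuthentication yes
UsePAM yes
KerberosAuthentication no
# a later duplicate does not override the line above
KerberosAuthentication yes
"""

# Constructed sample: the account section lacks the libpam_krb5 line.
SAMPLE_PAM_CONF = """\
sshd auth required libpam_hpsec.so.1
sshd auth sufficient libpam_krb5.so.1
sshd auth required libpam_unix.so.1
sshd account required libpam_hpsec.so.1
sshd account required libpam_unix.so.1
"""


def parse_sshd_config(text: str) -> Dict[str, str]:
    """Global keyword -> value map of an sshd_config (first occurrence wins).

    Keywords may be separated from values by whitespace or '='. Everything
    after a 'Match' line is conditional, so parsing stops there.
    """
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        key = parts[0].lower()
        if key == "match":
            break
        value = parts[1].strip() if len(parts) > 1 else ""
        settings.setdefault(key, value)
    return settings


def check_sshd_config(text: str) -> List[str]:
    """List required sshd_config keywords that are missing or have the wrong value."""
    settings = parse_sshd_config(text)
    problems = []
    for key, wanted in REQUIRED_SSHD.items():
        actual = settings.get(key)
        if actual is None:
            problems.append(f"{key}: not set")
        elif actual.lower() != wanted:
            problems.append(f"{key}: is '{actual}', need '{wanted}'")
    return problems


def parse_pam_conf(text: str) -> Dict[Tuple[str, str], List[Tuple[str, str]]]:
    """Map (service, type) -> ordered [(control, module), ...] from a pam.conf."""
    stacks: Dict[Tuple[str, str], List[Tuple[str, str]]] = {}
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue
        service, ptype, control, module = fields[:4]
        stacks.setdefault((service.lower(), ptype.lower()), []).append((control.lower(), module))
    return stacks


def _missing_in_order(wanted, actual) -> Optional[Tuple[str, str]]:
    """First wanted entry that does not appear, in sequence, within actual."""
    pos = 0
    for entry in actual:
        if pos < len(wanted) and entry == wanted[pos]:
            pos += 1
    return None if pos == len(wanted) else wanted[pos]


def check_pam_conf(text: str, service: str = "sshd") -> List[str]:
    """Report PAM sections where the paper's sshd lines are absent or out of order.

    Order matters: hpsec 'required' must precede the Kerberos 'sufficient' entry,
    so this checks the sequence rather than mere membership. Extra lines are allowed.
    """
    stacks = parse_pam_conf(text)
    problems = []
    for ptype, wanted in REQUIRED_PAM.items():
        missing = _missing_in_order(wanted, stacks.get((service, ptype), []))
        if missing is not None:
            problems.append(f"{service} {ptype}: missing {missing[0]} {missing[1]} (or out of order)")
    return problems


if __name__ == "__main__":
    sshd_text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SSHD_CONFIG
    pam_text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_PAM_CONF
    for problem in check_sshd_config(sshd_text) + check_pam_conf(pam_text):
        print("PROBLEM:", problem)
```

Run against the embedded samples it reports two problems: KerberosAuthentication is effectively "no" despite the later "yes" line, and the sshd account stack lacks the sufficient libpam_krb5.so.1 entry. A tunnel attempted in that state would fail Kerberos login to the server rather than silently fall back to something weaker, but checking first saves a round of PuTTY debugging.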


Windows Client Configuration

The SSH client for Windows is Putty, which is a free client application that provides SSH, Telnet, and a terminal emulator. Use Putty version 0.60, which can be downloaded from:

http://www.chiark.greenend.org.uk/~sgtatham/putty/

Putty will be used to configure the SSH tunnel from the Windows client to the HP CIFS Server.

Windows Loopback Adapter

The tunneling solution on the client requires the re-direction of port 139 (for Windows XP) and 139 plus 445 (for Windows Vista). To do this without disabling file sharing on the client requires the installation of a Network Loopback Adapter. Fortunately this is easy to do, and does not require additional downloads.

From the Windows Vista Control Panel, open the Device Manager, select the computer name, right click and choose “Add legacy hardware”.


Select “Install the hardware that I manually select from a list (Advanced)”.

Choose Microsoft Loopback Adapter.

Now the Vista client has a Loopback Adapter installed, which is visible from the Vista Network and Sharing Center (see screenshot in the next section).


Loopback Adapter Properties

After the Loopback Adapter is added, the network properties must be configured. Open the Network and Sharing Center, then select the properties for the new local area network connection – this will likely be Local Area Connection 2.


Now enter a dummy IP address for the Loopback adapter – 10.0.0.1 is often used.


Non-Plug and Play Drivers

The next step is to go back to the Vista Device Manager and configure the “Non-Plug and Play TCP/IP Driver”. First, select "Show Hidden Devices" on the Device Manager.


Select "Message-Oriented TCP/IP and TCP/IPv6 (SMB Session)".


Client Proxy Server Configuration

Next we remove any client proxy server configuration. Using Mozilla or Explorer, go to the LAN connection settings screen (Mozilla is shown).


Putty SSH Client Configuration

Start your Putty client, and prepare to save your SSH client configuration so that it is easily available to re-configure. This saved configuration must be enabled for every instance of the SSH connection to a specific server. When the Putty connection is terminated, the SSH tunnel is lost and must be re-started when Putty is executed again, so saving the configuration for an easy re-load is the recommended practice.

Below, the saved SSH tunnel configuration is "loopbacksmb139_445". Select SSH as the connection type and the CIFS Server IP address or host name.


Next, select SSH and expand the Tunnels option. Observe the "Forwarded ports:" window in the graphic below. By default this window is blank. Enter the following data to achieve a correct configuration: in the "Source port" window, enter "10.0.0.1:139" (this is confusing because the window is too small for the text and because Putty itself prefixes the entry with "L"); next, in the "Destination" window enter "SambaServer.hp.com:139" (substitute your server name or IP address). Now click "Add". Repeat the exact same operation with port 139 replaced by 445 (445 is required for Vista, but not required for XP).

Now return to the Session screen, select "loopbacksmb139_445", and click Save. For subsequent connections, simply select loopbacksmb139_445 and click Load, then Open.


Now click "Open". The client Putty session must have an open connection to the server for the tunnel to be active.

The Putty session login screen will pop up. Log onto the HP-UX server as your CIFS/Samba username. In this case, the username is "buffy", and is an Active Directory user with POSIX attributes (as configured in the Unified Login whitepaper).

CIFS/Samba Share Access

The SSH tunnel will be established from the client Loopback Adapter to the HP CIFS Server, and a share can be opened to the server. Click the Vista icon on the Desktop lower left-hand corner and choose “run” or the "Start Search" window. Enter the IP address of the Loopback Adapter as a UNC name.

Click “OK”. The subsequent Explorer window will display the exported services from the HP CIFS Server. The client will only have access to those services for which the user has HP-UX permissions, either via ugo or ACLs.
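The two PuTTY tunnel entries above are local forwards, and the share only travels through them when the UNC name is the loopback address rather than the server's own name. The following script is an added example (not part of HP's paper) that states the same forwards in OpenSSH "-L" form and then checks a Windows "netstat -an" listing from the client for the expected state: PuTTY listening on 10.0.0.1:139 and 10.0.0.1:445, one established connection to the server's port 22, and no established connection straight to the server's SMB ports, which would mean the share was opened outside the tunnel and is on the wire in the clear. The netstat lines embedded in it are constructed; the server must be given as the IP address netstat prints, not as a host name.

```python
"""Client-side view of the SMB-over-SSH tunnel described in the paper.

Added example, not HP's tooling. SAMPLE_NETSTAT is a constructed
'netstat -an' listing in the Windows layout; a real one can be piped in:
    netstat -an > ns.txt && python tunnel_check.py ns.txt 10.0.0.1 192.168.1.10
"""
import sys
from typing import Dict, List, Tuple

LOOPBACK_IP = "10.0.0.1"          # dummy address given to the loopback adapter
SERVER_NAME = "SambaServer.hp.com"  # assumed name; substitute your CIFS Server
SMB_PORTS = (139, 445)            # 139 for XP; 139 and 445 for Vista

# Constructed sample. The last TCP row models a share opened against the
# server name instead of the loopback address: SMB bypassing the tunnel.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.1:445           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:49160     192.168.1.10:22        ESTABLISHED
  TCP    192.168.1.20:49161     192.168.1.10:445       ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""


def openssh_forward_args(loopback_ip: str, server: str, ports=SMB_PORTS) -> List[str]:
    """OpenSSH '-L' options equivalent to PuTTY's 'L<src> <dst>' tunnel entries.

    Each entry binds <loopback_ip>:<port> on the client and forwards it to
    <server>:<port> through the SSH session, exactly as the Tunnels page does.
    """
    args: List[str] = []
    for port in ports:
        args += ["-L", f"{loopback_ip}:{port}:{server}:{port}"]
    return args


def parse_netstat(text: str) -> List[Tuple[str, str, str, str]]:
    """Parse Windows 'netstat -an' into (proto, local, foreign, state) TCP rows.

    UDP rows carry no state column and are skipped; SMB here is TCP only.
    """
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[0].upper() == "TCP":
            proto, local, foreign, state = fields
            rows.append((proto, local, foreign, state.upper()))
    return rows


def tunnel_status(netstat_text: str, loopback_ip: str, server_ip: str,
                  ports=SMB_PORTS) -> Dict[str, object]:
    """Summarise whether the tunnel is usable and whether SMB is leaking around it.

    listening  - SMB ports PuTTY has bound on the loopback adapter
    ssh_up     - an ESTABLISHED connection to <server_ip>:22 exists
    cleartext  - ESTABLISHED connections straight to <server_ip>:139/445,
                 i.e. SMB that never entered the tunnel
    ok         - all ports bound, SSH up, nothing in cleartext
    """
    listening: List[int] = []
    cleartext: List[str] = []
    ssh_up = False
    for _, local, foreign, state in parse_netstat(netstat_text):
        lhost, lport = local.rsplit(":", 1)
        fhost, fport = foreign.rsplit(":", 1)
        if state == "LISTENING" and lhost == loopback_ip and int(lport) in ports:
            listening.append(int(lport))
        elif state == "ESTABLISHED" and fhost == server_ip:
            if fport == "22":
                ssh_up = True
            elif int(fport) in ports:
                cleartext.append(foreign)
    listening.sort()
    return {
        "listening": listening,
        "ssh_up": ssh_up,
        "cleartext": cleartext,
        "ok": listening == sorted(ports) and ssh_up and not cleartext,
    }


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NETSTAT
    lo = sys.argv[2] if len(sys.argv) > 2 else LOOPBACK_IP
    srv = sys.argv[3] if len(sys.argv) > 3 else "192.168.1.10"  # constructed sample address
    print("ssh", " ".join(openssh_forward_args(LOOPBACK_IP, SERVER_NAME)), f"buffy@{SERVER_NAME}")
    print(tunnel_status(text, lo, srv))
```

On the constructed listing the listeners and the SSH session are present, but the established connection to 192.168.1.10:445 is flagged as cleartext, so "ok" is False: that is what a share opened as \\SambaServer.hp.com instead of \\10.0.0.1 looks like, and it is the case the Wireshark trace in the next section illustrates.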


Connection Details

The Vista client has an open connection over the Putty SSH tunnel to the HP CIFS Server through the Secure Shell daemon. Below is the output from an HP CIFS Server smbstatus command that shows the smbd process for the open connection. Note that the process shows an open service for multiple server shares - the server port entry allows for the single mount of all available services, although individual permissions would prohibit or allow access to actual server directories.


Observe this Wireshark trace of a Vista client read of a CIFS Server file called "Sunnydale". The text of the file is the string "Sunnydale", although the text could also be confidential credit card data, health care patient records, or sensitive company financial reports. The standard Windows SMB session transmits data in the clear over an SMB connection to the server, so this data could be visible in a multitude of common client-server connection scenarios, including this example.


Observe the same file access over an SSH connection as described above. The data is encrypted and unintelligible when sniffed from the network. Sensitive data is protected using the tunneling configuration as described above.


Summary

The tunneling procedure above provides an encrypted connection over the SMB protocol from a Windows Vista or XP client to an HP CIFS Server. Although the procedure tasks are explained in detail, this process is not quick or easy for the average enterprise user. However, the value of a secure SMB session for critical users in specific connectivity scenarios makes the complexity worthwhile.

This paper will be updated with the topics:

- Client-Server SMB data encryption with IPSec
- HP CIFS Client and Server SMB data encryption

© 2009 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.
