freebsd-security Digest, Vol 634, Issue 3
WhiteWinterWolf (Simon)
freebsd.lists at whitewinterwolf.com
Thu Oct 19 13:37:42 UTC 2017
Hi Walter,
On 18/10/2017 at 22:52, Walter Parker wrote:
> SMB has supported authentication signing for a long time (more than a
> decade). That can be used for basic security.
> SMB3 supports encryption. To work with SMB3 encryption you will need
> at least Windows 8.
> The Samba project supports SMB3 and many of the security features in
> it, but not share level encryption. Password authentication works with
> signing and encryption. Until Samba supports the new share encryption
> in SMB3, you will need to use something like stunnel (or an encrypted
> VPN) to enable the privacy features that come with encryption.
>
> What that means is that the newest versions of Samba can talk to newer
> Windows boxes with the authentication pieces (the username/password
> exchange) done with encryption to make exploitation much harder.
I agree with you. However, put it in context: the current thread is
a malicious user acting as man-in-the-middle between a user and a server
storing potentially sensitive files (as I said in my previous answers,
for non-sensitive files such as media files a read-only SMB/NFS/whatever
is perfectly fine). The threat here is not someone attempting to login
to the file server.
In this case, end-to-end encryption seems required to me (I don't want
the content of personal or business-related documents to fall in wrong
hands). As a side note, it may be worth highlighting that Samba actually
offered SMB encryption *before* Microsoft, but Microsoft preferred to
create its own solution that Samba must now copy. All details can be
found in my answer to Benjamin in the same thread.
In this case, for low-tech people, I would tend to suggest using SFTP
(a password-based access is enough) instead of a stunneled SMB share as
I personally find it is easier to set up and more efficient.
> Encryption on NFS appears to be by using stunnel or SSH to encrypt the
> data (or using a VPN).
Regarding NFS, Benjamin and Gary rightly highlighted that NFSv4 supports
end-to-end authentication and encryption and is suitable for use over
untrusted networks. However, I don't know if end-users' (and in
particular Ronald's) NAS offers any easy-to-use NFSv4 feature. If this
is the case, this is indeed a very interesting choice based purely on
open standards, but I fear that there is no such feature which leaves us
again with SFTP.
Regards,
Simon.
--
WhiteWinterWolf
https://www.whitewinterwolf.com
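Walter's point that Samba protects a password-authenticated session with signing plus encryption maps onto two smb.conf parameters, `server signing` and `smb encrypt`. The audit below is an added example, not code from this thread or from the Samba project; its minimal smb.conf parser, function names and sample configurations are constructed for illustration, and it flags any share whose effective encryption setting (share-level value, else the [global] default) is not `required`.

```python
def parse_smb_conf(text):
    """smb.conf -> {section: {key: value}}; keys lower-cased, spaces removed (Samba ignores both)."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            sections[current][key.replace(" ", "").lower()] = value.strip().lower()
    return sections

def audit_smb_conf(text):
    """Return findings; empty means signing is mandatory and every share requires encryption."""
    conf = parse_smb_conf(text)
    glob, findings = conf.get("global", {}), []
    signing = glob.get("serversigning", "default")
    if signing != "mandatory":               # auto/default still accept unsigned sessions
        findings.append(f"[global] server signing = {signing}: unsigned sessions accepted")
    global_enc = glob.get("smbencrypt", "default")
    for name, params in conf.items():
        if name != "global":
            enc = params.get("smbencrypt", global_enc)   # share-level value overrides global
            if enc != "required":
                findings.append(f"[{name}] smb encrypt = {enc}: share data may cross the wire in clear")
    return findings

# Constructed samples (not from the thread): [docs] overrides the weak global default, [media] inherits it.
WEAK_CONF = """\
[global]
   server signing = auto
   smb encrypt = off
[docs]
   path = /srv/docs
   smb encrypt = required
[media]
   path = /srv/media
"""
HARDENED_CONF = """\
[global]
   server min protocol = SMB3
   server signing = mandatory
   smb encrypt = required
[docs]
   path = /srv/docs
"""
```

Running `audit_smb_conf(WEAK_CONF)` reports the negotiable signing and the unencrypted [media] share, while the hardened configuration returns no findings.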