
Re: [Samba] how safe is "net use" in a batch file? plus some encryption questions
On Sat, 11 Nov 2017 11:02:31 +0100
"Stefan G. Weichinger via samba" <samba@xxxxxxxxxxxxxxx> wrote:

> 
> A customer asked me if someone would be able to sniff (wireshark or 
> something like that) a password if plugging into the same switch as 
> their samba server.
> 
> They use a desktop icon pointing at a plain old bat-file containing a 
> "net use" command with the password right in there.
> 
> I *assume* that the "net use" authenticates via encrypted
> communication? could someone confirm that?

As far as I am aware, 'net use' sends the password unencrypted, so if
someone is trying to 'sniff' the password, they will get it, but then
if the password is stored in the bat file unencrypted and anybody can
read the bat file, they won't need to 'sniff' the password.

> 
> -
> 
> Unfortunately we can't use domain context there because of the
> special structure there: the thin clients are members in an AD domain
> separate from our protected standalone samba server (and these worlds
> have to be kept separated).
> 
> *and* I have to keep NTLMv1 etc activated to support old Windows XP
> VMs ... as far as I remember there are ways to activate safer
> protocols for XP as well, correct? (they insist on XP because of a
> specific software ...)

You can make XP use NTLMv2, see here:

https://www.imss.caltech.edu/node/396

I don't know who your customer is, but they really should find a more
up to date way of doing things.

> 
> -
> 
> They also ask for encryption. I think I could encrypt the underlying 
> layer via encfs or something, but that means that somebody has to 
> provide a passphrase at boot/mount-time. I want to avoid a 
> single-person-of-failure-scenario here: even if I am not available
> they have to be able to get that server up and running again in case
> of some reboot or so.
> 
> Is it recommended to just place a container like Truecrypt or
> Veracrypt inside a Samba-share? Any thoughts or recommendations here,
> best practices ... ? 

Cannot help you with encryption, I don't use it. However I feel that I
should point out that the rest of the system seems to be so insecure,
that if a badhat does get in, they will probably get the encryption keys
as well.

Rowland




-- 
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba
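The question in this thread is how exposed a password is when it sits inside a "net use" line in a .bat file on a desktop. One change that removes the plaintext from the file entirely is to store the credential once in Windows Credential Manager with cmdkey and then call "net use" with no password argument; Windows looks up the stored credential for the target host. The following is an added example, not code posted by Stefan or Rowland and not part of Samba; the host name "fileserver", the share "data", the Samba user "shareuser" and the drive letter are assumptions to be replaced. It is written for PowerShell, but the two cmdkey and net use lines are plain commands and work unchanged from a .bat file. The last part is a housekeeping check that searches a folder of batch files for "net use" lines that still carry a password.

```powershell
# Added example (not from the thread). Assumes a standalone Samba host
# reachable as "fileserver" with a share "data" and a Samba user
# "shareuser"; adjust all of these for the real environment.
$Server = 'fileserver'
$Share  = 'data'
$User   = 'shareuser'
$Drive  = 'S:'

# 1. One-time setup, run interactively by the person whose profile will
#    map the share. cmdkey keeps the password in Credential Manager,
#    DPAPI-protected and tied to that user profile, so it never has to be
#    written into a script. Leaving the value off /pass makes cmdkey
#    prompt for the password without echoing it.
if (-not (cmdkey /list:$Server | Select-String -Quiet 'Target:')) {
    cmdkey /add:$Server /user:$User /pass
}

# 2. What the desktop shortcut actually runs: net use with no password.
#    Windows supplies the stored credential for $Server automatically.
#    /persistent:no avoids a stale mapping that re-prompts at next logon.
net use $Drive "\\$Server\$Share" /persistent:no

# 3. Housekeeping check: find batch files that still embed a password.
#    A "net use" line is flagged when, after the UNC path and any number
#    of /switches, there is a token that is neither a switch nor "*"
#    ("*" tells net use to prompt, so it is not a password).
function Find-PlaintextNetUse {
    param([string]$Path)
    Get-ChildItem -Path $Path -Filter *.bat -Recurse -File |
        Select-String -Pattern '(?i)\bnet\s+use\s+(\S+\s+)?\\\\\S+(\s+/\S+)*\s+(?![/*])\S+' |
        ForEach-Object { '{0}:{1}: {2}' -f $_.Path, $_.LineNumber, $_.Line.Trim() }
}

# Example run against the shared desktop folder; prints one line per hit.
Find-PlaintextNetUse -Path "$env:PUBLIC\Desktop"
```

Two caveats a practitioner should keep in mind. Credential Manager protects the secret at rest and from anyone who can merely read the .bat file; it does not protect it from code running as that user, or from an administrator on the same machine, so it narrows the exposure rather than removing it. It also changes nothing about what crosses the wire: whether a capture on the same switch can be turned back into a password still depends on which authentication levels the Samba server accepts, so the Credential Manager change should go together with the NTLMv2 setting for the XP clients that the reply above points to.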