How Tunnelling SMB Works


Set up the SSH tunnel from your workstation to lapis such that:

 

  • the tunnel's entrance listens for SMB connections on your own workstation;
  • the tunnel encrypts the SMB traffic and sends it to the School's Linux server lapis;
  • the tunnel's exit decrypts the traffic and connects to the SAMBA server on lapis.


You can now connect your SMB client to the opening of the tunnel on your local host. The tunnel will then connect you transparently to the SAMBA server daemon on the remote host, lapis.  

 

Configuring Plain Passwords from Windows

There are two complications if you want to access a SAMBA file sharing server from a Windows PC workstation. Windows encrypts the SMB passwords it sends over the network, and Windows file servers can authenticate such a password against a Windows password database. But Linux-based SAMBA servers cannot compare encrypted Windows passwords with the differently encrypted Linux passwords they use.

It is necessary to configure your Windows PC to send unencrypted passwords to non-Windows SAMBA servers. (Your password will nonetheless be protected on the network by the SSH tunnel.)

 

NOTE
This feature is not available on Windows XP Home Edition, and Vista may have the same restriction. In that case, you cannot use SMB connections. For other options, look at Introductory Note 811 for connection via SFTP, or Introductory Note 815 for connection via WebDAV or Webfolders.


In Windows XP (other than Home Edition), as an Administrator, open the Windows Control panel and double click on Administrative Tools.  


Now double click on Local Security Policy.  


Open the Local Policies, Security Options from the left panel menu.

Look for Microsoft network client: Send unencrypted password to third-party SMB servers.
Right click on it and select Properties.
 


In the Local Security Setting panel set Microsoft network client: Send unencrypted password to third-party SMB servers to enabled.

Click the OK button to save the setting.
 

Close the windows and reboot the PC.

 

Turning off Local Windows Sharing

Secondly, Windows is often configured with SMB sharing turned on locally. We want to use the local SMB port as the entrance to our SSH tunnel. So we must first turn off the default Windows server sharing.


As an Administrator, open Administrative Tools again from the Windows Control panel as above. Then double click on Services.  


Find the service called Server and right click to open its properties panel.  


Set the Startup type to Disabled.

Click the OK button to save the setting.
 

Close the windows and reboot the PC.

 

Secure Shell Applications

In order to set up the tunnel, you will need to use a secure shell application. Linux workstations will already have the ssh command installed. For Windows, you can obtain SSH.com's SSH® Secure Shell Client or the PuTTY application.

An installation .exe of SSH® Secure Shell Client is available for members of the School from http://docs.cs.cf.ac.uk/SSH/.

PuTTY is available from http://www.chiark.greenend.org.uk/~sgtatham/putty/.

The Windows secure shell Graphical User Interfaces can be used to set up the tunnel. A simpler alternative is to use the ssh2 command from SSH.com, or the plink command from PuTTY.

 

Setting up the Tunnel

On Linux, set up a tunnel to the SAMBA server on lapis with:

 

ssh -N -f -L 139:localhost:139 scmxxx@lapis.cs.cf.ac.uk

The command will prompt for your University password and will detach from the terminal and run in the background.

You will need superuser (root), admin or sudo privileges on your workstation to set up the tunnel, because port 139 is a privileged port (below 1024).

Ssh listens on the SMB port (139) on the local workstation, sends the traffic via the secure shell protocol to the remote server, lapis, and passes it on to lapis's SMB port.
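
An added check, not part of the original note: the tunnel entrance on port 139 should accept connections only from the workstation itself, which is ssh's default for -L unless -g or GatewayPorts is set. The functions below classify the output of ss -ltn (Linux) for that port; the function names and the sample listings are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original note). Classifies the listeners on the
# tunnel entrance port from `ss -ltn` output read on stdin. Exit status:
#   0 = every listener on the port is loopback-only
#   1 = at least one listener accepts connections from other hosts
#   2 = nothing is listening on the port (tunnel is not up)
check_listener() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")            # $4 is Local Address:Port
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            seen = 1
            if (addr !~ /^127\./ && addr != "[::1]") exposed = 1
        }
        END { if (!seen) exit 2; exit (exposed ? 1 : 0) }
    '
}

# Turn the exit status into a one-word verdict. Usage: ss -ltn | verdict 139
verdict() {
    rc=0
    check_listener "$1" || rc=$?
    case "$rc" in
        0) echo "loopback-only" ;;
        1) echo "exposed" ;;
        *) echo "no-listener" ;;
    esac
}

# Constructed sample listings (not captured from a real host).
SAMPLE_LOOPBACK='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    127.0.0.1:139      0.0.0.0:*
LISTEN 0      128    [::1]:139          [::]:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'
# What the listing looks like if the forward was started with -g or GatewayPorts.
SAMPLE_EXPOSED='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:139        0.0.0.0:*'
SAMPLE_DOWN='State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*'

printf '%s\n' "$SAMPLE_LOOPBACK" | verdict 139
printf '%s\n' "$SAMPLE_EXPOSED"  | verdict 139
printf '%s\n' "$SAMPLE_DOWN"     | verdict 139
```

To pin the entrance explicitly rather than rely on the default, the forward can be written with a bind address, as in -L 127.0.0.1:139:localhost:139.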

On Windows, open a Command (cmd) Window, and use the SSH.com command ssh2:

 

cd "C:/Program Files/SSH Communications Security/SSH Secure Shell"
ssh2 -S -L 139:localhost:139 scmxxx@lapis.cs.cf.ac.uk

Or you can use the PuTTY plink command:

 

cd "C:/Program Files/PuTTY"
plink -N -L 139:localhost:139 scmxxx@lapis.cs.cf.ac.uk

You may need to use the IP address 127.0.0.1 instead of localhost.

Do not terminate the cmd window until you have finished using the tunnel.

 


 

 

 

http://docs.cs.cf.ac.uk/html/813/node3.html

 

 

 
