encrypted file sharing bsd<-->winxp/2k3 [SOLVED]
No at SPAM at mgEDV.net
nospam at mgedv.net
Thu May 4 10:28:33 UTC 2006
[original post from 10/2005... better late than never!]
we have been searching for a proper solution to encrypt
filesharing data between a windows client and a freebsd
fileserver (because freebsd provides a good solution for
disk encryption --> GELI). we wanted to use them as simple
network drives (because somtimes software needs that).
vpn and hardware solutions (like encrypting NIC's) have
been ruled out because of the investment or the effort
and interoperability of these solutions. webdav, ftp,
etc... have been ruled out because of the amount of
services/configuration you need on the server and because
of the behaviour in windows (it's never acting as a real
network mapped filesharing folder).
our choices (after some test/research) are: SMB over SSL.
the solution is as simple as it should be with small
networks that still have an requirement to encrypt data:
on the fileserver you install samba, and let it bind only
to the loopback adapter (eg. 127.0.0.1:10139).
next you install stunnel on the server and let it tunnel
the real ip's port 139 (eg. 192.168.10.1:139) back to
on the client you have to install the microsoft loopback
network adapter and give it a real and static ip address,
that is NOT in your network (and hopefully will never be.
in our example 10.232.232.232).
for testing. remove all bindings except tcp/ip to this
adapter (like ms filesharing).
now install stunnel on your client, configure it like to
map as a client from the loopback adapter's (10.232.232.232:139)
to the fileservers ip/port (192.168.10.1:139).
define automatic startup for stunnel and samba on your
server and start the services. on your client you also
install the stunnel service to run on system startup.
finally, you have to map a network drive:
just use "net use X: \\10.232.232.232\<your_samba_share_name>"
and if everything went fine, you have a new drive X: like it
would have been shared by a windows box.
this configuration works perfectly for us! the only requirement
is that you know how stunnel and samba work (at least from the
administrator's view) and that you know your network.
we didn't use hostnames in this example only for readability.
if you want hostnames, don't forget to setup a proper hosts/dns.
oh yes, using port 445 was NOT working because as soon as ms
starts, it binds itself to 0.0.0.0:445 and therefore you can't
bind anything else to this port. (we didn't find a way to tell
ms to only bind port 445 to specific addresses, if someone knows
how, let us know!)
More information about the freebsd-questions