[ Sorry, sent to the wrong alias, resending to psarc-ext.  I'll forward 
the discussion so far.  Please watch for replying to the original 
message and change it to psarc-ext. ]

I am sponsoring the following for fast track approval.  The timer
expires 8 December 2008.

---
This information is Copyright 2008 Sun Microsystems

CIFS Client Message Signing
Author: Gordon Ross
26 November, 2008

1. Technical Description

    Add "signing" support to the Solaris CIFS Client

2. Details
    2.1 Background and motivation

    The Solaris CIFS Client [PSARC 2005/695] provides the ability to
    mount CIFS shares from Windows-compatible servers on Solaris.
    In this context, "SMB signing" refers to a message integrity
    system designed by Microsoft, further described here:
        Overview of Server Message Block signing
        http://support.microsoft.com/kb/887429

    The use of SMB signing is negotiated between the client and
    server during connection initiation. Policy settings on both
    client and server influence the outcome of this negotiation.
    Either the client or server may require signing, but normally
    the signing policy is controlled from the server side because
    that method has the convenience of centralized administration.

    This case adds support for a new option named "signing" to
    the existing client-side options stored in SMF. The new
    "signing" option allows a system administrator to control
    the client-side policy for negotiation of SMB signing,
    in a way similar to that provided on Windows systems.

    Details of the new option are described in the nsmbrc(4)
    manual page, which will be updated with this case.

3. Interface table
    3.1 Exported Interfaces

    "signing" option       Committed       See nsmbrc(4)

    3.2 Imported Interfaces
    (no change)

4. Documentation

    The nsmbrc(4) man page will be updated by CR 6720803.
    Here is a summary of the nsmbrc(4) changes:

    New parameter: signing
    Allowed in SMF only. (sharectl)
    Allowed in sections: default, $SERVER
    Allowed values: disabled, enabled, required
    Default value: disabled [Note 1]

    Example output of "sharectl get smbfs":
        [default]
        signing=required

    The definitions of the values are:
    disabled: Client does not use SMB signing unless the
              server requires signing. [Note 1]
              (This is the default value.)
    enabled:  Client will use SMB signing if possible.
    required: Client requires SMB signing. Note:
              If a server has signing set to "disabled", then
              connections with this configuration will fail.

    These values are further explained here:
        Overview of Server Message Block signing
        http://support.microsoft.com/kb/887429
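    The three client values above only decide something once they meet
    the server's policy, and the one combination that fails (client
    "required" against a server with signing disabled) is easy to miss
    in prose. The following is an added example, not code from the case
    or from the Solaris CIFS client: it encodes the negotiation outcome
    for every client/server pair from the definitions above and Note 1
    below. The server-side value names mirror the Windows server policy
    from KB 887429; the outcome strings "signed", "unsigned" and "fail"
    are this example's own.

```python
"""Outcome of SMB signing negotiation for each client/server policy pair.

Added example for this case; not part of the Solaris CIFS client.
Server-side policy names (disabled/enabled/required) are assumed to mirror
the Windows server settings described in KB 887429.
"""

POLICIES = ("disabled", "enabled", "required")


def negotiate_signing(client: str, server: str) -> str:
    """Return 'signed', 'unsigned' or 'fail' for one client/server pair.

    Rules, taken from the option definitions and Note 1 in the case text:
      - client 'required' against a server with signing disabled fails;
      - a server that requires signing is always honoured (Note 1);
      - client 'required' signs with any server that allows it;
      - client 'enabled' signs whenever the server is willing;
      - client 'disabled' signs only when the server requires it.
    """
    if client not in POLICIES or server not in POLICIES:
        raise ValueError(f"unknown policy: client={client!r} server={server!r}")

    if client == "required" and server == "disabled":
        return "fail"            # connection is refused rather than downgraded
    if server == "required" or client == "required":
        return "signed"          # Note 1: a requiring side wins
    if client == "enabled" and server == "enabled":
        return "signed"
    return "unsigned"            # disabled on either side, nobody requires it


def negotiation_table() -> dict:
    """Full 3x3 matrix keyed by (client, server)."""
    return {(c, s): negotiate_signing(c, s) for c in POLICIES for s in POLICIES}


def unprotected(client: str, server: str) -> bool:
    """True when a session is established without message signing at all."""
    return negotiate_signing(client, server) == "unsigned"


if __name__ == "__main__":
    for (c, s), outcome in sorted(negotiation_table().items()):
        print(f"client={c:8}  server={s:8}  -> {outcome}")
```

    Note that with the default value "disabled" the client still ends up
    signing against a server that requires it (Note 1), but against any
    other server the session is unsigned; "enabled" is the setting that
    takes signing whenever the server offers it without risking a failed
    mount.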

    Support for SMB signing is required for interoperability with
    recent Windows servers. While SMB signing was originally
    intended to defend against man-in-the-middle (MITM) attacks,
    it is not recommended as a sole defense against such attacks
    because the message integrity system it uses is not considered
    cryptographically strong. See this page for details:
        [MS-SMB] Sec. 5.1 Security Considerations for Implementers
        http://msdn.microsoft.com/en-us/library/cc212610.aspx
    Better defense against MITM attack as well as "eavesdropping"
    is available with ipsec(7p) or Virtual Private Network (VPN)
    technologies.
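    To make concrete what the integrity mechanism in the paragraph above
    actually is, here is an added example (not code from the case or from
    the Solaris CIFS client) of SMB1 message signing as specified in
    [MS-CIFS]/[MS-SMB]: the 8-byte SecurityFeatures field at header
    offset 14 is loaded with the sequence number, MD5 is computed over
    SigningKey || message, and the first 8 bytes of that digest are
    written back into the field. The real signing key is derived from
    the NTLM session key ([MS-SMB] 3.2.4.2.3); the 16-byte key and the
    request bytes below are constructed placeholders.

```python
"""SMB1 message signing: sequence number into SecurityFeatures, MD5 over
SigningKey || message, first 8 digest bytes installed as the signature.

Added example for this case; not code from the Solaris CIFS client.
The signing key and request bytes are constructed placeholders.
"""
import hashlib
import hmac
import struct

SMB_MAGIC = b"\xffSMB"
HEADER_FMT = "<4sBIBHH8sHHHHH"            # 32-byte SMB1 header, little-endian
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 32
SIG_OFFSET = 14                           # start of the SecurityFeatures field
SIG_LEN = 8
FLAGS2_SECURITY_SIGNATURE = 0x0004        # sender is signing this message


def build_message(command: int, tid: int, pid: int, uid: int, mid: int,
                  body: bytes) -> bytes:
    """SMB1 header with a zeroed signature field, followed by `body`."""
    header = struct.pack(HEADER_FMT, SMB_MAGIC, command, 0,          # status
                         0, FLAGS2_SECURITY_SIGNATURE,                # flags, flags2
                         (pid >> 16) & 0xFFFF, b"\0" * SIG_LEN, 0,    # pidhigh, sig, reserved
                         tid, pid & 0xFFFF, uid, mid)
    return header + body


def sign_message(signing_key: bytes, message: bytes, seq: int) -> bytes:
    """Return `message` with the signature for sequence number `seq` installed."""
    if len(message) < HEADER_LEN or message[:4] != SMB_MAGIC:
        raise ValueError("not an SMB1 message")
    buf = bytearray(message)
    # Sequence number as 32-bit LE in the first half of the field, rest zero.
    buf[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = struct.pack("<I", seq) + b"\0" * 4
    digest = hashlib.md5(signing_key + bytes(buf)).digest()
    buf[SIG_OFFSET:SIG_OFFSET + SIG_LEN] = digest[:SIG_LEN]  # truncated to 64 bits
    return bytes(buf)


def verify_message(signing_key: bytes, message: bytes, seq: int) -> bool:
    """Recompute the signature for `seq` and compare in constant time."""
    got = message[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    want = sign_message(signing_key, message, seq)[SIG_OFFSET:SIG_OFFSET + SIG_LEN]
    return hmac.compare_digest(got, want)


def demo() -> dict:
    """Sign a constructed request, then show what verification does and does not catch."""
    key = bytes(range(16))                  # constructed stand-in for the session key
    body = b"\x00\x00\x00"                  # constructed placeholder parameter/data bytes
    request = build_message(0x2B, 0, 0x1234, 0x0800, 1, body)   # 0x2B = SMB_COM_ECHO
    signed = sign_message(key, request, seq=0)

    tampered = signed[:-1] + bytes([signed[-1] ^ 0x01])   # flip one bit in the body
    return {
        "valid": verify_message(key, signed, 0),
        "wrong_seq": verify_message(key, signed, 1),      # replayed with a stale counter
        "tampered": verify_message(key, tampered, 0),
        "wrong_key": verify_message(b"\0" * 16, signed, 0),
        "sig_hex": signed[SIG_OFFSET:SIG_OFFSET + SIG_LEN].hex(),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:10} {value}")
```

    Both peers keep the sequence counter, so a message replayed later
    fails verification even though its bytes are unchanged. What the
    construction provides is a 64-bit tag computed as a plain MD5 prefix
    hash keyed by material that itself comes from the NTLM exchange,
    which is the reason the case text does not recommend it as the sole
    defense against an active attacker.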

    Note 1:
        Note that if the server requires signing, the Solaris
        CIFS client uses signing regardless of local settings.
        This is the same as with current Windows clients, per
        Microsoft Knowledge Base article 916846. See:
            http://support.microsoft.com/?kbid=916846

5. References

    Overview of Server Message Block signing
    http://support.microsoft.com/kb/887429

    [MS-SMB] Sec. 3.2.4.2.3 User Authentication (signing)
    http://msdn.microsoft.com/en-us/library/cc212511.aspx

    [MS-SMB] Sec. 5.1 Security Considerations for Implementers
    http://msdn.microsoft.com/en-us/library/cc212610.aspx

    [MS-SMB] Appendix A: Windows Behavior (item 172)
    http://msdn.microsoft.com/en-us/library/cc212929.aspx#wb172

    [MS-NLMP] NT LAN Manager (NTLM) Authentication Protocol
    http://msdn.microsoft.com/en-us/library/cc207842.aspx

    Microsoft Knowledge Base article 916846:
    http://support.microsoft.com/?kbid=916846