On Tue, 13 Mar 2007, Kristian Hermansen wrote:

> On 3/13/07, jbk <jbk at mail2.gis.net> wrote:
>> No, I don't trust all the users on my network. I trust that
>> teenagers will seek out all corners of the data base if
>> something sparks their interest. I can't predict what that
>> is and I do have sensitive personal data on the server.
>
> I don't mean to sound brash....But!!!
>
> Sensitive personal data on the SMB server? You are aware that SMB
> sniffers can pick up that data and reconstruct it as soon as you
> transfer it right? No authentication is needed. Additionally,
> cracking SMB is not hard. So maybe you will keep out the 12 year
> olds, but those teens will have it cracked in no time!

On most NFS systems files and directories are secured through a combination of IP restrictions and UID restrictions based on the Unix permission model. The IP restrictions are placed by the server itself. Accessing a volume for which you are not on the IP list is difficult. The UID restrictions are honored (or not) by the client system. If your files are owned by UID 100 which should be mapped to your user, I can read your files by creating a new user with uid 100 on my system. (Note that newer NFS systems can use Kerberos for user authentication, but these systems are rare at this point).

On SMB file shares access to the files is restricted to an authenticated user. Yes, you can break the encryption placed on the file transfers, but that will only work if you have the ability to listen to all network traffic which is difficult on a switched network.

On a network in which you cannot trust the users and systems this means that a skilled attacker can potentially read files transferred by SMB while a less skilled attacker can pull ALL files from your NFS file server.

-- Greg
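The NFS trust model described in the message above (host restrictions enforced by the server, UIDs asserted by the client unless Kerberos is used), as an added example that is not part of the original post: a small audit of Linux-style `/etc/exports` entries. The sample exports and the issue labels are constructed for illustration, and the parser assumes one export per line with no quoted paths or line continuations.

```python
import re

# Constructed sample /etc/exports content (not from the original post).
SAMPLE_EXPORTS = """\
# path       client(options) ...
/home        192.168.1.0/24(rw,sync)
/srv/private *(rw,no_root_squash)
/srv/secure  192.168.1.10(rw,sec=krb5p)
/srv/mixed   fileclient.example(ro,sec=krb5:sys) 10.0.0.0/8(ro,all_squash)
"""

CLIENT_SPEC = re.compile(r"([^()]*)(?:\(([^)]*)\))?")


def audit_exports(text):
    """Return [(path, client, [issues])] for exports with weak access control.

    Issue labels (hypothetical names chosen for this example):
      open-hosts     - no effective host/IP restriction on the export
      uid-trust      - sec=sys in effect, so the server honors whatever UID
                       the client machine claims for the user
      no-root-squash - client root is treated as root on the server
    """
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        path, *specs = line.split()
        for spec in specs or [""]:            # no client listed = any host
            match = CLIENT_SPEC.fullmatch(spec)
            if match is None:                 # malformed entry, skip it
                continue
            client = match.group(1) or "*"
            opts = [o for o in (match.group(2) or "").split(",") if o]
            flavors = ["sys"]                 # sec=sys is the default flavor
            for opt in opts:
                if opt.startswith("sec="):
                    flavors = opt[4:].split(":")
            issues = []
            if "*" in client or "?" in client:
                issues.append("open-hosts")
            # all_squash maps every caller to the anonymous UID, so the
            # client-supplied UID no longer selects whose files are readable.
            if "sys" in flavors and "all_squash" not in opts:
                issues.append("uid-trust")
            if "no_root_squash" in opts:
                issues.append("no-root-squash")
            if issues:
                findings.append((path, client, issues))
    return findings
```

An export limited to `sec=krb5`, `krb5i` or `krb5p` is not flagged for `uid-trust`, because the user identity is then authenticated by Kerberos rather than asserted by the client.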