I'd like comments (suggestions, improvements, messages that start with "you moron you forgot that. . .") on the following horrible dirty kludge to make a (nearly, with any luck) un-hackable set of shares available to specific users on the internet.

On the Server, initially all packets bound for port 139 are rejected as the default policy. The server is connected to the internet full time on a static IP. I (Joe User) am kicking around somewhere in the big wide world with a PC and an internet connection of some kind (we assume I have a "real" IP address, but no telling in advance what it may be). I also have access to a 3rd party POP account.

I use a script on my PC to automatically write a message like:

    "The time is now 08:58:21 GMT and I'd like access as user joeuser from 123.123.123.123"

The script then calls PGP to sign the message with my private key (prompting me for the passphrase, none of this stored passphrase mumbo-jumbo) and when that operation terminates successfully it encrypts the message with my server's private key and mails the message through my POP account to an account like "samba_auth@server.somedomain" on the server.

The server receives and decrypts the e-mail, validates the signature, and if everything checks out compares the time given in the message to the current system time. If the message is less than 20 mins old (somebody else may have Joe's current IP later on, but we must allow for inaccurate clocks and processing time) the server does something like:

    ipfwadm -I -a accept -D $SERVER_IP 139 -V $SERVER_IP -P tcp -S $IP_FROM_EMAIL

and possibly alerts Joe User in some fashion to tell me that my request has been processed. Joe User then successfully syncs his clock with the server, maps his home directory to drive X: and plays with his favorite M$ program until it crashes. A few minutes after connecting he's finished, and he disconnects.
The configuration for the joeshome share in smb.conf contains the line:

    root postexec = ipfwadm -I -d accept -D $SERVER_IP 139 -V $SERVER_IP -P tcp -S %I

One thing I am unsure about is the ability of this system to withstand an attempt by Joe User's remote ISP to gain access to Joe's account while he is online. If you can answer the following questions I'd love to hear from you:

1. If the ISP suddenly re-assigned Joe's IP address to one of their own machines, would the postexec command be called and cut them off before they could access Joe's files? Or would it have to wait until deadtime (or some other timeout) killed Joe's inactive connection?

2. Is it possible that they (or somebody in between) could establish a connection without breaking Joe's connection?

3. Can you think of any way to fake an access request message without physical access to Joe's PC and his passphrase?

4. Can you think of a practical way to better automate the connection process so that when the server has created the accept rule for Joe's IP it will also do something to cause Joe's PC to realise that the process is complete and it can now connect?

5. Does this system have blatantly obvious weak points that I've totally missed?

6. Is there a simpler way to achieve the same basic effects (i.e. establishing secure one-time samba access from an arbitrary IP address)?

6. Is it reasonable to assume that (unless the machine is rebooted, which would clear the firewall rules anyway) the postexec line is certain to execute at some point? Or would it be a good safety precaution to run a cron job to remove all the rules that could have been created by this process on a regular basis?

7. What problems might I encounter vis-a-vis NetBIOS and DNS? (Yes, save the worst for last ;) I'd _guess_ that this would not be a problem, as "net view \\$SERVER_IP" seems to work just fine on M$ systems which are allowed to communicate with the server, and with any luck the server does not actually need to know the netbios name that the client thinks it has or be able to resolve that to an ip with dns. . . Right?

Failing that assumption, can anyone think of a slick way to tell samba that $IP_FROM_EMAIL is JoesBox without restarting samba? (bringing up questions about when/how lmhosts is used. . .)

-- 
Q: What's tiny and yellow and very, very, dangerous?
A: A canary with the super-user password.
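The server-side freshness check and rule construction described above, as an added example (not code from the original post). It assumes PGP decryption and signature verification already happened upstream, uses a placeholder $SERVER_IP, and adds a date to the timestamp: the post's "08:58:21 GMT" format carries only a time of day, so a message replayed exactly 24 hours later would pass a time-of-day-only check.

```python
import re
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample request in the post's format, with a date added
# (assumption; see the lead-in for why a date is needed).
SAMPLE_REQUEST = ("The time is now 1999-01-13 08:58:21 GMT and I'd like "
                  "access as user joeuser from 123.123.123.123")

MAX_AGE = timedelta(minutes=20)   # freshness window from the post
MAX_SKEW = timedelta(minutes=2)   # tolerance for a client clock running ahead
SERVER_IP = "192.0.2.1"           # placeholder for $SERVER_IP

PATTERN = re.compile(
    r"^The time is now (\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) GMT and I'd like "
    r"access as user ([a-z][a-z0-9_]{0,31}) from (\S+)$")

def utc(s):
    """Parse 'YYYY-MM-DD HH:MM:SS' as an aware UTC timestamp."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)

def parse_request(text):
    """Return (timestamp, user, ip) or None for a malformed message. User and
    IP are validated strictly because the IP ends up in a firewall command."""
    m = PATTERN.match(text.strip())
    if not m:
        return None
    try:
        ip = str(ipaddress.IPv4Address(m.group(3)))   # rejects "1.2.3.4;id" etc.
    except ValueError:
        return None
    return utc(m.group(1)), m.group(2), ip

def is_fresh(stamp, now):
    """True if the request is at most MAX_AGE old and not far in the future."""
    age = now - stamp
    return -MAX_SKEW <= age <= MAX_AGE

def accept_rule(text, now):
    """Return the ipfwadm accept command as an argv list (run it with
    subprocess.run(argv), never through a shell) for a valid, fresh request;
    None otherwise. PGP signature verification is assumed to happen upstream."""
    parsed = parse_request(text)
    if parsed is None:
        return None
    stamp, _user, ip = parsed
    if not is_fresh(stamp, now):
        return None
    return ["ipfwadm", "-I", "-a", "accept", "-D", SERVER_IP, "139",
            "-V", SERVER_IP, "-P", "tcp", "-S", ip]
```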
On Wed, Jan 13, 1999 at 11:53:34PM +1100, Chris Watt wrote:

> 1. If the ISP suddenly re-assigned Joe's IP address to one of their own
> machines, would the postexec command be called and cut them off before they
> could access Joe's files? Or would it have to wait until deadtime (or some
> other timeout) killed Joe's inactive connection?

If they are smb-experts yes - otherwise not, I think

> 2. Is it possible that they (or somebody in between) could establish a
> connection without breaking Joe's connection?

Again, if they are smb-experts, someone could hijack the connection (has been done for telnet - so tcp-connections can be hijacked, udp is even easier, I think)

> 3. Can you think of any way to fake an access request message without
> physical access to Joe's PC and his passphrase?

Well.. If your scripts are safe, your script-interpreters are safe (no buffer overflows...), your os is safe then No. You can of course never be sure, but your approach seems quite safe.

> 4. Can you think of a practical way to better automate the connection
> process so that when the server has created the accept rule for Joe's IP it
> will also do something to cause Joe's PC to realise that the process is
> complete and it can now connect?

winpop-message?

> 5. Does this system have blatantly obvious weak points that I've totally
> missed?

Apart from hijacking, it is (quite) easy to record every byte that joe transfers, since smb is not encrypted

> 6. Is there a simpler way to achieve the same basic effects (i.e.
> establishing secure one-time samba access from an arbitrary IP address)?

I have no

>
> 6. Is it reasonable to assume that (unless the machine is rebooted, which
> would clear the firewall rules anyway) the postexec line is certain to
> execute at some point? Or would it be a good safety precaution to run a
> cron job to remove all the rules that could have been created by this
> process on a regular basis?

Would be a good idea - in case samba crashed, or whatever - better paranoid than hacked :-)

> 7. What problems might I encounter vis-a-vis NetBIOS and DNS? (Yes, save
> the worst for last ;) I'd _guess_ that this would not be a problem, as "net
> view \\$SERVER_IP" seems to work just fine on M$ systems which are allowed
> to communicate with the server, and with any luck the server does not
> actually need to know the netbios name that the client thinks it has or be
> able to resolve that to an ip with dns. . . Right?
> Failing that assumption, can anyone think of a slick way to tell samba that
> $IP_FROM_EMAIL is JoesBox without restarting samba? (bringing up questions
> about when/how lmhosts is used. . .)

If joe's pc runs linux (or if he has a linux-router for his modem), you could make a virtual connection over the internet. An example is to use ssh (encrypted telnet, or better encrypted rsh) and let ppp run "over" ssh. This gives you an encrypted, virtual connection. If you do it right, joe's pc at home looks like a host behind a router for the pc's in the office. Maybe this also solves 7) ???

Greetings, Florian Pflug