Securing Windows File Sharing With SSH
At Bitvise you can find a professional solution to a rather interesting problem: sharing, on Windows machines, folders from remote (or local) SSH servers over the SSH protocol. This technique, called tunneling, also serves to redirect other services (MySQL, for example) to other remote machines, while keeping the connection secure. Below I transcribe the steps to follow. The original article can be found on the Bitvise page.
Tunneling Windows file shares is useful if you want to comfortably access files on a Windows machine that is only accessible via SSH, and you don’t want to use SFTP or SCP.
To tunnel Windows file shares over an SSH connection, you need to forward connections on port 139 on the sharing-consumer machine via SSH to the sharing-provider machine. The exact setup differs depending on the version of Windows on the sharing-consumer machine:
- Windows 2000: configure the SSH client to listen on interface 127.0.0.2 and connect to ‘\\127.0.0.2\sharename’. This is all that is necessary.
- Windows XP: same as for Windows 2000, but before using the forwarded share, the local (client’s) Windows file sharing server needs to be stopped via ‘net stop server’. To disable it permanently, run ‘sc config lanmanserver start= disabled’. To re-enable it at a later time, run ‘sc config lanmanserver start= auto’. Note the space between ‘start= ‘ and the following parameter – sc will fail without it.
If you want to avoid disabling the file sharing server on the client machine because you want to retain remote access to the client machine’s shared resources, there is another alternative. You can install the Microsoft Loopback Adapter according to instructions relevant to your version of Windows:
- The Loopback Adapter and file share tunneling: Windows XP and 2003
- The Loopback Adapter and file share tunneling: Windows 2000
- The Loopback Adapter and file share tunneling: Windows NT4
If using the Microsoft Loopback Adapter, remember to set up your SSH client appropriately: use the Loopback Adapter’s IP instead of 127.0.0.1 or 127.0.0.2. If you assigned the Loopback Adapter the IP address 10.10.10.10, configure a client-to-server port forwarding rule to listen on 10.10.10.10, port 139; then you can connect to ‘\\10.10.10.10\sharename’.
If the instructions on this page fail for you, try some of the file share tunneling tips contributed by our users.
Note that, in all cases, you will not be able to browse to the sharing-provider machine via point-and-click – the network path needs to be typed in manually.
Step-by-step instructions
Follow these steps if you wish to get quickly up and started with Windows file sharing over SSH. It is advised that you try to understand what is being done by each one of the steps presented. The difference between understanding and not understanding is frequently the difference between a security measure which works and one that only appears to.
On the server machine (Windows): (the file-sharing provider)
- Install WinSSHD on the server (the machine that has the resources you wish to access with Windows file sharing).
- No changes to the default WinSSHD configuration are required to use Windows file sharing over SSH. You may wish to make changes to the default WinSSHD configuration later on, to restrict what WinSSHD features are accessible to remote users. However, for the time being, keep your WinSSHD settings at default until your file sharing over SSH is up and running.
- Apart from installing WinSSHD, the only thing you need to do on the server is ensure that there is a Windows account which you can use to log on locally, and which you are comfortable using through Tunnelier and WinSSHD. If such an account does not yet exist, create one and use it to log on for the first time through the local Windows console to make sure all settings for the new account are initialized.
- Start the WinSSHD service from the WinSSHD Control Panel.
On the server machine (Linux): (the file-sharing provider)
- Install openssh on the server (the machine that has the resources you wish to access with Windows file sharing).
- No changes to the default OpenSSH (sshd) configuration are required.
- Configure the shares with Samba.
On the client machine:
- If the client is running Windows XP or 2003 and you wish to retain the ability to share the client’s resources, install and configure the Microsoft Loopback Adapter.
- Install Tunnelier on the client (the machine from which you wish to be accessing the server machine’s shared resources).
- Configure the following settings on the Login tab in Tunnelier. Click also the ‘Help’ link on the Login tab for help with any of these settings.
- Host: The IP address or DNS name of the server that you are accessing.
- Port: You will normally use the default value, 22. This must match the port that WinSSHD is listening on. If you have made no changes to the default WinSSHD configuration to change the port it is listening on, use 22.
- Username: The Windows account name with which to log into the server. This must be a valid Windows account name with local logon permissions on the side of the server.
- Password: The password with which to log into the server, belonging to the account name specified by Username.
- Store encrypted password in profile: You may optionally wish to enable this setting so that you will not be asked to reenter the password each time when logging in after Tunnelier has been restarted.
- In the C2S Forwarding tab in Tunnelier, add a new entry and configure the following settings for this entry. Click also the ‘Help’ link on the C2S Forwarding tab for help with any of these settings.
- Status: This will be ‘enabled’ by default, leave it that way.
- Listen interface: The default value is 127.0.0.1. If the client machine is running Windows XP, leave this as it is; you will need to uninstall file and printer sharing on the client machine anyway. If the client machine is running Windows 2000, change this to 127.0.0.2 so that you will not need to uninstall file and printer sharing.
- List. Port: 139.
- Destination Host: set this to the interface on which the file sharing server is listening for SMB connections. Setting this to ‘localhost’ or 127.0.0.1 will not work because the file sharing server is usually listening on a specific interface rather than all interfaces, so it will not be possible to go through the loopback connection. To determine the interface where the file sharing server is listening, execute ‘netstat -an’ on the server and examine the output for a line like ‘xxxxxx:139 … LISTENING’. The xxxxxx is the IP address that you need to enter in this field. Normally this will be the IP address associated with the server’s main ethernet adapter.
- Dest. Port: 139.
- Click the Login button in Tunnelier and observe the log area for any errors. If the session is established without errors, the SSH setup is running.
- If you are running Windows XP, you will now need to uninstall (not just disable, but completely uninstall) file and printer sharing on the client machine. This can be done through Network Connections : (each connection) : Properties – select ‘File and Printer Sharing’ in the list box and press the Uninstall button. This needs to be done for each active network connection on the client machine.
- If you are using earlier versions of Windows (this is confirmed for Windows 2000 but is likely to apply to the 9x/Me series as well), you will not need to uninstall file and printer sharing if you specified 127.0.0.2 as the Tunnelier C2S rule listening interface (above).
- Once the above steps have been completed, you will be able to connect securely to the shared resources on the server machine using syntax such as ‘\\127.0.0.1\sharename’ or ‘\\127.0.0.2\sharename’, respectively. This will work as long as the Tunnelier SSH connection remains established.
- You can make sure that your file sharing connections are going through Tunnelier by checking the Tunnelier log area for a message saying ‘Accepted client-to-server connection from … to …:139’ corresponding to each connection attempt you make. Likewise, when your file sharing connection closes, Tunnelier should output a log message stating ‘Closing client-to-server forwarding channel from … to …:139’.
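The two checks this procedure depends on, finding the interface on which the SMB server listens (the ‘Destination Host’ step above) and confirming from the Tunnelier log that each share connection really went through the forwarded port, as an added Python example; this is not code from the original article or from Bitvise. The netstat output and the log excerpt are constructed for the example, and the timestamp prefix on the log lines is an assumption about Tunnelier’s log layout (the message wording follows the article’s quotes).

```python
"""Checks for a Windows-file-sharing-over-SSH setup.

Added example; not part of the original article or Bitvise's software.
"""
import re
from typing import List, Optional, Set, Tuple

# Constructed `netstat -an` output from a Windows file server (sample, not a capture).
WINDOWS_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:445         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:49160       198.51.100.7:22        ESTABLISHED
  UDP    192.0.2.10:137         *:*
"""

# Constructed `netstat -an` output from a Linux server running Samba (sample, not a capture).
LINUX_NETSTAT = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.20:139          0.0.0.0:*               LISTEN
tcp        0      0 192.0.2.20:445          0.0.0.0:*               LISTEN
"""

WILDCARDS = {"0.0.0.0", "::", "[::]", "*"}


def smb_listeners(netstat_output: str, port: int = 139) -> List[str]:
    """Return every local address on which TCP `port` is in LISTEN state.

    Handles both layouts of `netstat -an`: Windows (no queue columns, state
    LISTENING) and Linux (Recv-Q/Send-Q columns, state LISTEN). In both, the
    local address is the third field from the end and the state is the last.
    """
    found = []
    for line in netstat_output.splitlines():
        parts = line.split()
        if len(parts) < 4 or not parts[0].lower().startswith("tcp"):
            continue
        if not parts[-1].upper().startswith("LISTEN"):
            continue
        addr, _, lport = parts[-3].rpartition(":")
        if lport.isdigit() and int(lport) == port:
            found.append(addr)
    return found


def destination_host(netstat_output: str, port: int = 139) -> Optional[str]:
    """Pick the value for the 'Destination Host' field of the forwarding rule.

    The SMB server usually binds one specific interface, so the forwarded
    connection must target that address; 127.0.0.1 only works when the
    server binds the wildcard address. Returns None if nothing listens.
    """
    listeners = smb_listeners(netstat_output, port)
    specific = [a for a in listeners if a not in WILDCARDS]
    if specific:
        return specific[0]
    return "127.0.0.1" if listeners else None


# Constructed Tunnelier-style log excerpt. The message text follows the
# article's quotes; the timestamp prefix is an assumption about the layout.
TUNNELIER_LOG = """\
12:01:03.120 Accepted client-to-server connection from 127.0.0.2:49211 to 192.0.2.10:139.
12:01:03.450 Accepted client-to-server connection from 127.0.0.2:49212 to 192.0.2.10:139.
12:01:20.007 Accepted client-to-server connection from 127.0.0.2:49213 to 192.0.2.10:3389.
12:05:17.002 Closing client-to-server forwarding channel from 127.0.0.2:49211 to 192.0.2.10:139.
"""

_ACCEPT = re.compile(r"Accepted client-to-server connection from (\S+) to (\S+):(\d+)")
_CLOSE = re.compile(r"Closing client-to-server forwarding channel from (\S+) to (\S+):(\d+)")


def open_smb_channels(log: str, port: int = 139) -> Set[Tuple[str, str]]:
    """Return (source, destination) pairs of port-`port` forwards that were
    accepted and not yet closed. A share connection with no matching
    'Accepted' line never went through the tunnel, which is the check the
    article describes."""
    channels: Set[Tuple[str, str]] = set()
    for line in log.splitlines():
        m = _ACCEPT.search(line)
        if m and int(m.group(3)) == port:
            channels.add((m.group(1), m.group(2)))
            continue
        m = _CLOSE.search(line)
        if m and int(m.group(3)) == port:
            channels.discard((m.group(1), m.group(2)))
    return channels


if __name__ == "__main__":
    print("Windows server, Destination Host:", destination_host(WINDOWS_NETSTAT))
    print("Linux/Samba server, Destination Host:", destination_host(LINUX_NETSTAT))
    print("SMB channels still open through the tunnel:", open_smb_channels(TUNNELIER_LOG))
```

Run it on a real `netstat -an` capture from the server and on the Tunnelier log area pasted into a file; an empty result from open_smb_channels while a share is mounted means the share is being reached directly rather than through port 139 on the listen interface.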