From: Charles Swiger
Date: Tue, 13 Sep 2005 18:40:39 -0400
To: Joachim Dagerot
Cc: freebsd-questions@freebsd.org
Subject: Re: Securing samba?
In-Reply-To: <200509132215.j8DMFDNV020344@amail1.space2u.com>

On Sep 13, 2005, at 6:15 PM, Joachim Dagerot wrote:
> However, due to some windows clients in the network we are forced
> to run samba. Are there any known security problems with that?

Windows networking does not have a great track record in terms of security, and Samba has had about a dozen security bugs over the past four years:

http://us1.samba.org/samba/history/security.html

This record is pretty decent considering the range of protocols they are dealing with, don't get me wrong, but I would not rely on the version of Samba available today being completely secure, either.

> Is there a way to tunnel the file traffic over SSH without any
> trouble for the users?

Not short of setting up a full VPN, no.

> (It's ok to install keys etc on their machine, but they must only
> be forced to login with the windows password).
>
> I guess my question are two:
>
> 1. Is samba safe enough to run on the LAN side of a machine that
> are available from the internet only on port 22 and only for users
> with a RSA key?

Samba is fine if restricted to a LAN with a firewall blocking the Windows ports like 135-139 TCP and UDP, 445, etc.

> 2. Is there a better file sharing system that works good for the
> windows users than samba?

Not really. You can set up PCNFS on the Windows boxes, but that doesn't work as well as Samba does...

--
-Chuck
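
A check for the LAN-only restriction described in the reply above, as an added example that is not part of the original message: it parses `sockstat -4l` output and reports listeners on ports 135-139 and 445 that are not bound to a LAN address. The sample output is constructed, and the 192.168.1.0/24 LAN, the addresses, and the function name are assumptions.

```python
import ipaddress

# Ports named in the reply: 135-139 (TCP and UDP) and 445.
WINDOWS_PORTS = set(range(135, 140)) | {445}

# Constructed sample of `sockstat -4l` output (not from the original message).
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     smbd       812   18 tcp4   *:445                 *:*
root     smbd       812   19 tcp4   192.168.1.10:139      *:*
root     nmbd       809   6  udp4   *:137                 *:*
root     nmbd       809   7  udp4   192.168.1.10:138      *:*
root     sshd       701   3  tcp4   *:22                  *:*
root     smbd       812   20 tcp4   203.0.113.5:445       *:*
"""


def risky_listeners(sockstat_text, lan_cidr):
    """Return (command, proto, local_address, reason) for each listener on a
    Windows networking port that is not bound to an address inside lan_cidr."""
    lan = ipaddress.ip_network(lan_cidr)
    findings = []
    for line in sockstat_text.splitlines():
        fields = line.split()
        # Skip the column header and anything that is not a full socket row.
        if len(fields) < 7 or fields[0] == "USER":
            continue
        command, proto, local = fields[1], fields[4], fields[5]
        host, _, port = local.rpartition(":")
        if not port.isdigit() or int(port) not in WINDOWS_PORTS:
            continue
        if host == "*":
            # Listening on every interface: exposure depends on the firewall alone.
            findings.append((command, proto, local, "wildcard bind; only the firewall protects it"))
        elif ipaddress.ip_address(host) not in lan:
            findings.append((command, proto, local, "bound outside the LAN"))
    return findings


if __name__ == "__main__":
    for finding in risky_listeners(SAMPLE_SOCKSTAT, "192.168.1.0/24"):
        print("%-5s %-5s %-20s %s" % finding)
```

A wildcard bind is not an exposure by itself when the firewall blocks these ports on the Internet-facing interface, but it means the firewall rule is the only control in place.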