Samba SSH Tunnel Howto

For Mandrake 2005LE and MS Windoze 98 and upwards
Last updated, July 2005
Herman Oosthuysen

General

Samba is a Linux version of a MS Windows Server. Many office systems use Linux or Macintosh systems in the back room, since it costs less and is more stable than the MS version. SSH is a secure remote access system commonly used to administer Linux systems.

VPN systems typically require you to have knowledge of the future and want you to specify all IP addresses of all users beforehand. Well, if you are travelling, you don't know what your IP address is going to be, so you need a system where only the server has a known address - SSH to the rescue.

SSH is unique in that it has powerful test and debug capabilities built right in - features that are usually sorely lacking in any regular VPN system. This guide describes various ways to tunnel Microsoft's SMB Networking over SSH, in order to create a simple and secure VPN, ideally suited to travellers.

I first tried this with PuTTY a few years ago and just could not get it to work at all and lost a whole lot of hair in the process. Recently, the PuTTY program was updated and now Samba tunnelling over SSH works like a charm.

This used to work between two Windows machines as well, but MS Windows XP SP2 has a nasty bug and while it allows port forwarding to be set up on the localhost interface, it won't allow external connections to localhost. MS has a patch for this problem, which doesn't work - duh. The workaround is to use the actual IP of the main interface. Keep reading - this is described down below. I have also found that the SSHWindows program works better than PuTTY, for this type of application.

The description in this howto, should allow you to connect to a Samba server, using almost any kind of Windows (or Linux!). The exact mechanics are a little different, depending on the version of Windows that you are using. The names of the files are the same, though they may be in different places on Drive C.

In general, on Windows 9x, the hosts and lmhosts files are in c:\windows, while in other kinds of Windows, they are in something like: c:\winnt\system32\drivers\etc.

Also see this guide: Samba Debug Howto.

Why SSH and not PPTP?

PPTP has some security issues, but it sure is convenient to use. So, if you think that convenience is more important than security, then go ahead and use PPTP with PoPToP. However, configuration of any kind of VPN is a chore, so you can just as well create one that is secure and the Secure Shell allows you to do other things too, not just tunnelling. All in all, ssh tunneling is a far more powerful solution than PPTP.

Configure Windows

Open the \windows\hosts file and add the line:

127.0.0.1 localhost

Open the \windows\lmhosts file and add the line:

127.0.0.1 sambaserver

For ease of logging into a Samba share, create a user account and password on the Windows machine exactly the same as the user account on the Samba server - then you don't have to type in the name and password again.

Note: You have to disable Windows File and Printer Sharing, since this service also uses port 139 and will get first dibs on this port at boot up. Disabling is not sufficient, you need to stop the server. To do that start cmd.exe / command.com and run "net stop server". That should work on all win versions >= 95. To get it back (after the samba ssh tunnel is closed) one can simply run "net start server" [Axel Nauman].

Download PuTTY

PuTTY is a special program used to repair Windows, to give it a Secure Shell...

You can download PuTTY from here:

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Note: There is a bug related to port forwarding Samba in the stable version.
Get the latest Development Snapshot zip file and unzip it in c:\putty.

Drag and drop a shortcut to putty.exe on the desktop. You'll wan't it to be handy later.

Create a RSA Keypair

Run puttygen.exe and generate a 4028 bit RSA keypair. Save both the private and public keys as rsa-winbox.pub and rsa-winbox.ppk. Also copy and paste the public key to a file called rsa-winbox.pub.txt.

Install the Public Key on the Samba Server

This is an awkward bootstrap problem that you have to get past. You have to generate a key on the Windows box and get it loaded on the server. You cannot use ssh from the Windows box to do that, since the key isn't installed yet...

Run ftp.exe and log into your Samba Server if you have ftp running on the server... Put the file rsa-winbox.pub.txt to the server.

Now, either go to the server - possibly with a friggen floppy disk with the key file, or run ssh from another machine and add rsa-winbox.pub.txt to the bottom of /home/joeuser/.ssh/authorized_keys.

There just isn't an easy way to do this...

Configure PuTTY

What we are doing here, is to create a tunnel from localhost port 139 on the Windows box to localhost port 139 on the Linux box. On both sides of the tunnel, localhost is 127.0.0.1, so don't get confused. The data is forwarded by ssh over port 22, through your firewall. So the only port that you need to have open for this to work, is port 22. See my firewall and ssh howto guides for details if you haven't got this going yet. Otherwise, nothing will work...

If the server is Windows XP SP2, don't use localhost, use the actual IP address of the server. To establish a tunnel from the command line of OpenSSH for Windows, or SSH on a Linux machine, type this:

c:\> ssh 11.22.33.44 -L 139:11.22.33.44:139

Run putty.exe, configure and save the default settings for ease of use.

Click Session and set the Host Name to your Samba Server IP address. If you have a dynamic IP, then this will change every once in a while. Mine stays the same for a few months at a time, so no great sweat.

Click Connection, SSH, Tunnels and set Port Forwarding to the following:

Tick Local Ports Accept Connections
Tick Remote Ports do the Same
Source: 139
Destination: localhost:139
Select the Local Radio Button

Click Session, set Save Session to Default Settings and click Save.

If you have trouble, try to change your Samba password to something that contains only Alphabetic characters. Special characters may cause problems.

Connect

To connect, simply click Open.

You should get a terminal with a login prompt and possibly some warning message about an unknown server - if it is the very first connection attempt. Click Accept or whatever will get you to continue. Now type your username and password to log into the Samba Server.

You should now have a Secure Shell on the distant server and you can use this shell for debugging. Type netstat -tn to display the connections. Then, on the local Windows box, run c:\windows\telnet localhost 139 - you should get a blank screen with no error messages. Then do netstat -tn on the server again. You will see that you now have a pair of connections through port 139. Close the telnet session and the port 139 connections will go away.

This shows that the tunnel works and that you can connect to the Samba Server on the other side of the wire.

Map a Network Drive

Now for the Holy Grail of tunneling - the purpose of this whole exercise was to get drive letter access to the Samba Server.

Lets assume that the Samba share that you want to connect to is called public. If you are not sure, have a looksee in file /etc/samba/smb.conf using the secure shell - less /etc/samba/smb.conf. On the Windows box, run the File Manager - My Computer - Windows Explorer - whatever the heck it is called today and type in the address box: \\sambaserver\public.

After a longish wait, you should see the files in the Samba share appear - Yahoo! You dunnit!!!

Now you can map a drive using tools, map network drive, select drive I: and enter \\sambaserver\public in the path specification. Clear the Reconnect at Login box, since it won't work until the tunnel is established.

Finally, go up one directory and make a shortcut on the desktop to the mapped drive I:.

Reconnecting

Whenever you want to reconnect, click the PuTTY shortcut and click Open, since the default settings are used, input your username and password, then click the drive icon and Ol'Bob's your Uncle...

So, once you have gone through the pain of configuration, using a ssh tunnel with Samba is as simple and convenient as any other VPN system.

Linux to Linux VPN using SSH and Samba

Similar to the above, you could also create a Linux to Linux VPN that will allow you to mount a distant Samba share on your local machine and browse and edit files transparently. This is much easier to set up than NFS and is the method I am using now, to edit and upload this file, so yes, it works!

First make a local mount point:

Open a terminal
$ cd ~
$ mkdir sambadir

Forward local port 139 to the Samba server local port 139:

$ su -
password
# ssh sambaserverIP -L 139:127.0.0.1:139

Leave this terminal open. If you close it, the SSH connection will close down. You can append an Ampersand to the end the above command to run ssh in the background, but leaving it in a terminal, makes it easier to experiment as you can see the connection error messages.

Open another terminal:

$ smbmount //netbiosname/share sambadir -o \
username=user%password,fmask=0777, \
dmask=0777,ip=127.0.0.1

All of that is one command, the backslashes break it up over multiple lines.

If you have trouble, try to change your Samba password to something that contains only Alphabetic characters, otherwise Bash quoting may be required.

Now list the mounted directory:

$ ls sambadir

You should get a listing of the distant share - Woohoo!!!

You can now use your graphical interface, eg. konqueror to list the distant share, but it may be sluggish, even with an ADSL connection, since the upload speed is much slower than the download speed. The limiting factor is the distant machine's upload speed.

You can use telnet to troubleshoot the connection. If you type:

$ telnet localhost 139

and cannot establish a connection to the samba server, then the port forwarding is not working. If you can connect and it still doesn't work, then the port forwarding is working and something else is wrong with your smbmount command syntax.

Konqueror

Nowadays, with the KDE desktop and Konqueror, there are even easier methods to connect from a Linux machine to a samba server. Open Konqueror and type "smb://host.domain.tld/pathname" - La Voila!.

If the other machine is not a samba server but has SSH daemon running, use "fish://host.domain.tld/pathname". The same thing works with FTP as well.

You can split the screen into two windows and drag and drop from a fish connection to one machine to a ftp connection on another, or double click a file to open it.

It is just getting easier all the time...

OpenSSH for Windows

You can get OpenSSH for Windows from www.sourceforge.net. This program is more powerful than Putty, and provides both a SSH daemon and a SSH client. It is SSH ported to a subset of Cygwin and works perfectly. Using this package, you can easily establish a VPN between Windows machines. This is an excellent solution for road warriors since the only IP address that you need to know, is that of the server (or firewall) and Windows networking can then tunnel securely over SSH.

The important thing to remember is the Windows XP SP2 bug - you cannot connect remotely to localhost. If you try to do that, you will get a 'Connection Refused' message. Set up the SSH server according to the Readme file. It is simple and works readily - you just need to tell SSH the groups and usernames - that is all.

Gotcha: In order to use SSH, the user MUST have a Windows password.

Use the Network Wizard to enable Windows File sharing on the directory that you wish to access remotely, then start SSH:

c:\> net start opensshd

Test it from another machine. If you don't feel like walking around, then you can SSH out to a Linux machine and then SSH from there back to the Windows box to do a round trip test.

On the client machine, set up a tunnel to the server and then browse the shared directory. First, you have to stop the sharing server on the client, to free up port 139 and allow you to connect to the distant sharing server instead:

c:\> net stop server
c:\> ssh 11.22.33.44 -L 139:11.22.33.44:139

Port 139 on the server, is now hooked to port 139 on the client. With Windows Explorer, browse the server, through your home address:

\\127.0.0.1\

This works because this is an outgoing connection on localhost, while on the server side it is an incoming connection on 11.22.33.44. Note that even though this is an outgoing connection, you cannot use \\localhost, it won't work - we are not to reason why.

I use a batch file on the Windows XP desktop to open the tunnel with a simple double click. Make a text file called tunnel.bat, using Notepad:

rem Establish a secure tunnel
cd "c:\program files\openssh\bin"
net stop server
ssh herman@11.22.33.44 -L 139:11.22.33.44:139 -p 2222

The "herman@" selects my username on the server and the "-p 2222" is for my installation of the SSH daemon which runs on a non-standard port, to throw 5cr1pt k1dd135 with silly exhaustive search scripts off...

What if you don't want to stop the local sharing server on the client, since you may be sharing a printer with someone else? I don't think this can work with SP2 - sorry! The only solution would be to not use port forwarding at all, but rather copy files using WinScp, a nice GUI SFTP client.

Forwarding Everything Else

Once you have file sharing working, you may want to forward more ports and have a real VPN going with mail and whatever all forwarded to your local machine. Instead, of specifying a bunch of -L options on the command line, you could set up a config file in your .ssh directory.

If you are running OpenSSH on the client, for example Cygwin on Windows, then you can try this, to have all useful ports forwarded to your localhost:

# smb
LocalForward 139 smb.wherever.com:139

# nntp
LocalForward 119 news.wherever.com:119

# readnews
LocalForward 532 news.wherever.com:532

# imap
LocalForward 143 mail.wherever.com:143

# pop3
LocalForward 110 mail.wherever.com:110

# smtp
LocalForward 25 mail.wherever.com:25

Gotchas

The Windows users MUST have passwords, else SSH won't work.

Windows XP SP2 doesn't allow incoming connections on localhost.

To use Netbios server names, Netbios over TCP must be enabled - Advanced TCP/IP settings, WINS, Enable Netbios over TCP/IP.

The Workgroup of all machines must be the same - Control Panel, System, Computer Name, Workgroup. On Linux, it is in /etc/samba/smb.conf.

If your SMB server is behind a firewall/router, then you need to forward the SSH port on the firewall to the server. The default is port 22, but it is better to select a non-standard port, eg. 2222, to throw automated attack scripts off.

If your server is on DHCP, then you have to use a tracking service such as DynDNS, or periodically mail the address to a webmail account where you can go and look it up.