[Bug 1886551] Re: wireshark trace decryption

Andreas Hasenack 1886551 at bugs.launchpad.net
Thu Sep 10 20:45:04 UTC 2020


** Description changed:

  [Impact]
  
  For Bionic release, current cifs-utils package version is 6.8-1. This
  version is missing below two commits
  
  https://git.samba.org/?p=cifs-utils.git;a=commit;h=74a1ced5f706ea6a9cab885693c7755657b81a2a
  https://git.samba.org/?p=cifs-utils.git;a=commit;h=6df98da5cd3fbb33f6f535c6784f037bbadadb84
  
- 
-  * Without above feature, we won’t be able to analyze most part of network traces on a client side in case customers have problems accessing Azure Files service from VMs running Ubuntu Bionic.
+  * Without above feature, we won’t be able to analyze most part of
+ network traces on a client side in case customers have problems
+ accessing Azure Files service from VMs running Ubuntu Bionic.
  
  [Test Case]
- Setup a windows vm to share a directory and an ubuntu host with cifs-utils installed.
+ * Setup an ubuntu bionic vm
  
- # mount -v -t cifs //<widnows-IP>/<windows-share>/ /path/to/mount -o
- username=<username>,password=<password>,domain=<domain>,seal,vers=3.0
+ * Install the packages:
+ sudo apt update
+ sudo apt install samba cifs-utils -y
  
- Once the share is mounted successfully, we can manually test the various commands available in smbinfo utility.
- The syntax is :
- # smbinfo <command> <file>
+ * With the new cifs-utils package, you should have the smbinfo command available:
+ ubuntu at bionic-smbinfo:~$ smbinfo 
+ Usage: smbinfo [-v] [-V] <command> <file>
+ Try 'smbinfo -h' for more information.
  
- For the available smbinfo commands :
- # smbinfo -h
+ * To test the extraction of encryption keys, the HWE kernel (or another kernel version 5 or higher) must be installed:
+ sudo apt install linux-image-generic-hwe-18.04
  
- For example :
+ * Reboot into the new kernel
+ sudo reboot
  
- # smbinfo keys joalif.txt
- SMB3.0 CCM encryption
- Session Id:   69 00 00 1c 00 18 00 00
- Session Key:  d7 a5 b3 11 06 a0 3b 94 6a 52 3a 01 98 73 6b d3
- Server Encryption Key:  9d eb 4c 89 28 62 39 66 a9 e0 0d 57 b9 33 30 40
- Server Decryption Key:  e6 9a a9 46 c1 a4 7b 6c 3d 2b 18 54 b4 93 a2 42
+ * Setup a share:
+ echo -e "[myshare]\npath=/myshare\n" | sudo tee -a /etc/samba/smb.conf
+ sudo mkdir /myshare
+ echo "Hello World" | sudo tee /myshare/hello.txt
  
+ * Create a samba user ubuntu, with a password of your choice (you will be prompted for it):
+ sudo smbpasswd -a ubuntu
+ 
+ * Mount the new share with encryption options:
+ ubuntu at bionic-smbinfo:~$ sudo mount //localhost/myshare /mnt -o seal,user=ubuntu
+ Password for ubuntu@//localhost/myshare:  ******
+ 
+ * Confirm with smbstatus that the connection is encrypted:
+ ubuntu at bionic-smbinfo:~$ sudo smbstatus
+ 
+ Samba version 4.7.6-Ubuntu
+ PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing              
+ ----------------------------------------------------------------------------------------------------------------------------------------
+ 4516    ubuntu       ubuntu       127.0.0.1 (ipv4:127.0.0.1:45794)          SMB3_11           partial(AES-128-CCM) partial(AES-128-CMAC)
+ 
+ Service      pid     Machine       Connected at                     Encryption   Signing     
+ ---------------------------------------------------------------------------------------------
+ IPC$         4516    127.0.0.1     Thu Sep 10 20:41:14 2020 UTC     AES-128-CCM  AES-128-CMAC
+ myshare      4516    127.0.0.1     Thu Sep 10 20:41:14 2020 UTC     AES-128-CCM  AES-128-CMAC
+ 
+ No locked files
+ 
+ 
+ * Obtain the encryption keys:
+ ubuntu at bionic-smbinfo:~$ sudo smbinfo keys /mnt/hello.txt 
+ CCM encryption
+ Session Id:   b6 4c 21 8f 00 00 00 00
+ Session Key:  42 26 cf 6d d1 55 c7 80 b4 27 10 c2 a8 d2 26 31
+ Server Encryption Key:  c9 37 6c 10 14 0e 1f f6 ea c7 5e d7 e0 76 79 a7
+ Server Decryption Key:  97 4e 2e 99 ec 27 66 a4 95 b5 a4 f9 8c 17 c7 ee
+ 
+ * There are many other subcommands available in smbinfo. For a list, run:
+ smbinfo -h
  
  [Regression Potential]
  
  These patches cherry pick and touch 2 files : smbinfo.c and smbinfo.rst.
  They add the smbinfo utility which is required for the 2 commits mentioned in the <Impact> section. Since smbinfo does not interact with the rest of the code any regression potential would involve smbinfo itself.
  
  [Other]
  
  The smbinfo utility to work properly requires kernel >5.0  and the
  'keys' command which is the one used for dumping session id, encryption
  and decryption keys requires kernel > 5.4.
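Review bot: The added step "To test the extraction of encryption keys, the HWE kernel (or another kernel version 5 or higher) must be installed" does not match the unchanged [Other] section, which says the 'keys' command requires kernel > 5.4. A tester on a kernel between 5.0 and 5.4 would satisfy the step as written and, according to [Other], still not be able to run "smbinfo keys". Suggest giving the step the same bound as [Other] and adding a "uname -r" check after the reboot so the test result records which kernel was used.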

https://bugs.launchpad.net/bugs/1886551

Title:
   wireshark trace decryption

Status in cifs-utils package in Ubuntu:
  Fix Released
Status in cifs-utils source package in Bionic:
  Confirmed
Status in cifs-utils source package in Focal:
  Confirmed

Bug description:
  [Impact]

  For the Bionic release, the current cifs-utils package version is 6.8-1.
  This version is missing the two commits below:

  https://git.samba.org/?p=cifs-utils.git;a=commit;h=74a1ced5f706ea6a9cab885693c7755657b81a2a
  https://git.samba.org/?p=cifs-utils.git;a=commit;h=6df98da5cd3fbb33f6f535c6784f037bbadadb84

   * Without the above feature, we won’t be able to analyze most of the
  network traces on the client side in case customers have problems
  accessing the Azure Files service from VMs running Ubuntu Bionic.

  [Test Case]
  * Set up an Ubuntu Bionic VM

  * Install the packages:
  sudo apt update
  sudo apt install samba cifs-utils -y

  * With the new cifs-utils package, you should have the smbinfo command available:
  ubuntu@bionic-smbinfo:~$ smbinfo
  Usage: smbinfo [-v] [-V] <command> <file>
  Try 'smbinfo -h' for more information.

  * To test the extraction of encryption keys, the HWE kernel (or another kernel version 5 or higher) must be installed:
  sudo apt install linux-image-generic-hwe-18.04

  * Reboot into the new kernel
  sudo reboot

  * Set up a share:
  echo -e "[myshare]\npath=/myshare\n" | sudo tee -a /etc/samba/smb.conf
  sudo mkdir /myshare
  echo "Hello World" | sudo tee /myshare/hello.txt

  * Create a Samba user ubuntu, with a password of your choice (you will be prompted for it):
  sudo smbpasswd -a ubuntu

  * Mount the new share with encryption options:
  ubuntu@bionic-smbinfo:~$ sudo mount //localhost/myshare /mnt -o seal,user=ubuntu
  Password for ubuntu@//localhost/myshare:  ******

  * Confirm with smbstatus that the connection is encrypted:
  ubuntu@bionic-smbinfo:~$ sudo smbstatus

  Samba version 4.7.6-Ubuntu
  PID     Username     Group        Machine                                   Protocol Version  Encryption           Signing              
  ----------------------------------------------------------------------------------------------------------------------------------------
  4516    ubuntu       ubuntu       127.0.0.1 (ipv4:127.0.0.1:45794)          SMB3_11           partial(AES-128-CCM) partial(AES-128-CMAC)

  Service      pid     Machine       Connected at                     Encryption   Signing     
  ---------------------------------------------------------------------------------------------
  IPC$         4516    127.0.0.1     Thu Sep 10 20:41:14 2020 UTC     AES-128-CCM  AES-128-CMAC
  myshare      4516    127.0.0.1     Thu Sep 10 20:41:14 2020 UTC     AES-128-CCM  AES-128-CMAC

  No locked files

  
  * Obtain the encryption keys:
  ubuntu@bionic-smbinfo:~$ sudo smbinfo keys /mnt/hello.txt
  CCM encryption
  Session Id:   b6 4c 21 8f 00 00 00 00
  Session Key:  42 26 cf 6d d1 55 c7 80 b4 27 10 c2 a8 d2 26 31
  Server Encryption Key:  c9 37 6c 10 14 0e 1f f6 ea c7 5e d7 e0 76 79 a7
  Server Decryption Key:  97 4e 2e 99 ec 27 66 a4 95 b5 a4 f9 8c 17 c7 ee

  * There are many other subcommands available in smbinfo. For a list, run:
  smbinfo -h

  [Regression Potential]

  These patches are cherry-picks and touch 2 files: smbinfo.c and smbinfo.rst.
  They add the smbinfo utility, which is required for the 2 commits mentioned in the <Impact> section. Since smbinfo does not interact with the rest of the code, any regression potential would involve smbinfo itself.

  [Other]

  To work properly, the smbinfo utility requires kernel > 5.0, and the
  'keys' command, which is the one used for dumping the session id and the
  encryption and decryption keys, requires kernel > 5.4.
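
Added example, not part of the bug report or of cifs-utils: a small Python parser for the `smbinfo keys` output shown in the test case, which checks the field lengths seen there and produces a summary with key fingerprints instead of key bytes, so a capture's keys can be referenced in a ticket without disclosing material that decrypts the trace. The function names and the 8/16-byte length table are assumptions taken from the sample output.

```python
import hashlib

# Output of `smbinfo keys` copied from the test case in this bug (throwaway test VM).
SAMPLE = """\
CCM encryption
Session Id:   b6 4c 21 8f 00 00 00 00
Session Key:  42 26 cf 6d d1 55 c7 80 b4 27 10 c2 a8 d2 26 31
Server Encryption Key:  c9 37 6c 10 14 0e 1f f6 ea c7 5e d7 e0 76 79 a7
Server Decryption Key:  97 4e 2e 99 ec 27 66 a4 95 b5 a4 f9 8c 17 c7 ee
"""

# Byte lengths seen in the sample (AES-128 session); an assumption of this example.
EXPECTED_LEN = {"Session Id": 8, "Session Key": 16,
                "Server Encryption Key": 16, "Server Decryption Key": 16}


def parse_smbinfo_keys(text):
    """Parse `smbinfo keys` output into {'cipher': str, <label>: bytes}."""
    out = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        label, sep, rest = line.partition(":")
        if sep and label in EXPECTED_LEN:
            value = bytes.fromhex(rest)  # raises ValueError on non-hex input
            if len(value) != EXPECTED_LEN[label]:
                raise ValueError(f"{label}: got {len(value)} bytes")
            out[label] = value
        elif line.endswith("encryption"):
            # Header is "CCM encryption" or "SMB3.0 CCM encryption" (both appear in this bug).
            out["cipher"] = line[: -len("encryption")].strip()
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    missing = [k for k in EXPECTED_LEN if k not in out]
    if missing:
        raise ValueError(f"missing fields: {missing}")
    return out


def redacted(parsed):
    """Summary safe to paste into a ticket: session id plus key fingerprints only."""
    lines = [f"cipher={parsed.get('cipher', '?')}",
             f"session_id={parsed['Session Id'].hex()}"]
    for label in ("Session Key", "Server Encryption Key", "Server Decryption Key"):
        digest = hashlib.sha256(parsed[label]).hexdigest()[:12]
        lines.append(f"{label}: sha256:{digest}")
    return "\n".join(lines)
```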
