Leedberg.com

The online home for Greg Leedberg, since 1995.

Wednesday, March 02, 2005

Secure Windows File Sharing over the internet?

Picture this: You have two computers, a desktop and a laptop. You have a firewall/router in your house. Your desktop (your primary computer) shares out your documents folder using Windows file sharing, so that when you are on your laptop, your desktop appears as a drive and you can easily access those files. Of course, access to the files on your desktop require a user name and password so that not just anybody can access them. Smartly, you use the same logon username and password across your computers, so that file access authentication is transparent on your laptop.

Now, let's say you are a college student, and you take your laptop with you to campus. Now, suddenly, since you are outside of your home firewall, you cannot get access to your files. But, it sure would be convenient if you had access to all of your files all the time.

One solution: Disable the firewall (or, open up port 139, the Windows file sharing port) so that you can get access from anywhere. Your files are password-protected so it doesn't seem so bad. However, passwords and usernames are rather easy to break. And, an open port 139 is a prime target for attacks, since it is so well known. This might be a safe solution, but you are running a big risk. Other solutions, such as running an FTP server, run the same risks.

This is the dilemma I was in recently. Opening up a firewall defeats the purpose of having one, but I really need access to my files from afar. Pretty much, what I wanted was to have the firewall be minimally open (one port maybe?), and have that single point of entry be extremely, extremely secure. As in, no authentication using passwords. What I wanted was authentication using public keys. So, I would have a public/private keypair on the desktop, and would need to have the public key on the laptop (plus a passphrase) in order to get through the firewall. At first this may seem no better than a password, but a public key nowadays can be large in size -- 2048 bits is not uncommon. And if we assume someone could try around 50 different keys per second (a very high-end estimate), it would take them up to 4 x 10^607 years to try all combinations. That's "4" with 607 zero's after it. Years. And even in the average case, it would take 2 x 10^607, which is hardly any better. And keys have no order to them, so there is no way to "guess" and cut down that amount of time. This is the sort of set up I wanted.

After much research, I decided on running an SSH server on the desktop, opening up a single port for it, using public key authentication only, and then using SSH tunnelling on the laptop. What this means is that I would log in to my desktop from my laptop using an SSH client (and using a 2048-but public key as authentication), and then certain network programs on my laptop would tunnel their traffic through that secure connection to the desktop. Basically, once I'm connected through SSH, my laptop is effectively inside the firewalled network, through the secure tunnel.

Now, here's the point of this post. I looked online a lot, but had a lot of trouble getting this setup working, so I figured I would post my method here for others to use. I'm running Windows XP on both computers, and desired to use SSH Secure Shell Client as my SSH client on the laptop. Let me also say that I can't make any warranty on these instructions... for all you know, I could be telling you how to format your hard drive. These steps certainly work for me, but I can't say whether they'll work (or cause damage!) for you. With that said, here we go:

1. First, you'll quickly discover there aren't many/any free SSH servers available for Windows. My solution -- use the popular OpenSSH server which is available for Linux. It's possible to do this by using Cygwin, which provies a Unix-like environment under Windows, and allows you to run quite a bit of Linux software. Get Cygwin here. When you are installing, OpenSSH is not installed by default, so you have to make sure to install it. Click the "+" next to the "Net" category, and then find OpenSSH in the list, and click on the "Skip" label until it says "Install".

2. In order to really get Cygwin running, it should also be in your path. I'm not 100% sure if this is needed to run OpenSSH, but it helps. Right-click on "My Computer", and click Properties. Then, click on the "Advanced" tab, and click on the "Environment Variables" button. On this screen, look in the "System Variables" section, and select "Path", and click "Edit". At the end of this text box, add "C:\cygwin\bin;" (c:\cygwin is the directory you installed Cygwin to. If you picked a different directory, type that). Now click Okay on all of these windows.

3. Now you have to configure OpenSSH. Open up a Cygwin bash shell, and type "ssh-host-config". This will let you set up various aspects of OpenSSH. Make sure you install it as a service.

4. Now, make sure that there's a hole in your firewall for port 22. If you don't know how to do this, consult your router's manual about forwarding a port. You'll want to forward port 22 to your desktop.

5. Now we need to set up the laptop. We're going to use SSH Secure Shell Client because it is a relatively good SSH client package. Go here to download the client software, and install it on the computer you want to use to connect to your desktop.

6. Now, at this point you should be able to SSH in to your desktop. Try starting up the SSH Client, and typing in the IP address of your router. Use your Windows login name and password, and you should be a command prompt (the Cygwin bash shell, no less). If not, something has gone awry in the previous steps. Otherwise, type "logout" to logout of your machine.

7. Now we have to actually generate a keypair for you to use. It would make sense to generate these on the desktop using OpenSSH and then copy them to the laptop, but OpenSSH's keys and Secure Shell's keys are in different formats! Secure Shell is not capable of reading OpenSSH's, but, luckily, OpenSSH can read those generated by Secure Shell. So, in SSH Secure Shell on the laptop, go to Edit, Settings, and under the Global Settings, User Authentication, Keys section, click the "Generate New" button. This will generate a public/private keypair, and automatically import them into Secure Shell. Make sure to use a passprase you will remember.

8. Now we need to copy the public key to the server. Look in the directory C:\Documents and Settings\[Your user name]\Application Data\SSH\UserKeys. Copy the .pub file to your server somehow (using a flash drive, or something similar).

9. On the desktop (server), copy this file to your Cygwin home directory. This will likely be c:\Cygwin\home\[Your user name]

10. Open up a Cygwin bash shell. Type "ls" (list files), and you should see the .pub file you just copied.

11. Create a .ssh directory, by typing "mkdir .ssh".

12. Covert your Secure Shell key into a OpenSSH key by typing "ssh-keygen -i [keyfilename].pub > .ssh/authorized_keys

13. Now that that is done, we need to tell OpenSSH to only accept public key authentication -- no passwords accepted here! To do this, type "chmod go+w /etc/sshd_config". Now, using Notepad (or some other pure text editor), open up the file C:\cygwin\etc\sshd_config.

14. Look for a line that says "# Password Authentication no", and remove the leading # and space, so it just says "Password Authentication no". Now, save this file. Back in the Cygwin window, type "chmod go-w /etc/sshd_config". You can type "logout" to close the Cygwin window.

15. Now, try logging in again from the laptop (or other client). It should use the keypair, and ask for your passphrase. Logout if successful, and review the above steps if not.

16. So now we have secure access to the desktop through SSH, but how do we get file sharing to work? This is the tricky part. First, we have to uninstall File and Print Sharing from the laptop (how intuitive!). Go to Control Panel, Network and Internet Connections, Network Connections, and right-click on the connection you use (probably a wireless card or "Local Area Connection"). Click on "properties". Now on this screen, select "File and Print Sharing", and click the "Uninstall" button. Don't reboot yet.

17. From this same screen, click on "TCP/IP", and then "Properties". Click on the "Advanced" button, and then the "WINS" tab, and make sure that "Enable NetBIOS over TCP/IP" is selected at the bottom of this screen. Now, "OK" out of all of these windows. and reboot. Note that this means that you can't share files from the laptop any more (but you can still access them from other computers).

18. Now, we finally set up the tunelling. Open up SSH Secure Shell. Click on Edit, Settings. Under Profile Settings, go to Tunelling window. Click "Add". For Display Name, enter "SMB", for listen port, enter "139", for destination, enter the LOCAL IP ADDRESS of your desktop (probably something starting with 192.168. You can find this out by typing "ipconfig" at a command line on the desktop). For Destination Port, enter "139". Click OK.

19. Now, connect to your desktop using SSH Secure Shell. Go to Start, Run. Type in "127.0.0.1\[your windows login name]". If all went well, you should see your shared files now. You can use that same address to map a drive letter, but don't have it reconnect at logon, because you always have to SSH to your desktop before you can access the files in this way.

I hope this helps someone out there!