VanDyke Software

Private Access to an SSH-Secured SMB Share

Follow these steps to set up a secure tunnel to an SMB share so that the share can be accessed only from the computer running the tunnel.

  1. Configure the local network interface so that NetBIOS over TCP/IP is enabled. If you have to change this setting from Disable to Enable, a reboot is required for the change to take effect. If you have modified this value recently and have not rebooted, a reboot would be a good idea.
    1. From the Control Panel, select Network and Dial-up Connections (on Windows 2000) or Network Connections (on Windows XP); right-click on Local Area Connection and choose Properties.
    2. Select Internet Protocol (TCP/IP) and click on the Properties button.
    3. Click on the Advanced button and navigate to the WINS tab.
    4. Select Enable NetBIOS over TCP/IP. If this option is not already selected, close all dialogs using the OK button and reboot the machine. If this option is already selected, you may want to reboot anyway.
  2. If your environment does not require you to leave File and Printer Sharing installed, remove the File and Printer Sharing components for Microsoft Networks:
    1. From the Control Panel, select Network and Dial-up Connections (on Windows 2000) or Network Connections (on Windows XP); right-click on Local Area Connection and choose Properties.
    2. Select the File and Printer Sharing for Microsoft Networks and click on the Uninstall button. When prompted with Are you sure...?, click on the Yes button, and close the Local Area Connection Properties dialog.
  3. If your environment requires you to leave File and Printer Sharing installed, disable Direct Hosting (the service on port 445):
    1. Start the registry editor.
    2. Locate and then click on the following registry key:

        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NetBT\Parameters

    3. Add the following registry value:

        Value Name: SmbDeviceEnabled
        Type: REG_DWORD
        Value Data: 0

    4. Reboot the machine.
  4. Create a session in SecureCRT that will connect to the remote SSH server and will forward from 127.0.0.1, port 139 to the remote SMB server.
    1. Fill in the hostname/IP address and port of the SSH server to which you will be connecting.
    2. Navigate to the Port Forwarding category.
    3. Enter a name for the port forward entry (for example, SMB).
    4. In the Local section, check the Manually select local IP Address on which to allow connections option and specify this address as 127.0.0.1 (this could also be something like 127.0.0.2 or 127.0.0.3, etc.).
    5. In the Remote section, check the Destination host is different from the SSH server option and enter the hostname or IP address of the SMB server relative to the SSH server. For example, if the SMB shares exist on the same machine as the SSH server, enter the name of this machine.

      NOTE:
      The IP address or name entered here cannot be localhost or 127.0.0.1 (or any other 127.x.x.x) because the SMB service does not accept connections on the loopback interface.
  5. Before exiting SecureCRT, navigate to the Global Options dialog (in the Options / Advanced category).
  6. Select the Configuration folder path entry and copy it to the clipboard.
  7. Exit SecureCRT and browse to the Configuration folder (the path should already be on the clipboard).
  8. Edit the newly created session's .ini file to allow requests from all addresses. This does not seem secure at first, but as long as this session has only one port forward entry (create another session to forward any other traffic, such as IMAP), the forward will be accessible only to the local machine, since no other machine can reach the 127.0.0.1 loopback address where SecureCRT is listening.

    Remember, SecureCRT must not be running in order to successfully edit the session's .ini file. The line in the session's .ini file should be changed to:

      S:"Port Forward Filter"=allow,0.0.0.0/0.0.0.0,0

    This step is necessary because Windows seems to always set the external IP address of the machine as the source address when making the connection.

  9. Save the .ini file and exit the editor.
  10. Start SecureCRT and connect to the SMB-forwarding session.
  11. Once connected with SecureCRT, start Windows Explorer and in the address bar, type:

      \\127.0.0.1

    and press ENTER to browse the shares available on the remote SMB server. Or, you can use Tools / Map Network Drive and specify the following path:

      \\127.0.0.1\SHARE_NAME
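
Because the filter in step 8 allows every source address, the loopback binding chosen in step 4 is the only thing restricting who can use the tunnel. The following added example (not VanDyke code) parses `netstat -an` output to confirm that port 139 is listening on a 127.x.x.x address only and that port 445 from step 3 is closed; the sample output is constructed and the function names are hypothetical.

```python
import ipaddress

# Constructed `netstat -an` excerpts (not captured from a real host).
GOOD = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:139          0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1045        192.0.2.50:22          ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""
BAD = """\
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         0.0.0.0:0              LISTENING
"""

def listeners(netstat_text):
    """Yield (ip, port) for every TCP row in LISTENING state."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) >= 4 and f[0] == "TCP" and f[3] == "LISTENING":
            host, _, port = f[1].rpartition(":")
            host = host.strip("[]").split("%")[0]   # IPv6 brackets / scope id
            yield ipaddress.ip_address(host), int(port)

def audit(netstat_text, fwd_port=139):
    """Return findings; an empty list means loopback-only on fwd_port, 445 closed."""
    rows = list(listeners(netstat_text))
    bound = [ip for ip, port in rows if port == fwd_port]
    findings = []
    if not any(ip.is_loopback for ip in bound):
        findings.append("no-loopback-listener")      # forward not up on 127.x.x.x
    for ip in bound:
        if ip.is_unspecified:
            findings.append("wildcard-listener")      # bound on all interfaces
        elif not ip.is_loopback:
            findings.append(f"non-loopback:{ip}")     # confirm the owning process
    if any(port == 445 for _, port in rows):
        findings.append("port-445-listening")         # Direct Hosting still enabled
    return findings

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(text) or "ok")
```

Run it against the output of `netstat -an` taken while the SMB-forwarding session is connected.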
