** Description changed: [Impact] For Bionic release, current cifs-utils package version is 6.8-1. This version is missing below two commits https://git.samba.org/?p=cifs-utils.git;a=commit;h=74a1ced5f706ea6a9cab885693c7755657b81a2a https://git.samba.org/?p=cifs-utils.git;a=commit;h=6df98da5cd3fbb33f6f535c6784f037bbadadb84 - - * Without above feature, we won’t be able to analyze most part of network traces on a client side in case customers have problems accessing Azure Files service from VMs running Ubuntu Bionic. + * Without above feature, we won’t be able to analyze most part of + network traces on a client side in case customers have problems + accessing Azure Files service from VMs running Ubuntu Bionic. [Test Case] - Setup a windows vm to share a directory and an ubuntu host with cifs-utils installed. + * Setup an ubuntu bionic vm - # mount -v -t cifs //<widnows-IP>/<windows-share>/ /path/to/mount -o - username=<username>,password=<password>,domain=<domain>,seal,vers=3.0 + * Install the packages: + sudo apt update + sudo apt install samba cifs-utils -y - Once the share is mounted successfully, we can manually test the various commands available in smbinfo utility. - The syntax is : - # smbinfo <command> <file> + * With the new cifs-utils package, you should have the smbinfo command available: + ubuntu@bionic-smbinfo:~$ smbinfo + Usage: smbinfo [-v] [-V] <command> <file> + Try 'smbinfo -h' for more information. - For the available smbinfo commands : - # smbinfo -h + * To test the extraction of encryption keys, the HWE kernel (or another kernel version 5 or higher) must be installed: + sudo apt install linux-image-generic-hwe-18.04 - For example : + * Reboot into the new kernel + sudo reboot - # smbinfo keys joalif.txt - SMB3.0 CCM encryption - Session Id: 69 00 00 1c 00 18 00 00 - Session Key: d7 a5 b3 11 06 a0 3b 94 6a 52 3a 01 98 73 6b d3 - Server Encryption Key: 9d eb 4c 89 28 62 39 66 a9 e0 0d 57 b9 33 30 40 - Server Decryption Key: e6 9a a9 46 c1 a4 7b 6c 3d 2b 18 54 b4 93 a2 42 + * Setup a share: + echo -e "[myshare]\npath=/myshare\n" | sudo tee -a /etc/samba/smb.conf + sudo mkdir /myshare + echo "Hello World" | sudo tee /myshare/hello.txt + * Create a samba user ubuntu, with a password of your choice (you will be prompted for it): + sudo smbpasswd -a ubuntu + + * Mount the new share with encryption options: + ubuntu@bionic-smbinfo:~$ sudo mount //localhost/myshare /mnt -o seal,user=ubuntu + Password for ubuntu@//localhost/myshare: ****** + + * Confirm with smbstatus that the connection is encrypted: + ubuntu@bionic-smbinfo:~$ sudo smbstatus + + Samba version 4.7.6-Ubuntu + PID Username Group Machine Protocol Version Encryption Signing + ---------------------------------------------------------------------------------------------------------------------------------------- + 4516 ubuntu ubuntu 127.0.0.1 (ipv4:127.0.0.1:45794) SMB3_11 partial(AES-128-CCM) partial(AES-128-CMAC) + + Service pid Machine Connected at Encryption Signing + --------------------------------------------------------------------------------------------- + IPC$ 4516 127.0.0.1 Thu Sep 10 20:41:14 2020 UTC AES-128-CCM AES-128-CMAC + myshare 4516 127.0.0.1 Thu Sep 10 20:41:14 2020 UTC AES-128-CCM AES-128-CMAC + + No locked files + + + * Obtain the encryption keys: + ubuntu@bionic-smbinfo:~$ sudo smbinfo keys /mnt/hello.txt + CCM encryption + Session Id: b6 4c 21 8f 00 00 00 00 + Session Key: 42 26 cf 6d d1 55 c7 80 b4 27 10 c2 a8 d2 26 31 + Server Encryption Key: c9 37 6c 10 14 0e 1f f6 ea c7 5e d7 e0 76 79 a7 + Server Decryption Key: 97 4e 2e 99 ec 27 66 a4 95 b5 a4 f9 8c 17 c7 ee + + * There are many other subcommands available in smbinfo. For a list, run: + smbinfo -h [Regression Potential] These patches cherry pick and touch 2 files : smbinfo.c and smbinfo.rst. They add the smbinfo utility which is required for the 2 commits mentioned in the <Impact> section. Since smbinfo does not interact with the rest of the code any regression potential would involve smbinfo itself. [Other] The smbinfo utility to work properly requires kernel >5.0 and the 'keys' command which is the one used for dumping session id, encryption and decryption keys requires kernel > 5.4.
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/1886551 Title: wireshark trace decryption To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/cifs-utils/+bug/1886551/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
