Access Samba share from Windows, log in with RSA key

3

I've got Samba set up to allow for the viewing of home directories of logged-in users. Now I've got this user, called git, which does not have a password. The only way to get access to him is by RSA key. Is it possible to configure both Samba and Windows (10) to use this key for authentication?

Daniël van den Berg

Posted 2016-01-14T07:31:49.973

Reputation: 407

Answers

2

No, it isn't. You're accessing the account via SSH, but the Windows file sharing doesn't use SSH and cannot use your keypair the same way.

In other words you're basically limited to SSH here. For Git itself, that's not a problem – Windows-Git supports SSH normally. If you need to edit some files manually or to make backups, use SFTP (e.g. via WinSCP, psftp, or FileZilla).

user1686

Posted 2016-01-14T07:31:49.973

Reputation: 283 655

0

It is possible; however, it may not be what you expect.

Windows shares authenticate using AES/DEC ciphers. AES and DEC are synchronous encryption algorithms; the same key is used to lock and unlock the encrypted data.

If you were to use RSA to encrypt your data, one might do this in the context of a domain and make use of the Kerberos extension PKINIT in their kdc.conf (kdc.conf configuration manual).

Samba offers some more documentation on the subject in context.

You should now be able to log in to your Windows share using your RSA key :-)

A little bit involved; however, I plan to continue writing this as I incorporate it into my own AD.

Steve

Posted 2016-01-14T07:31:49.973

Reputation: 101

1 Authentication is not the same thing as data encryption. AES is not used for authentication by SMB, and RSA / PKINIT isn't used for data encryption. (Besides that, Windows requires an actual smartcard for PKINIT.) – user1686 – 2019-09-12T13:54:10.543

A smartcard would be advisable, although not required – Steve – 2019-09-12T14:25:19.377

SMB uses AES: https://docs.microsoft.com/en-us/windows-server/storage/file-server/smb-security. AES and RSA are both algorithms; AES is synchronous and RSA is asynchronous. PKINIT is an extension of Kerberos. Kerberos is a ticketing-based authentication system. GSSAPI, SPNEGO and SASL are not ciphers; you could think of them as a structure of the ciphers to work with. A physical smart card is not compulsory.

– Steve – 2019-09-12T14:36:53.153