Re: Support SMB encryption

[Bastien Nocera <hadess hadess net>]

On Mon, 2017-11-06 at 12:26 +0100, Bastien Nocera wrote:
> On Fri, 2017-11-03 at 02:39 +0000, Peter Keresztes Schmidt wrote:
> > Hi all,
> >
> > I'm not sure if this was already discussed, at least I couldn't
> > find
> > anything related.
> >
> > Are there any attempts to support encryption with the SMB backend?
> > Browsing a bit around in the source I'd assume something around
> >
> > diff --git a/daemon/gvfsbackendsmb.c b/daemon/gvfsbackendsmb.c
> > index 9040a9cb..6ffdddb9 100644
> > --- a/daemon/gvfsbackendsmb.c
> > +++ b/daemon/gvfsbackendsmb.c
> > @@ -417,6 +417,8 @@ do_mount (GVfsBackend *backend,
> >                                         op_backend->user != NULL);
> >    smbc_setOptionNoAutoAnonymousLogin (smb_context, TRUE);
> >  
> > +  smbc_setOptionSmbEncryptionLevel(smb_context,
> > SMBC_ENCRYPTLEVEL_REQUEST);
> > +
> >    if (!smbc_init_context (smb_context))
> >      {
> >        g_vfs_job_failed (G_VFS_JOB (job),
> >
> >
> > should do the trick. It'd be great if somebody could look into this
> > since now everything is transported unencrypted over the wire even
> > if
> > the server supports encryption.
>
> Is there any particular reason why you didn't test this change? After
> compiling gvfs, you should be able to run the gvfsd-smb daemon
> without
> installing it using:
> ./gvfsd-smb server=[server ip address or hostname] share=[name of the
> share]
>
> Testing against a few servers and reporting your results would go a
> long way.
>
> When that's done, you can probably file a bug against gvfs to request
> this change.

My cursory testing against a single server (my NAS) doesn't make the
mount fail, though I'm not sure how to assert that it's using
encryption other than snooping on the wire and checking whether I can,
for example, read a text file in the clear.