How to setup Windows filesharing over SSH

· Linux
Author

If you have a Linux file server you know how easy it is to access its files from Windows clients; just install Samba on the Linux server and you can connect using Windows file sharing (Netbios / CIFS / SMB). Unfortunately this simple setup cannot be used by itself to access files remotely over the Internet. One reason is that SMB traffic is not encrypted, another is that firewalls normally block it. That is where SSH enters – it is the leading way of securely connecting to systems over the Internet. However, to use Windows file sharing over SSH requires some tricks, which are explained in this article. They are a bit complicated but have to be done only once, work quite reliably, don’t require any additional software and are well worth the ten minutes it takes to perform them.

Prerequisites

  • A Linux server that you can connect to with SSH (there are also SSH servers for Windows and that would likely work as well, but for now I assume Linux on the server side).
  • A tested installation of Samba on the server, including the required username and password.
  • A Windows Vista or Windows 7 client (if you have a Linux client you can simply use the standard sshfs that comes bundled with modern distributions, if you have an older version of Windows on the client then much of the tricks below are not needed and will likely not work).
  • Putty installed on the Windows client and tested (another SSH client that is able to create tunnels will also work)

Overview

The goal is simply to open an SSH connection from client to server, with a tunnel on TCP port 445. We can then connect to file shares on the local machine and SSH will forward the requests to the server and return the requested data. There is one snag: Windows clients themselves also have file sharing enabled (they can act as file servers) and keep port 445 occupied for this purpose. The purpose of our tricks below is to free this port up partially so we will be able to forward it. We  will use the following steps, all on the client:

  • Create an additional local IP address by installing a loopback adapter.
  • Change the file sharing service on the client so that it starts later and not on the loopback adapter
  • Test this
  • Set up Putty with the right port forwarding and test it

Create an additional local IP address by installing a loopback adapter

This is a matter of:

  • Starting a command shell with admin privileges
  • From that running the Add Hardware Wizard, hdwwiz.exe
  • Select Install the hardware that I manually select from a list
  • Selecting Network Adapters, then Microsoft, then Microsoft Loopback adapter
  • From the Control Panel search for and then open Network Connections
  • Right-click on the Loopback Adapter and select Properties (if the Loopback Adapter is not visible you may have to reboot)
  • Disable Client for Microsoft Networks, File and Printer sharing for Microsoft Networks and Internet Protocol Version 6
  • Enable Internet Protocol Version 4, select it and then click Properties
  • Select Use the following IP address, then specify 10.255.255.1 and netmask 255.255.255.0.
  • The Gateway and DNS server can be left empty
  • Click Advanced, then deselect Automatic Metric and enter the value 9999, then in the WINS tab select Disable Netbios over TCP/IP
  • Click OK, OK, Close

Change the file sharing service on the client so that it starts later and not on the loopback adapter

This is the most complicated part.

  • Open a command window with admin privileges
  • Disable automatic starting of the file sharing service by typing: sc config smb start= demand
  • Block/forward the file sharing port by typing on one line: netsh interface portproxy add v4tov4 listenaddress=10.255.255.1 listenport=445 connectaddress=10.255.255.1 connectport=44445
  • When these commands have executed without errors close the command window
  • In the search box of the Start Button search for Task Scheduler and open it
  • Select Create a Basic Task
  • Enter the name of Start SMB Driver
  • In the next page of the wizard select the trigger When I log on
  • In the next page select Start a program
  • In the next page enter the program: c:\windows\system32\net.exe
  • Enter the arguments: start smb
  • In the next page select Open the Properties dialog for this task when I click finish, then click Finish
  • In the Task Properties window select Run whether the user if logged on or not, then select Do not store password and Run with highest privileges
  • Then switch to the Triggers tab and double-click the At log on trigger to edit it
  • In the Edit trigger window select Any user and click Ok
  • Now in the Conditions tab make sure Start the task only if the computer is on AC power is deselected
  • Click OK and close the Task Scheduler

Test this

The previous steps were a bit complicated so it is good to test them:

  • Reboot
  • In a command window type: sc query smb, make sure the SMB driver is in the state Running
  • Then type: netstat -an | find “:445 “
  • It should present a line that looks exactly like: TCP 10.255.255.1:445 0.0.0.0:0 LISTENING

Set up Putty with the right port forwarding and test it

The final step is quite easy, assuming some familiarity with Putty:

  • Open the session for your Linux server
  • Add an SSH tunnel with source port 10.255.255.1:44445 and destination localhost:445
  • It could be that the file server is a different host from the one that you SSH into. If you are sure that from the Linux host that you SSH into the file server can be reached (test with telnet fileseverhost 445) you can simply adjust the destination accordingly.
  • Click Add to add the tunnel, then save the session
  • Close all Putty sessions, then open the one we just updated and login
  • Windows on the client may give a warning about the firewall blocking access for Putty – if so enable all access
  • In the search box of the start button now type \\10.255.255.1\fileshare-you-want-to-connect-to
  • Enter the username and password of the file share
  • An explorer window should pop up with the contents of the share
  • You can now also map this share to a network drive

References

Leave a Comment