
arp and mac addresses

by fluffyvoidwarrior (Monk)
on Dec 19, 2005 at 16:42 UTC ( [id://517798]=perlquestion )

fluffyvoidwarrior has asked for the wisdom of the Perl Monks concerning the following question:

Hello Monks, I'm creating a program on Win32 that needs to send files over a Windows network to a Linux machine running Samba. Some of the data is confidential and I need to authenticate the Linux machine so I can't get spoofed. The Windows arp command does what I think I want by returning a list of IPs mapped against MAC addresses. Unfortunately I can't call the arp command for various reasons. Is there a simple Perl-only way of doing this that doesn't involve system calls, or am I thinking on the wrong lines altogether using this as a means of authentication? Any suggestions and/or code snippets would be greatly appreciated. Thanks again everyone...

Replies are listed 'Best First'.
Re: arp and mac addresses
by tirwhan (Abbot) on Dec 19, 2005 at 16:50 UTC

    This is an extremely weak method of authentication; MAC addresses can be spoofed easily. You can usually notice the spoof if you've got your network monitoring set up correctly, but that depends on network topology as well. Also, if the data is confidential you shouldn't be sending it across an untrusted network unencrypted. I would suggest using ssh for this (since the recipient machine is a Linux box which has an ssh daemon already installed); that gives you host authentication for free with the encrypted channel.


    Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. -- Brian W. Kernighan
Re: arp and mac addresses
by Hue-Bond (Priest) on Dec 19, 2005 at 16:48 UTC

    If the data is confidential, you not only need to authenticate the peers, but to encrypt the data too. The first thing that comes to my mind is Net::SSH. Oh, and beware that although you could use ARP addresses, they can be spoofed too. If you stick with Samba, you'll have to live with the fact that the confidential data go unencrypted through the wire.

    --
    David Serrano

Re: arp and mac addresses
by traveler (Parson) on Dec 19, 2005 at 17:18 UTC
    Both Win32 and Linux have IPSec. This allows for encryption and host authentication. MACs are, as pointed out above, useless for authentication.
Re: arp and mac addresses
by Perl Mouse (Chaplain) on Dec 19, 2005 at 16:52 UTC
    What's the point? If your network can't be trusted, that is, there might be someone masquerading, there's no point sending over the file unencrypted. If someone can masquerade, that someone can just snoop the network. Which means that your confidential data can be read anyway.

    Samba allows for a username and password to do some authentication at mount time, but I do not know how that password is being exchanged.

    I wouldn't do any exchange of data using samba or NFS if my network can't be trusted - in such a case, I'd use ssh or something similar.

    Perl --((8:>*
Re: arp and mac addresses ( domain or workgroup environment?)
by ybiC (Prior) on Dec 19, 2005 at 17:36 UTC

    Does your Windows networking environment employ domain authentication, or workgroup authentication?

    If the former, and both your win32 PC and Linux Samba box are domain members, then I suspect that your concerns may be unfounded.   In the NT domain scheme, hosts are authenticated as well as users, so the potential bad person would have to spoof the IP address *and* have hacked the automatic-regularly-changed machine account password.   So you would be reasonably secure in simply doing an SMB/CIFS copy of your already-encrypted file(s) to the Linux box.

    But if you're in a Microsoft workgroup environment, then I'd probably concur with fellow monks suggesting SSH as likely being safer than SMB/CIFS.

    Fwiw, MAC spoofing is called LAA - "locally administered address".


      cheers,
      ybiC

      settled for somewhat less than Perl Adept
      (it's pronounced "why-bick")
Re: arp and mac addresses
by fluffyvoidwarrior (Monk) on Dec 19, 2005 at 16:57 UTC
    Yes my data is encrypted. What I'm looking for though is a way to shut my program down if I can't find my linux box and be reasonably sure that it actually IS the linux box ...

      And the only way to do that is to have a unique identifier on the remote (Linux) box which you can check in a secure way, i.e. in a way that can't be snooped or spoofed. So you need to encrypt that identifier exchange as well, which is a lot of work, only ssh already does it for you.

      Inventing your own secure transmission channels is always a bad idea unless you really know what you're doing.


      Debugging is twice as hard as writing the code in the first place. Therefore, if you write the code as cleverly as possible, you are, by definition, not smart enough to debug it. -- Brian W. Kernighan
        Yes, I had in mind inventing my own secure transmission thingy but it started to get a bit sticky - using a unique identifier on the Linux box as you suggest. Like you say, a bit of a pain. It seems the consensus is that ssh is the way to go then and arp and MAC addresses aren't - even if my data is encrypted I don't want it poked at by just anyone. Thanks everyone. 2 mins of monkly advice is worth 2 weeks of my arsing about.
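
The fail-closed behaviour asked for in this sub-thread ("shut my program down" unless the peer really is the Linux box), done with ssh's own host-key check rather than a MAC lookup. This is an added example, not code posted by anyone in the thread; the pin file path, the remote user and the `incoming/` directory are assumptions.

```shell
#!/bin/sh
# Added example: fail-closed file transfer that authenticates the Linux box by
# its pinned SSH host key instead of its MAC address.
# Assumed names: pin file path, remote user and the "incoming/" directory.
PINNED_HOSTS="${PINNED_HOSTS:-./pinned_known_hosts}"

# has_pinned_key HOST
# True only if the pin file has a plain (unhashed) known_hosts entry for HOST.
# Comment lines and @marker lines (@revoked, @cert-authority) are not pins.
has_pinned_key() {
    [ -r "$PINNED_HOSTS" ] || return 1
    awk -v h="$1" '
        /^[ \t]*(#|@|$)/ { next }
        { n = split($1, names, ",")
          for (i = 1; i <= n; i++) if (names[i] == h) found = 1 }
        END { exit (found ? 0 : 1) }
    ' "$PINNED_HOSTS"
}

# send_file HOST USER FILE
# Returns 0 on success, 2 if HOST has no pinned key, 3 if scp fails
# (unreachable host, host key mismatch, or authentication failure).
send_file() {
    host=$1 user=$2 file=$3
    if ! has_pinned_key "$host"; then
        echo "refusing to send: no pinned host key for $host" >&2
        return 2
    fi
    # StrictHostKeyChecking=yes: never accept or learn an unknown/changed key.
    # UserKnownHostsFile + GlobalKnownHostsFile=/dev/null: trust only our pins.
    # BatchMode=yes: no interactive prompts, so a failure cannot be clicked past.
    scp -o BatchMode=yes \
        -o StrictHostKeyChecking=yes \
        -o UserKnownHostsFile="$PINNED_HOSTS" \
        -o GlobalKnownHostsFile=/dev/null \
        -- "$file" "$user@$host:incoming/" || return 3
}
```

The pin file has to be filled once with the server's host public key obtained over a trusted path (for example at its console), not learned from the network being defended.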
Re: arp and mac addresses
by Ultra (Hermit) on Dec 20, 2005 at 13:29 UTC
