[vox-tech] Secure file serving?

ME vox-tech@lists.lugod.org
Tue, 11 Mar 2003 22:29:37 -0800 (PST)


Jay Strauss said:
> I gotta question.  I want to have a secure file server.

Me too! ;-)

> I set up a samba server at work.  I can see the samba server from my win2k
> box when I'm on my work network.  According to various docs I've read, I
> should be able to SSH to my work server from home, do a little ssh tunneling
> magic and be able to see the samba server from home (across the internet).
> Unfortunately, I've had no joy, and from what I've read the performance
> would be disappointing too (this food sucks, and the portions are small too).

I have seen an ssh tunnel setup for passing smb/samba to/from linux boxes,
but not between Windows boxes without a *n*x box as part of the mix.

As for Windows to Linux box, I know some ssh clients permit port
forwarding, but I've never tried this with samba traffic (TCP ports
137, 138, 139).

> I'd like to have a file server that I can get to from home, work, or when at
> a client's site.  I'd like it to be something like SMB so that it will work
> well with all my M$ apps and provide file locking and such so that me and my
> work mates don't overwrite each other (as opposed to having a sftp client
> (gui or not)).

Well, have you looked into WebDAV over SSL? I think it does file locking,
but access through it can be a bit tricky when doing edits to the files in
the "share". (The file locks are not OS based, but dealt with by the
WebDAV system - meaning, if everyone edits through WebDAV, then locks are
properly handled for all users. However, if most users use dav, but some
edit these same files in a shell on the file server or via other
filesharing systems, locking can get busted.)

A strong advantage of WebDAV over SSL is encryption is "there" for data
and authentication, and it uses the existing web service (a big plus if
you have a web server on the box anyway.)

A disadvantage is it *can* be slow. However, there are clients for Linux,
MacOS 9, while Mac OS X and Windows 98 (and later) have it built-in, and
windows 95 has a free upgrade to permit this to work.

(It is often slower than a genuine file server like NFS/Samba/Netatalk,
but for large files, the speeds for all of these start to approach a
similar optimum value on a per connection evaluation.)

Often, I will copy a WebDav document to a local box, edit it locally, and
then copy it back. However, during the copy and "opening" the file is
locked so long as all access to the file is through DAV. (Not a local FS
lock, but a DAV-protocol based lock.)

> What are my options?

Not many without an adequate description of "secure". :-/

> What I think would be really neat (i don't think it exists), is a https web
> page I could go to, authenticate, and magically I could then see some
> common/shared file systems, and be able to use if from my normal directory
> structure (ie. thru windows explorer or from unix "ls"), so that I could
> still use it while on a security conscience client site.

That is kind-of what WebDAV is about. It uses a web server (usual
implementation) to push files to/from the server all over port 443 (ssl
default) or 80 (not suggested for security reasons.)

However, there are also content management systems. This question came up
before, and I think "zope" was suggested. There are others, but I don't
remember what they were. (Sorry, I thought this question was answered on
the list before, and the answer following mine discussed another option
that was also possible through a web server with an extra package and/or
cgi.)

> Ps, the exact reason I couldn't use the samba server thru ssh was, that even
> though I followed the directions verbatim (that is sticking an entry in my
> LMHOSTS file and setting up the tunnel), windows could find the samba server

Odd. After you added the entry to lmhosts, did you also add the #PRE at
the end to force preloading and then reboot?
(Your mouse has moved. Would you like to reboot windows for these changes
to take effect? #PRE is supposed to force preloading of name at boot.)

In most cases, mods to lmhosts work "right away", but not always. Also,
there is an order for name resolution that can be set in windows. You
probably want to have it attempt resolution through lmhosts first, then
Master Browser (or PDC/BDC), then WINS, and then rDNS/DNS. Verify your
resolution order is properly configured for LMHOSTS resolution first.

One easy way to test this is to make a name that points to the IP that has
an underscore as part of it, and then from command.com, try to ping that
name (the one with the underscore.) Since underscores are a violation of
FQDN rules, a WINS (through to DNS) and DNS/rDNS will fail and you will only
be left with LMHOSTS and MasterBrowser (or PDC/BDC.)

After you are certain that the name in lmhosts is being checked, make sure
the name you set in LMHOSTS for the IP matches the machine's real NetBIOS
name.

I use WebDAV over SSL for most of my cross net "filesharing" stuff. This
also permits you to give users a different username/password for WebDAV
filesharing than you have in /etc/passwd. This permits me to feel a little
better about using an untrusted machine and risking exposure of some of my
content when using WebDAV - while I would never use an untrusted machine
for ssh to a real user account.

WebDAV can also work with quotas, but that really needs group quotas and
introduces other restrictions, and limitations on file reading and
security.

Searches for "content management" may get you services that offer you what
you want.

My favorite for a kind of file sharing:
http://www.webdav.org/
and with apache mod:
http://www.webdav.org/mod_dav/

Specific "Content Management" services: (search for more)
http://freshmeat.net/projects/phpcms/?topic_id=92%2C96%2C243%2C90
http://www.zope.com/


HTH,
-ME
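The WebDAV-over-SSL setup described in this reply (port 443 only, DAV-managed locks, and a separate password file instead of /etc/passwd), written out as an Apache 2.x configuration. This is an added example, not configuration from the thread or from the mod_dav project; the hostname, certificate paths, share path and htpasswd path are assumptions.

```apache
# Added example (not from the thread): Apache 2.x with mod_dav and mod_ssl.
# Assumed paths: /srv/dav (the share), /etc/apache2/dav.passwd (DAV-only users).
# The lock database lives outside the share so DAV clients cannot read it.
DavLockDB /var/lib/apache2/davlock/DavLock

# Port 80 offers nothing but a redirect, so credentials never travel in clear.
<VirtualHost *:80>
    ServerName files.example.org
    Redirect permanent / https://files.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName files.example.org
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/files.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/files.example.org.key

    Alias /dav /srv/dav
    <Directory /srv/dav>
        Dav On
        # Refuse the request if it somehow arrives without TLS.
        SSLRequireSSL
        # No server-generated directory listings for plain browsers.
        Options -Indexes
        # Credentials come from a separate htpasswd file, not /etc/passwd,
        # so a DAV password exposed on an untrusted machine does not give
        # anyone a shell login on the file server.
        AuthType Basic
        AuthName "WebDAV share"
        AuthUserFile /etc/apache2/dav.passwd
        Require valid-user
    </Directory>
</VirtualHost>
```

Create DAV accounts with `htpasswd -c /etc/apache2/dav.passwd <user>` (drop `-c` after the first user); because locks are kept in DavLockDB rather than by the filesystem, edits made through a shell or Samba on the same directory bypass them, exactly as the reply warns.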


