[vox-tech] Secure file serving?

Jay Strauss vox-tech@lists.lugod.org
Wed, 12 Mar 2003 11:41:30 -0600


Sounds neat, I'm going to read the docs, to get an idea

Thanks
Jay
----- Original Message -----
From: "ME" <dugan@passwall.com>
To: <vox-tech@lists.lugod.org>
Sent: Wednesday, March 12, 2003 12:29 AM
Subject: Re: [vox-tech] Secure file serving?


> Jay Strauss said:
> > I gotta question.  I want to have a secure file server.
>
> Me too! ;-)
>
> > I set up a samba server at work.  I can see the samba server from my
> > win2k box when I'm on my work network.  According to various docs I've
> > read, I should be able to SSH to my work server from home, do a little
> > ssh tunneling magic and be able to see the samba server from home
> > (across the internet).  Unfortunately, I've had no joy, and from what
> > I've read the performance would be disappointing too (this food sucks,
> > and the portions are small too).
>
> I have seen an ssh tunnel setup for passing smb/samba to/from linux boxes,
> but not between Windows boxes without a *n*x box as part of the mix.
>
> As for Windows to Linux box, I know some ssh clients permit port
> forwarding, but, I've never tried this with samba traffic (TCP ports
> 137,138,139)
>
> > I'd like to have a file server that I can get to from home, work, or
> > when at a client's site.  I'd like it to be something like SMB so that
> > it will work well with all my M$ apps and provide file locking and such
> > so that me and my work mates don't overwrite each other (as opposed to
> > having a sftp client (gui or not)).
>
> Well, have you looked into WebDAV over SSL? I think it does file locking,
> but access through it can be a bit tricky when doing edits to the files in
> the "share". (The file locks are not OS based, but dealt with by the
> WebDAV system - meaning, if everyone edits through WebDAV, then locks are
> properly handled for all users. However, if most users use dav, but some
> edit these same files in a shell on the file server or via other
> filesharing systems, locking can get busted.)
>
> A strong advantage of WebDAV over SSL is encryption is "there" for data
> and authentication, and it uses the existing web service (a big plus if
> you have a web server on the box anyway.)
>
> A disadvantage is it *can* be slow. However, there are clients for Linux,
> MacOS 9, while Mac OS X and Windows 98 (and later) have it built-in, and
> windows 95 has a free upgrade to permit this to work.
>
> (It is often slower than a genuine file server like NFS/Samba/Netatalk,
> but for large files, the speeds for all of these start to approach a
> similar optimum value on a per connection evaluation.)
>
> Often, I will copy a WebDav document to a local box, edit it locally, and
> then copy it back. However, during the copy and "opening" the file is
> locked so long as all access to the file is through DAV. (Not a local FS
> lock, but a DAV-protocol based lock.)
>
> > What are my options?
>
> Not many without an adequate description of "secure". :-/
>
> > What I think would be really neat (I don't think it exists), is a https
> > web page I could go to, authenticate, and magically I could then see
> > some common/shared file systems, and be able to use it from my normal
> > directory structure (ie. thru windows explorer or from unix "ls"), so
> > that I could still use it while on a security-conscious client site.
>
> That is kind-of what WebDAV is about. It uses a web server (usual
> implementation) to push files to/from the server all over port 443 (ssl
> default) or 80 (not suggested for security reasons.)
>
> However, there are also content management systems. This question came up
> before, and I think "zope" was suggested. There are others, but I don't
> remember what they were. (Sorry, I thought this question was answered on
> the list before, and the answer following mine discussed another option
> that was also possible through a web server with an extra package and/or
> cgi.)
>
> > PS, the exact reason I couldn't use the samba server thru ssh was, that
> > even though I followed the directions verbatim (that is sticking an
> > entry in my LMHOSTS file and setting up the tunnel), windows could find
> > the samba server
>
> Odd. After you added the entry to lmhosts, did you also add the #PRE at
> the end to force preloading and then reboot?
> (Your mouse has moved. Would you like to reboot windows for these changes
> to take effect? #PRE is supposed to force preloading of name at boot.)
>
> In most cases, mods to lmhosts work "right away", but not always. Also,
> there is an order for name resolution that can be set in windows. You
> probably want to have it attempt resolution through lmhosts first, then
> Master Browser (or PDC/BDC), then WINS, and then rDNS/DNS. Verify your
> resolution order is properly configured for LMHOSTS resolution first.
>
> One easy way to test this, is make a name that points to the IP that has
> an underscore as part of it, and then from command.com, try to ping that
> name (the one with the underscore.) Since underscores are a violation of
> FQDN, a WINS (through to DNS) and DNS/rDNS will fail and you will only be
> left with LMHOSTS and MasterBrowser (or PDC/BDC.)
>
> After you are certain that the name in lmhosts is being checked, make sure
> the name you set in LMHOSTS for the IP matches the machine's real NetBIOS
> name.
>
> I use WebDAV over SSL for most of my cross net "filesharing" stuff. This
> also permits you to give users a different username/password for WebDAV
> filesharing than you have in /etc/passwd. This permits me to feel a little
> better about using an untrusted machine and risking exposure of some of my
> content when using WebDAV - while I would never use an untrusted machine
> for ssh to a real user account.
>
> WebDAV can also work with quotas, but that really needs group quotas and
> introduces other restrictions, and limitations on file reading and
> security.
>
> Searches for "content management" may get you services that offer you what
> you want.
>
> My Favorite for a kind of file sharing:
> http://www.webdav.org/
> and with apache mod:
> http://www.webdav.org/mod_dav/
>
> Specific "Content Management" services: (search for more)
> http://freshmeat.net/projects/phpcms/?topic_id=92%2C96%2C243%2C90
> http://www.zope.com/
>
>
> HTH,
> -ME
>
>
>
> --
> -----BEGIN GEEK CODE BLOCK-----
> Version: 3.12
> GCS/CM$/IT$/LS$/S/O$ !d--(++) !s !a+++(-----) C++$(++++) U++++$(+$) P+$>+++
> L+++$(++) E W+++$(+) N+ o K w+$>++>+++ O-@ M+$ V-$>- !PS !PE Y+ PGP++
> t@-(++) 5+@ X@ R- tv- b++ DI+++ D+ G--@ e+>++>++++ h(++)>+ r*>? z?
> ------END GEEK CODE BLOCK------
> decode: http://www.ebb.org/ungeek/ about: http://www.geekcode.com/geek.html
>
>
> _______________________________________________
> vox-tech mailing list
> vox-tech@lists.lugod.org
> http://lists.lugod.org/mailman/listinfo/vox-tech
>
>
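As an added example (not from either poster, and not the mod_dav project's own configuration), here is an Apache 2.4 virtual-host setup for the arrangement ME describes: the share is reachable only over SSL, port 80 does nothing but redirect, the WebDAV accounts live in their own htpasswd file rather than /etc/passwd, and locks are kept in a DAV lock database. The hostname dav.example.org, the paths /srv/dav, /etc/apache2/dav.htpasswd and the certificate files are placeholders chosen for the example.

```apache
# Added example: WebDAV over SSL with a credential store separate from the
# system accounts.  Placeholders (not from the thread): dav.example.org,
# /srv/dav, /etc/apache2/dav.htpasswd, the certificate and key paths.
# Needs mod_ssl, mod_dav, mod_dav_fs, mod_auth_basic, mod_authn_file, mod_alias.

# Plain HTTP only redirects.  No auth happens here, so neither passwords
# nor file contents are ever sent over port 80.
<VirtualHost *:80>
    ServerName dav.example.org
    Redirect permanent / https://dav.example.org/
</VirtualHost>

<VirtualHost *:443>
    ServerName dav.example.org

    SSLEngine on
    # Placeholder certificate and key paths.
    SSLCertificateFile    /etc/ssl/certs/dav.example.org.pem
    SSLCertificateKeyFile /etc/ssl/private/dav.example.org.key
    SSLProtocol all -SSLv3 -TLSv1 -TLSv1.1

    # DAV locks are recorded in this database, not in the filesystem.
    # Keep it outside the share.  Anyone editing /srv/dav directly in a shell
    # or through another file-sharing protocol never sees these locks, which
    # is the caveat raised in the thread.
    DavLockDB /var/lib/apache2/dav/lockdb
    DavMinTimeout 600

    Alias /share /srv/dav
    <Directory /srv/dav>
        Dav On
        Options None
        AllowOverride None

        # Separate account database: a user's WebDAV password is not their
        # shell password, so a DAV credential typed on an untrusted machine
        # does not also unlock an ssh login.  Create the file once with:
        #   htpasswd -c /etc/apache2/dav.htpasswd jay
        # and add further users without -c.
        AuthType Basic
        AuthName "WebDAV share"
        AuthUserFile /etc/apache2/dav.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```

Basic authentication is acceptable here only because every request that carries it is inside the TLS session; the port-80 host deliberately has no `Dav On` or `Require` so a client that starts with http:// is redirected before it is ever asked for a password. The Apache user needs write access to /srv/dav and to the directory holding the lock database, and the share should be owned by that user rather than by the people who also hold shell accounts, so that the DAV credential file is the only path to the files from the network.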