Kai Krakow <hurikha...@gmail.com> writes:

> Am Sat, 29 Apr 2017 20:30:03 +0100
> schrieb lee <l...@yagibdah.de>:
>
>> Danny YUE <sheepd...@gmail.com> writes:
>> 
>> > On 2017-04-25 14:29, lee <l...@yagibdah.de> wrote:  
>> >> Hi,
>> >>
>> >> since the usage of FTP seems to be declining, what is a replacement
>> >> which is at least as good as FTP?
>> >>
>> >> I'm aware that there's webdav, but that's very awkward to use and
>> >> missing features.  
>> >
>> > What about sshfs? It allows you to mount a location that can be
>> > accessed via ssh to your local file system, as if you are using
>> > ssh.  
>> 
>> Doesn't that require ssh access?  And how do you explain that to ppl
>> finding it too difficult to use Filezilla?  Is it available for
>> Windoze?
>
> Both, sshfs and scp, require a full shell (that may be restricted but
> that involves configuration overhead on the server side).

I wouldn't want them to have that.

> You can use sftp (FTP wrapped into SSH), which is built into SSH. It
> has native support in many Windows clients (most implementations use
> PuTTY in the background). It also has the advantage that you can
> easily restrict users on your system to SFTP-only with an easy
> server-side configuration.

From what I've been reading, sftp is deprecated and has been replaced by
ftp with TLS.

>> > Also samba can be a replacement. I have a samba server on my OpenWRT
>> > router and use mount.cifs to mount it...  
>> 
>> Does that work well, reliably and securely over internet connections?
>
> It supports encryption as transport security, and it supports kerberos
> for secure authentication, the latter is not easy to set up in Linux,
> but it should work with Windows clients out-of-the-box.
>
> But samba is a pretty complex daemon and thus offers a big attack
> surface for hackers and bots. I'm not sure you want to expose this to
> the internet without some sort of firewall in place to restrict access
> to specific clients - and that probably wouldn't work for your scenario.

At least it's a possibility.  I don't even know if they have static IPs,
though.

> But you could offer access via OpenVPN and tunnel samba through that.

I haven't been able yet to figure out what implications creating a VPN
has.  I understand it's supposed to connect networks through a secured
tunnel, but what kind of access to the LAN does someone get who connects
via VPN?  Besides, VPN is extremely complicated and difficult to set
up.  I consider it an awful nightmare.

Wireguard seems a lot easier.

> By that time, you can as easily offer FTP, too, through the tunnel
> only, as there should be no more security concerns now: It's encrypted
> now.

The ftp server already doesn't allow unencrypted connections.

Now try to explain to ppl for whom Filezilla is too complicated how to
set up a VPN connection and how to secure their LAN once they create the
connection (if we could ever get that to work).  I haven't been able to
figure that out myself, and that is one of the main reasons why I do not
have a VPN connection but use ssh instead.  The only disadvantage is
that I can't do RDP sessions with that ---  I probably could and just
don't know how to --- but things might be a lot easier if wireguard
works.

> OpenVPN also offers transparent compression which can be a big
> plus for your scenario.

Not really, a lot of data is images, usually JPEG, some ZIP files, some
PDF.  All that doesn't compress too well.

> OpenVPN is not too difficult to set up, and the client is available for
> all major OSes. And it's not too complicated to use: Open VPN
> connection, then use your file transfer client as you're used to. Just
> one simple extra step.

I'm finding it a horrible nightmare, see above.  It is the most
difficult thing you could come up with.  I haven't found any good
documentation that explains it, the different types of it, how it works,
what to use (apparently there are many different ways or something, some
of which require a static IP on both ends, and they even give you
different disadvantages in performance ...), how to protect the
participants and all the complicated stuff involved.  So far, I've
managed to stay away from it, and I wouldn't know where to start.  Of
course, there is some documentation, but it is all confusing and no
good.

The routers even support it.  In theory, it shouldn't be difficult to
set up, but that's only theory.  They do not have any documentation as
to how to protect the connected networks from each other.  I could
probably get it to work, but I wouldn't know what I'm doing, and I don't
like that.


I admit that I don't really want to know how VPN works because it's
merely an annoyance and not what I need.  What's needed is a simple,
encrypted connection between networks, and VPN is anything but that.

Wireguard sounds really simple.  Since I need to set up a VPN or
VPN-like connection sooner than later, I'm considering using it.


-- 
"Didn't work" is an error.
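
The server-side SFTP-only restriction mentioned in the quoted reply above, as an added example that is not part of the original thread. It is an OpenSSH sshd_config fragment; the group name "sftponly" and the path /srv/sftp are assumptions chosen for illustration.

```conf
# /etc/ssh/sshd_config (fragment, constructed example)

# Use the SFTP server built into sshd, so the chroot needs no binaries or libraries.
Subsystem sftp internal-sftp

# Applies only to members of the (hypothetical) group "sftponly".
Match Group sftponly
    # Always run the SFTP server, whatever the client asks for:
    # these accounts get no interactive shell and cannot run commands.
    ForceCommand internal-sftp

    # Confine each session to its own tree (%u expands to the user name).
    # The directory and every parent must be owned by root and not be
    # group- or world-writable, otherwise sshd refuses the login.
    # Give the user a writable subdirectory inside it, e.g. /srv/sftp/<user>/upload.
    ChrootDirectory /srv/sftp/%u

    # Close the side channels that would otherwise let an SFTP-only
    # account reach other hosts or services through this server.
    AllowTcpForwarding no
    AllowAgentForwarding no
    X11Forwarding no
    PermitTunnel no
```

Running `sshd -t` checks the configuration for syntax errors before sshd is reloaded.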
