Jonas, thank you for taking the effort of summarizing the thread from the Norwegian list.
<sarcasm and annoyance> i read it partly but i did not get the impression that people really cared for input from other (English speaking) people and the competence level was not above average all the time, either. I wondered why the discussion was conducted on that list in the first place, and concluded it was more for entertainment and chit-chat because people would *of course* not want to be rude by excluding anyone from the discussion by using "private" languages. </sarcasm and annoyance>

* Jonas Smedegaard ([EMAIL PROTECTED]) [040309 02:36]:
> ~ 2d) Login securely, and tunnel X communication securely. With Lessdisks
> this is done by the script sdm using SSH. With lessdisks 4 (not yet
> packaged for Debian) it seems to be also somehow possible (but only
> optional?) using SSH.
>
> ~ 2e) If access is needed from local client to personal files on server
> (e.g. when running some applications locally) do it securely. Lessdisks
> uses a Debian chroot so any Debian-supported secure filesystem can be
> used. Simplest to setup secure filesystems seems to be SFS and
> NFS-over-SSH[6].

both 2d and 2e are rather fragile tunnels. ssh is not meant to be used for this kind of job. ipsec is the right tool for the job and has been in the Debian kernel for some time. with that one can tunnel traffic nicely. ciphers like blowfish or AES can be used even on low-end machines without performance hit. if the servers need to encrypt larger amounts of data (high traffic volume, many clients) it can help a lot to utilize hardware random number generators. sometimes those are integrated into the chipset and are highly cost-effective that way.

generally servers are much more vulnerable when RPC and the portmapper are used. this is an invitation for hacking and penetration. another filesystem than NFS would be a long term and more robust solution.
AFS supports kerberos and strong encryption/hashing, but has some license issues and is non-trivial to set up (it is not in the (Debian) kernel either). Kurt told me yesterday that Chris Hübsch of AFS fame would be happy to help us get it integrated. I propose to investigate that further.

