Duke,
On Wed, 11 Sep 2002 15:16:37 -0400 you wrote: > [This was originally posted to the LRP mailing list, where I was spat upon > :] > > I'm running LRP, more exactly Dachstein (thx for all your work Charles!). > I've been running LRP for many a year and everything works great. What I > need is an idea. This may be a bit OT, but I'm looking for advice from > someone who's used LRP or BusyBox extensively. Not sure I qualify, but have a suggestion to expand on your ssh idea anyhow. :) > Here's the problem: > > I've opened samba ports for my static IP @ home, and it works great. > However, a co-worker is not as fortunate to have a static IP. How do I > dynamically punch a hole for him (ports 137-139, 445) so he can access our > samba server too? Just for the record, even with source filtering, SMB over untrusted networks is insecure. (Sorry, I couldn't continue in good conscious without stating that, even though it's probably obvious to most everyone here.) Obviously it's more difficult to exploit with filtering based on source address. VPN-based access is the (more) secure access mechanism. > The most straightforward solution I could find is for him > to ssh into the LRP box and open the ports himself (...and then close > them!). This could be automated via a script (i.e. "/usr/bin/opensesame > 1.2.3.4"). However, this is a bit of a pain and for users not as computer > literate as my co-worker it would not even be an option. If you were to use the .ssh/rc file or "command" option in a .ssh/authorization (for key-based authentication) and the SSH_CLIENT environment veriable, you could automate this pretty far... Set command="/usr/bin/toggle_smb_access" in .ssh/authorization (tested) or run it and then exit from $HOME/.ssh/rc (not tested, but seems viable from reading sshd manpage). toggle_smb_access could be written so that it looks up $SSH_CLIENT in a simple data file. If it does not find $SSH_CLIENT, it would run the appropriate ipchains commands to allow access and update the data file. If $SSH_CLIENT is already in the data file, run a different set of ipchains commands to disable access. Have the script echo something like "Access enabled." or "Access disabled.", respectively, after it finished executing so the users can see confirmation of the state change. Then have users run a plink.exe[1] one-liner (if they're using Win32): plink.exe [EMAIL PROTECTED] Use a desktop shortcut on their desktop if you want to make it easy for them. I didn't include all the gory details, but that should be enough to get you going if you decide to use the automated ssh approach. VPN access would definitely be more secure though. HTH, Brad [1] http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html > Has anyone run > into this before, what creative solutions have you found? Is there a > de-facto way you guys do this sort of thang? > > Thx ------------------------------------------------------- In remembrance www.osdn.com/911/ ------------------------------------------------------------------------ leaf-user mailing list: [EMAIL PROTECTED] https://lists.sourceforge.net/lists/listinfo/leaf-user SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html