Duke,

On Wed, 11 Sep 2002 15:16:37 -0400 you wrote:

> [This was originally posted to the LRP mailing list, where I was spat upon
> :]
> 
> I'm running LRP, more exactly Dachstein (thx for all your work Charles!).
> I've been running LRP for many a year and everything works great.  What I
> need is an idea.  This may be a bit OT, but I'm looking for advice from
> someone who's used LRP or BusyBox extensively.

Not sure I qualify, but have a suggestion to expand on your ssh idea
anyhow. :)

> Here's the problem:
> 
> I've opened samba ports for my static IP @ home, and it works great.
> However, a co-worker is not as fortunate to have a static IP.  How do I
> dynamically punch a hole for him (ports 137-139, 445) so he can access our
> samba server too?

Just for the record, even with source filtering, SMB over untrusted
networks is insecure.  (Sorry, I couldn't continue in good conscience
without stating that, even though it's probably obvious to most
everyone here.)  Obviously it's more difficult to exploit with
filtering based on source address.  VPN-based access is the (more)
secure access mechanism.

> The most straightforward solution I could find is for him
> to ssh into the LRP box and open the ports himself (...and then close
> them!).  This could be automated via a script (i.e. "/usr/bin/opensesame
> 1.2.3.4").  However, this is a bit of a pain and for users not as computer
> literate as my co-worker it would not even be an option.

If you were to use the .ssh/rc file or "command" option in a
.ssh/authorization (for key-based authentication) and the
SSH_CLIENT environment variable, you could automate this pretty
far...

Set command="/usr/bin/toggle_smb_access" in .ssh/authorization
(tested) or run it and then exit from $HOME/.ssh/rc (not tested,
but seems viable from reading sshd manpage).  toggle_smb_access
could be written so that it looks up $SSH_CLIENT in a simple data
file.  If it does not find $SSH_CLIENT, it would run the
appropriate ipchains commands to allow access and update the data
file.

If $SSH_CLIENT is already in the data file, run a different set
of ipchains commands to disable access.  Have the script echo
something like "Access enabled." or "Access disabled.",
respectively, after it finished executing so the users can see
confirmation of the state change.

Then have users run a plink.exe[1] one-liner (if they're using
Win32):

  plink.exe [EMAIL PROTECTED]

Use a desktop shortcut on their desktop if you want to make it
easy for them.

I didn't include all the gory details, but that should be enough
to get you going if you decide to use the automated ssh approach.
VPN access would definitely be more secure though.

HTH,
Brad

[1] http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

> Has anyone run
> into this before, what creative solutions have you found?  Is there a
> de-facto way you guys do this sort of thang?
>
> Thx

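One way to write the toggle_smb_access script Brad sketches above, as an added example that is not from the original thread or from LRP/Dachstein; the state-file path, the rule layout, and the overridable ipchains command (so the logic can be checked without root) are my assumptions.

```shell
#!/bin/sh
# toggle_smb_access: run as the sshd forced command for a key-based login.
# Looks up the connecting address in a state file; adds the per-client
# ipchains ACCEPT rules if absent, removes them if present.
# Assumed (not from the thread): the state file path and rule layout.
STATE_FILE="${STATE_FILE:-/var/lib/toggle_smb_access/allowed}"
IPCHAINS="${IPCHAINS:-ipchains}"    # overridable so the logic can be exercised without root
SMB_TCP_PORTS="137:139 445"         # ports named in the original question
SMB_UDP_PORTS="137:139"

# First field of SSH_CLIENT ("client-ip client-port server-port") is the client address.
client_ip() {
    set -- $1
    printf '%s\n' "$1"
}

# Add (-A) or delete (-D) the ACCEPT rules for one client address.
apply_rules() {
    action=$1; addr=$2
    for p in $SMB_TCP_PORTS; do
        "$IPCHAINS" "$action" input -p tcp -s "$addr" -d 0.0.0.0/0 "$p" -j ACCEPT
    done
    for p in $SMB_UDP_PORTS; do
        "$IPCHAINS" "$action" input -p udp -s "$addr" -d 0.0.0.0/0 "$p" -j ACCEPT
    done
}

# Toggle access for one IPv4 address and report the new state to the user.
toggle_smb_access() {
    ip=$1
    case "$ip" in                       # never pass an unchecked string to ipchains
        ''|*[!0-9.]*) echo "Refusing unexpected client address" >&2; return 1 ;;
    esac
    touch "$STATE_FILE"
    if grep -qxF "$ip" "$STATE_FILE"; then
        apply_rules -D "$ip"
        grep -vxF "$ip" "$STATE_FILE" > "$STATE_FILE.tmp" || :   # grep exits 1 when nothing remains
        mv "$STATE_FILE.tmp" "$STATE_FILE"
        echo "Access disabled."
    else
        apply_rules -A "$ip"
        echo "$ip" >> "$STATE_FILE"
        echo "Access enabled."
    fi
}

# Dispatch only when installed and invoked under this name (so the functions can also be sourced).
case "${0##*/}" in
    toggle_smb_access)
        [ -n "${SSH_CLIENT:-}" ] || { echo "SSH_CLIENT not set; run via sshd forced command" >&2; exit 1; }
        toggle_smb_access "$(client_ip "$SSH_CLIENT")" ;;
esac
```

Install it as /usr/bin/toggle_smb_access and reference it from the command="..." option of the user's key, as described above.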
------------------------------------------------------------------------
leaf-user mailing list: [EMAIL PROTECTED]
https://lists.sourceforge.net/lists/listinfo/leaf-user
SR FAQ: http://leaf-project.org/pub/doc/docmanager/docid_1891.html