On Tue, 24 Apr 2007 01:33:10 +0200 Joachim Schipper <[EMAIL PROTECTED]> wrote:
> On Tue, Apr 24, 2007 at 12:48:46AM +0200, Rico Secada wrote:
> > On Tue, 24 Apr 2007 00:05:51 +0200
> > Joachim Schipper <[EMAIL PROTECTED]> wrote:
> >
> > > On Mon, Apr 23, 2007 at 09:28:53PM +0200, Rico Secada wrote:
> > > > Hi
> > > >
> > > > I need some comments from you guys on using sshfs as a solution at
> > > > work.
> > > >
> > > > I need to make some of our NFS servers available for employees at
> > > > their homes (where they live). I have been looking at both IPSec
> > > > together with VPN, but I really like SSH better. At debian mailinglist
> > > > I got a suggestion about using sshfs and nothing else, I really love
> > > > SSH, but am a bit worried about users being able to ssh in. With
> > > > sshfs the workers can mount their home directories like with nfs.
> > > >
> > > > If userlands are setup chmod 700, and each user is in no groups but
> > > > themselves, does this pose a security risk?
> > >
> > > This is a public mailing list. Trim your message at 72 columns.
> >
> > Meaning?
>
> Messages should look like:
>
> Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod
> tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim
> veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea
> commodo consequat. Duis aute irure dolor in reprehenderit in voluptate
> velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint
> occaecat cupidatat non proident, sunt in culpa qui officia deserunt
> mollit anim id est laborum.
> 123456789012345678901234567890123456789012345678901234567890123456789012
>
> Not like:
>
> Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod
> tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam,
> quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo
> consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse
> cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non
> proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

I already answered someone who also commented on this. I am not being
rude, but why is that important?

> > > > [demime 1.01d removed an attachment of type application/pgp-signature
> > > > which had a name of signature.asc]
> > >
> > > mail.html specifically states not to do this, and posting them as an
> > > attachment is particularly useless.
> >
> > I have got no idea what this is about. I haven't made any attachments.
>
> Yes, you have: a new-style PGP signature is an attachment.

I didn't know that, thank you for making me aware :-)

> > > However, I presume you came here looking for advice that actually
> > > pertains to your question.
> > >
> > > sshfs uses FUSE, which is at the moment Linux-only. It's also an
> > > interesting, but rather scary, contraption. Getting it installed might
> > > not be easy. (I say 'might' because I've never tried it; for all I know,
> > > all major distributions have a package and compile the relevant part
> > > into their stock kernels. Does anybody have more information?)
> >
> > Using OpenBSD as a server works perfectly. The server needs nothing
> > more than SSH. About the client I have successfully setup Debian with
> > fuse and it works perfectly with OpenBSD serving. I also know that
> > FreeBSD has a port for client installation. Fuse uses the sftp part of
> > SSH. On Debian all it takes is installing the package and using
> > modprobe. On FreeBSD it should be almost as easy and quick.
>
> Okay, so there's a FreeBSD port now. Cool.
>
> Still, you can't access it from OpenBSD. I was just wondering if that is
> a problem.

In our case no clients are gonna run OpenBSD, only the servers will run
OpenBSD.

> > > If the goal is to use SSH, you might want to take a look at ssh -w; I
> > > believe that will work for you, but read the docs first. As an
> > > alternative, consider switching to something with fixed port
> > > allocations (CIFS/SAMBA, AFS) and port forwarding.
> > >
> > > Finally, if confidentiality does not matter, consider authpf.
> > >
> > > However, the proper way to set up a VPN is to set up a VPN.
> >
> > The only concern I have is users snooping around because they are able
> > to ssh in, besides that sshfs works like a charm and it's so easy and
> > quick to setup. I have combined scponly with the servers, and that
> > works well too, but since scponly isn't "safe", as in a lot of work is
> > done security wise, I would not want to run with that as a permanent
> > solution. I trust OpenSSH over any VPN solution anyday, but SSH might
> > cause a problem in other areas, hence the question.
>
> If you have a restrictive SSH setup (you might want to use sftp for the
> user's shell, or force them to use that command - see ForceCommand in
> sshd_setup(5), and you definitely want to disable port forwarding), I
> don't think you will have too many problems.

Thank you very much for your reply Joachim! I will look into that.

>               Joachim
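
The restrictive setup suggested in the thread (a forced sftp command with port forwarding disabled) can be checked mechanically. The following is an added example, not part of the original messages: a simplified audit of sshd_config text for an SFTP-only group. The group name "remote", the sample configurations and the choice of `internal-sftp` as the forced command are assumptions made for illustration.

```python
# Added example: simplified audit of sshd_config text for an SFTP-only group.
# Handles only "Match Group <name>" with one literal name; no Include or patterns.
DEFAULTS = {"forcecommand": "", "allowtcpforwarding": "yes", "permittunnel": "no"}

def parse(text):
    """Return (global_opts, {group: opts}); the first value seen per keyword wins."""
    glob, groups = {}, {}
    cur = glob
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, val = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "match":
            crit = val.split()
            is_group = len(crit) == 2 and crit[0].lower() == "group"
            cur = groups.setdefault(crit[1], {}) if is_group else {}
            continue
        cur.setdefault(key, val)
    return glob, groups

def audit(text, group):
    """List the settings that leave members of `group` with more than file access."""
    glob, groups = parse(text)
    eff = {**DEFAULTS, **glob, **groups.get(group, {})}
    findings = []
    forced = eff["forcecommand"].split()[:1]
    if not forced or not (forced[0] == "internal-sftp" or forced[0].endswith("/sftp-server")):
        findings.append("ForceCommand does not pin the session to sftp")
    if eff["allowtcpforwarding"].lower() != "no":
        findings.append("AllowTcpForwarding is not 'no'")
    if eff["permittunnel"].lower() != "no":
        findings.append("PermitTunnel is not 'no' (ssh -w)")
    return findings

# Constructed samples: the group name "remote" and the paths are hypothetical.
WEAK = """
Subsystem sftp /usr/libexec/sftp-server
PasswordAuthentication no
"""
HARDENED = """
Subsystem sftp internal-sftp
Match Group remote
    ForceCommand internal-sftp
    AllowTcpForwarding no
    PermitTunnel no
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg, "remote"))
```

The audit covers only what sshd grants; what users can read once connected still depends on the file permissions discussed at the top of the thread.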

