Re: Help needed with server setup at work
On Mon, 23 Apr 2007 20:22:05 -0700 Darren Spruell [EMAIL PROTECTED] wrote:

> On 4/23/07, Rico Secada [EMAIL PROTECTED] wrote:
> > > Messages should look like:
> > >
> > > Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod
> > > tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim
> > > veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea
> > > commodo consequat. Duis aute irure dolor in reprehenderit in voluptate
> > > velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint
> > > occaecat cupidatat non proident, sunt in culpa qui officia deserunt
> > > mollit anim id est laborum.
> > > 123456789012345678901234567890123456789012345678901234567890123456789012
> > >
> > > Not like:
> > >
> > > Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
> >
> > I already answered someone who also commented on this. I am not being rude, but why is that important?
>
> Internet etiquette. If you've never heard of it, chances are you've spent too much time in a stupid corporate messaging environment or using a retarded email client from a vendor that thinks they have to reinvent the conventions that electronic mail has followed for decades.

I must be using a retarded mail client then, I am using sylpheed.

> http://www.google.com/search?hl=en&client=firefox-a&rls=com.ubuntu%3Aen-US%3Aofficial&q=netiquette+wrap+mail+72&btnG=Search
>
> DS
Re: Help needed with server setup at work
> > If you've never heard of it, chances are you've spent too much time in a stupid corporate messaging environment or using a retarded email client from a vendor that thinks they have to reinvent the conventions that electronic mail has followed for decades.
>
> I must be using a retarded mail client then, I am using sylpheed.

Which I don't call retarded.

My 0,02 cents,
./Marian
Re: Help needed with server setup at work
On 4/24/07, Rico Secada [EMAIL PROTECTED] wrote:

> On Mon, 23 Apr 2007 20:22:05 -0700 Darren Spruell [EMAIL PROTECTED] wrote:
> > On 4/23/07, Rico Secada [EMAIL PROTECTED] wrote:
> > > > Messages should look like:
> > > >
> > > > Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod
> > > > tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim
> > > > veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea
> > > > commodo consequat. Duis aute irure dolor in reprehenderit in voluptate
> > > > velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint
> > > > occaecat cupidatat non proident, sunt in culpa qui officia deserunt
> > > > mollit anim id est laborum.
> > > > 123456789012345678901234567890123456789012345678901234567890123456789012
> > > >
> > > > Not like:
> > > >
> > > > Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
> > >
> > > I already answered someone who also commented on this. I am not being rude, but why is that important?
> >
> > Internet etiquette. If you've never heard of it, chances are you've spent too much time in a stupid corporate messaging environment or using a retarded email client from a vendor that thinks they have to reinvent the conventions that electronic mail has followed for decades.
>
> I must be using a retarded mail client then, I am using sylpheed.

If the MUA itself isn't retarded, then that leaves only one other consideration (PEBKAC).

http://sylpheeddoc.sourceforge.net/en/manual/manual-8.html

DS
Help needed with server setup at work
Hi

I need some comments from you guys on using sshfs as a solution at work. I need to make some of our NFS servers available for employees at their homes (where they live). I have been looking at both IPSec together with VPN, but I really like SSH better. At debian mailinglist I got a suggestion about using sshfs and nothing else, I really love SSH, but am a bit worried about users being able to ssh in. With sshfs the workers can mount their home directories like with nfs. If userlands are setup chmod 700, and each user is in no groups but themselves, does this pose a security risk?

Best regards
Rico

[demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
Re: Help needed with server setup at work
On Tue, 24 Apr 2007 00:05:51 +0200 Joachim Schipper [EMAIL PROTECTED] wrote:

> On Mon, Apr 23, 2007 at 09:28:53PM +0200, Rico Secada wrote:
> > Hi
> >
> > I need some comments from you guys on using sshfs as a solution at work. I need to make some of our NFS servers available for employees at their homes (where they live). I have been looking at both IPSec together with VPN, but I really like SSH better. At debian mailinglist I got a suggestion about using sshfs and nothing else, I really love SSH, but am a bit worried about users being able to ssh in. With sshfs the workers can mount their home directories like with nfs. If userlands are setup chmod 700, and each user is in no groups but themselves, does this pose a security risk?
>
> This is a public mailing list. Trim your message at 72 columns.

Meaning?

> > [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
>
> mail.html specifically states not to do this, and posting them as an attachment is particularly useless.

I have got no idea what this is about. I haven't made any attachments.

> However, I presume you came here looking for advice that actually pertains to your question.
>
> sshfs uses FUSE, which is at the moment Linux-only. It's also an interesting, but rather scary, contraption. Getting it installed might not be easy. (I say 'might' because I've never tried it; for all I know, all major distributions have a package and compile the relevant part into their stock kernels. Does anybody have more information?)

Using OpenBSD as a server works perfectly. The server needs nothing more than SSH. About the client I have successfully setup Debian with fuse and it works perfectly with OpenBSD serving. I also know that FreeBSD has a port for client installation. Fuse uses the sftp part of SSH. On Debian all it takes is installing the package and using modprobe. On FreeBSD it should be almost as easy and quick.

> If the goal is to use SSH, you might want to take a look at ssh -w; I believe that will work for you, but read the docs first. As an alternative, consider switching to something with fixed port allocations (CIFS/SAMBA, AFS) and port forwarding. Finally, if confidentiality does not matter, consider authpf. However, the proper way to set up a VPN is to set up a VPN.

The only concern I have is users snooping around because they are able to ssh in, besides that sshfs works like a charm and it's so easy and quick to setup. I have combined scponly with the servers, and that works well too, but since scponly isn't safe, as in a lot of work is done security wise, I would not want to run with that as a permanent solution. I trust OpenSSH over any VPN solution any day, but SSH might cause a problem in other areas, hence the question.

Thanks Joachim.

> Joachim
>
> --
> TFMotD: amd (8) - automatically mount file systems

--
Best and kind regards
Rico Secada
Re: Help needed with server setup at work
On Tue, Apr 24, 2007 at 12:48:46AM +0200, Rico Secada wrote:

> On Tue, 24 Apr 2007 00:05:51 +0200 Joachim Schipper [EMAIL PROTECTED] wrote:
> > On Mon, Apr 23, 2007 at 09:28:53PM +0200, Rico Secada wrote:
> > > Hi
> > >
> > > I need some comments from you guys on using sshfs as a solution at work. I need to make some of our NFS servers available for employees at their homes (where they live). I have been looking at both IPSec together with VPN, but I really like SSH better. At debian mailinglist I got a suggestion about using sshfs and nothing else, I really love SSH, but am a bit worried about users being able to ssh in. With sshfs the workers can mount their home directories like with nfs. If userlands are setup chmod 700, and each user is in no groups but themselves, does this pose a security risk?
> >
> > This is a public mailing list. Trim your message at 72 columns.
>
> Meaning?

Messages should look like:

Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod
tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim
veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea
commodo consequat. Duis aute irure dolor in reprehenderit in voluptate
velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint
occaecat cupidatat non proident, sunt in culpa qui officia deserunt
mollit anim id est laborum.
123456789012345678901234567890123456789012345678901234567890123456789012

Not like:

Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

> > > [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
> >
> > mail.html specifically states not to do this, and posting them as an attachment is particularly useless.
>
> I have got no idea what this is about. I haven't made any attachments.

Yes, you have: a new-style PGP signature is an attachment.

> > However, I presume you came here looking for advice that actually pertains to your question.
> >
> > sshfs uses FUSE, which is at the moment Linux-only. It's also an interesting, but rather scary, contraption. Getting it installed might not be easy. (I say 'might' because I've never tried it; for all I know, all major distributions have a package and compile the relevant part into their stock kernels. Does anybody have more information?)
>
> Using OpenBSD as a server works perfectly. The server needs nothing more than SSH. About the client I have successfully setup Debian with fuse and it works perfectly with OpenBSD serving. I also know that FreeBSD has a port for client installation. Fuse uses the sftp part of SSH. On Debian all it takes is installing the package and using modprobe. On FreeBSD it should be almost as easy and quick.

Okay, so there's a FreeBSD port now. Cool. Still, you can't access it from OpenBSD. I was just wondering if that is a problem.

> > If the goal is to use SSH, you might want to take a look at ssh -w; I believe that will work for you, but read the docs first. As an alternative, consider switching to something with fixed port allocations (CIFS/SAMBA, AFS) and port forwarding. Finally, if confidentiality does not matter, consider authpf. However, the proper way to set up a VPN is to set up a VPN.
>
> The only concern I have is users snooping around because they are able to ssh in, besides that sshfs works like a charm and it's so easy and quick to setup. I have combined scponly with the servers, and that works well too, but since scponly isn't safe, as in a lot of work is done security wise, I would not want to run with that as a permanent solution. I trust OpenSSH over any VPN solution any day, but SSH might cause a problem in other areas, hence the question.

If you have a restrictive SSH setup (you might want to use sftp for the user's shell, or force them to use that command - see ForceCommand in sshd_setup(5), and you definitely want to disable port forwarding), I don't think you will have too many problems.

Joachim
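
The restrictive setup suggested in the message above (a forced sftp command and no port forwarding) can be verified on a server; the shell function below is an added example, not code from the thread or from OpenSSH. It reads `keyword value` lines as printed by `sshd -T`; the `sshfsusers` group, the sample settings and the extra `PermitTunnel` check (covering the `ssh -w` tunnels mentioned earlier in the thread) are assumptions of this example.

```sh
#!/bin/sh
# Added example: audit the effective sshd settings of an account that should
# only be used for sshfs/sftp.
#
# Input on stdin: "keyword value" lines as printed by `sshd -T`
# (add `-C user=NAME,host=...,addr=...` so Match blocks are applied).
#
# A Match block along these lines yields the hardened sample below
# (the group name "sshfsusers" is an assumption made for this example):
#
#   Match Group sshfsusers
#       ForceCommand internal-sftp
#       AllowTcpForwarding no
#       PermitTunnel no

# Prints one FAIL line per problem; returns 0 only if nothing failed.
audit_sftp_only() {
    # Start from sshd's defaults in case a keyword is missing from the input.
    fc=none tcp=yes tun=no
    while read -r key value; do
        case "$key" in
            forcecommand)       fc=$value ;;
            allowtcpforwarding) tcp=$value ;;
            permittunnel)       tun=$value ;;
        esac
    done
    rc=0
    # The forced command must be the sftp server, so a login never gets a shell.
    case "$fc" in
        internal-sftp|internal-sftp\ *|*/sftp-server|*/sftp-server\ *) ;;
        *) echo "FAIL forcecommand=$fc (login can run arbitrary commands)"
           rc=1 ;;
    esac
    # Port forwarding would let the account reach hosts behind the server.
    if [ "$tcp" != no ]; then
        echo "FAIL allowtcpforwarding=$tcp"
        rc=1
    fi
    # ssh -w tunnels are controlled separately from TCP forwarding.
    if [ "$tun" != no ]; then
        echo "FAIL permittunnel=$tun"
        rc=1
    fi
    return $rc
}

# Constructed sample: settings of an ordinary shell account.
weak_sample() {
    printf '%s\n' 'forcecommand none' 'allowtcpforwarding yes' 'permittunnel no'
}

# Constructed sample: settings of an account matched by the block shown above.
hardened_sample() {
    printf '%s\n' 'forcecommand internal-sftp' 'allowtcpforwarding no' \
        'permittunnel no'
}

weak_sample | audit_sftp_only || echo "weak sample: not restricted"
hardened_sample | audit_sftp_only && echo "hardened sample: restricted to sftp"
```

The check covers the ForceCommand variant only; an account whose login shell is the sftp server itself does not show up in `sshd -T` output and has to be checked in the password database instead.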
Re: Help needed with server setup at work
On Tue, Apr 24, 2007 at 12:48:46AM +0200, Rico Secada wrote:

> On Tue, 24 Apr 2007 00:05:51 +0200 Joachim Schipper [EMAIL PROTECTED] wrote:
> > On Mon, Apr 23, 2007 at 09:28:53PM +0200, Rico Secada wrote:
> > This is a public mailing list. Trim your message at 72 columns.
>
> Meaning?

The following line is as I received it. It is 401 characters wide. I have left it as is for your edification.

> Using OpenBSD as a server works perfectly. The server needs nothing more than SSH. About the client I have succesfully setup Debian with fuse and it works perfectly with OpenBSD serving. I also know that FreeBSD has a port for client installation. Fuse uses the sftp part of SSH. On Debian all it takes is installing the package and using modprobe. On FreeBSD it should be almost as easy and quick.

This line was also received. It is 471 characters wide. I have wrapped it. Using vim I only had to do a gqap.

> The only consern I have is users snooping around because they are able
> to ssh in, besides that sshfs works like a charm and its so easy and
> quick to setup. I have combined scponly with the servers, and that
> works well too, but since scponly isn't safe, as in a lot of work is
> done security wise, I would not want to run with that as a permanent
> solution. I trust OpenSSH over any VPN solution anyday, but SSH might
> cause a problem in other areas, hence the question.

> > > [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
>
> I have got no idea what this is about. I havent made any attachments.

_somebody_ signed a post on this thread and instead of a signature the mail list server put a message that it was removed.

Doug.
Re: Help needed with server setup at work
On Mon, 23 Apr 2007 19:43:53 -0400 Douglas Allan Tutty [EMAIL PROTECTED] wrote:

> On Tue, Apr 24, 2007 at 12:48:46AM +0200, Rico Secada wrote:
> > On Tue, 24 Apr 2007 00:05:51 +0200 Joachim Schipper [EMAIL PROTECTED] wrote:
> > > On Mon, Apr 23, 2007 at 09:28:53PM +0200, Rico Secada wrote:
> > > This is a public mailing list. Trim your message at 72 columns.
> >
> > Meaning?
>
> The following line is as I received it. It is 401 characters wide. I have left it as is for your edification.
>
> > Using OpenBSD as a server works perfectly. The server needs nothing more than SSH. About the client I have succesfully setup Debian with fuse and it works perfectly with OpenBSD serving. I also know that FreeBSD has a port for client installation. Fuse uses the sftp part of SSH. On Debian all it takes is installing the package and using modprobe. On FreeBSD it should be almost as easy and quick.
>
> This line was also received. It is 471 characters wide. I have wrapped it. Using vim I only had to do a gqap.

I am sorry if I sound stupid, but I have never heard of this being a problem before :-) Has it something to do with people using console based mailreaders?

> > The only consern I have is users snooping around because they are able
> > to ssh in, besides that sshfs works like a charm and its so easy and
> > quick to setup. I have combined scponly with the servers, and that
> > works well too, but since scponly isn't safe, as in a lot of work is
> > done security wise, I would not want to run with that as a permanent
> > solution. I trust OpenSSH over any VPN solution anyday, but SSH might
> > cause a problem in other areas, hence the question.
>
> > > > [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
> >
> > I have got no idea what this is about. I havent made any attachments.
>
> _somebody_ signed a post on this thread and instead of a signature the mail list server put a message that it was removed.

Ok, that makes sense :-) Thanks.

> Doug.
Re: Help needed with server setup at work
On Tue, 24 Apr 2007 01:33:10 +0200 Joachim Schipper [EMAIL PROTECTED] wrote:

> On Tue, Apr 24, 2007 at 12:48:46AM +0200, Rico Secada wrote:
> > On Tue, 24 Apr 2007 00:05:51 +0200 Joachim Schipper [EMAIL PROTECTED] wrote:
> > > On Mon, Apr 23, 2007 at 09:28:53PM +0200, Rico Secada wrote:
> > > > Hi
> > > >
> > > > I need some comments from you guys on using sshfs as a solution at work. I need to make some of our NFS servers available for employees at their homes (where they live). I have been looking at both IPSec together with VPN, but I really like SSH better. At debian mailinglist I got a suggestion about using sshfs and nothing else, I really love SSH, but am a bit worried about users being able to ssh in. With sshfs the workers can mount their home directories like with nfs. If userlands are setup chmod 700, and each user is in no groups but themselves, does this pose a security risk?
> > >
> > > This is a public mailing list. Trim your message at 72 columns.
> >
> > Meaning?
>
> Messages should look like:
>
> Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod
> tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim
> veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea
> commodo consequat. Duis aute irure dolor in reprehenderit in voluptate
> velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint
> occaecat cupidatat non proident, sunt in culpa qui officia deserunt
> mollit anim id est laborum.
> 123456789012345678901234567890123456789012345678901234567890123456789012
>
> Not like:
>
> Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.

I already answered someone who also commented on this. I am not being rude, but why is that important?

> > > > [demime 1.01d removed an attachment of type application/pgp-signature which had a name of signature.asc]
> > >
> > > mail.html specifically states not to do this, and posting them as an attachment is particularly useless.
> >
> > I have got no idea what this is about. I haven't made any attachments.
>
> Yes, you have: a new-style PGP signature is an attachment.

I didn't know that, thank you for making me aware :-)

> > > However, I presume you came here looking for advice that actually pertains to your question.
> > >
> > > sshfs uses FUSE, which is at the moment Linux-only. It's also an interesting, but rather scary, contraption. Getting it installed might not be easy. (I say 'might' because I've never tried it; for all I know, all major distributions have a package and compile the relevant part into their stock kernels. Does anybody have more information?)
> >
> > Using OpenBSD as a server works perfectly. The server needs nothing more than SSH. About the client I have successfully setup Debian with fuse and it works perfectly with OpenBSD serving. I also know that FreeBSD has a port for client installation. Fuse uses the sftp part of SSH. On Debian all it takes is installing the package and using modprobe. On FreeBSD it should be almost as easy and quick.
>
> Okay, so there's a FreeBSD port now. Cool. Still, you can't access it from OpenBSD. I was just wondering if that is a problem.

In our case no clients are gonna run OpenBSD, only the servers will run OpenBSD.

> > > If the goal is to use SSH, you might want to take a look at ssh -w; I believe that will work for you, but read the docs first. As an alternative, consider switching to something with fixed port allocations (CIFS/SAMBA, AFS) and port forwarding. Finally, if confidentiality does not matter, consider authpf. However, the proper way to set up a VPN is to set up a VPN.
> >
> > The only concern I have is users snooping around because they are able to ssh in, besides that sshfs works like a charm and it's so easy and quick to setup. I have combined scponly with the servers, and that works well too, but since scponly isn't safe, as in a lot of work is done security wise, I would not want to run with that as a permanent solution. I trust OpenSSH over any VPN solution any day, but SSH might cause a problem in other areas, hence the question.
>
> If you have a restrictive SSH setup (you might want to use sftp for the user's shell, or force them to use that command - see ForceCommand in sshd_setup(5), and you definitely want to disable port forwarding), I don't think you will have too many problems.

Thank you very much for your reply Joachim! I will look into that.

> Joachim
Re: Help needed with server setup at work
On 4/23/07, Rico Secada [EMAIL PROTECTED] wrote:

> > Messages should look like:
> >
> > Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod
> > tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim
> > veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea
> > commodo consequat. Duis aute irure dolor in reprehenderit in voluptate
> > velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint
> > occaecat cupidatat non proident, sunt in culpa qui officia deserunt
> > mollit anim id est laborum.
> > 123456789012345678901234567890123456789012345678901234567890123456789012
> >
> > Not like:
> >
> > Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in culpa qui officia deserunt mollit anim id est laborum.
>
> I already answered someone who also commented on this. I am not being rude, but why is that important?

Internet etiquette. If you've never heard of it, chances are you've spent too much time in a stupid corporate messaging environment or using a retarded email client from a vendor that thinks they have to reinvent the conventions that electronic mail has followed for decades.

http://www.google.com/search?hl=en&client=firefox-a&rls=com.ubuntu%3Aen-US%3Aofficial&q=netiquette+wrap+mail+72&btnG=Search

DS