Sounds neat, I'm going to read the docs, to get an idea

Thanks
Jay

----- Original Message -----
From: "ME" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Wednesday, March 12, 2003 12:29 AM
Subject: Re: [vox-tech] Secure file serving?

> Jay Strauss said:
> > I gotta question. I want to have a secure file server.
>
> Me too! ;-)
>
> > I set up a samba server at work. I can see the samba server from my win2k
> > box when I'm on my work network. According to various docs I've read, I
> > should be able to SSH to my work server from home, do a little ssh tunneling
> > magic and be able to see the samba server from home (across the internet).
> > Unfortunately, I've had no joy, and from what I've read the performance
> > would be disappointing too (this food sucks, and the portions are small too).
>
> I have seen an ssh tunnel setup for passing smb/samba to/from linux boxes,
> but not between Windows boxes without a *n*x box as part of the mix.
>
> As for Windows to Linux box, I know some ssh clients permit port
> forwarding, but I've never tried this with samba traffic (TCP ports
> 137,138,139).
>
> > I'd like to have a file server that I can get to from home, work, or when at
> > a client's site. I'd like it to be something like SMB so that it will work
> > well with all my M$ apps and provide file locking and such so that me and my
> > work mates don't overwrite each other (as opposed to having a sftp client
> > (gui or not)).
>
> Well, have you looked into WebDAV over SSL? I think it does file locking,
> but access through it can be a bit tricky when doing edits to the files in
> the "share". (The file locks are not OS based, but dealt with by the
> WebDAV system - meaning, if everyone edits through WebDAV, then locks are
> properly handled for all users. However, if most users use dav, but some
> edit these same files in a shell on the file server or via other
> filesharing systems, locking can get busted.)
>
> A strong advantage of WebDAV over SSL is encryption is "there" for data
> and authentication, and it uses the existing web service (a big plus if
> you have a web server on the box anyway.)
>
> A disadvantage is it *can* be slow. However, there are clients for Linux,
> MacOS 9, while Mac OS X and Windows 98 (and later) have it built-in, and
> Windows 95 has a free upgrade to permit this to work.
>
> (It is often slower than a genuine file server like NFS/Samba/Netatalk,
> but for large files, the speeds for all of these start to approach a
> similar optimum value on a per connection evaluation.)
>
> Often, I will copy a WebDAV document to a local box, edit it locally, and
> then copy it back. However, during the copy and "opening" the file is
> locked so long as all access to the file is through DAV. (Not a local FS
> lock, but a DAV-protocol based lock.)
>
> > What are my options?
>
> Not many without an adequate description of "secure". :-/
>
> > What I think would be really neat (I don't think it exists), is a https web
> > page I could go to, authenticate, and magically I could then see some
> > common/shared file systems, and be able to use it from my normal directory
> > structure (ie. thru windows explorer or from unix "ls"), so that I could
> > still use it while on a security conscious client site.
>
> That is kind-of what WebDAV is about. It uses a web server (usual
> implementation) to push files to/from the server all over port 443 (ssl
> default) or 80 (not suggested for security reasons.)
>
> However, there are also content management systems. This question came up
> before, and I think "zope" was suggested. There are others, but I don't
> remember what they were. (Sorry, I thought this question was answered on
> the list before, and the answer following mine discussed another option
> that was also possible through a web server with an extra package and/or
> cgi.)
>
> > Ps, the exact reason I couldn't use the samba server thru ssh was, that even
> > though I followed the directions verbatim (that is sticking an entry in my
> > LMHOSTS file and setting up the tunnel), windows could find the samba server
>
> Odd. After you added the entry to lmhosts, did you also add the #PRE at
> the end to force preloading and then reboot?
> (Your mouse has moved. Would you like to reboot windows for these changes
> to take effect? #PRE is supposed to force preloading of name at boot.)
>
> In most cases, mods to lmhosts work "right away", but not always. Also,
> there is an order for name resolution that can be set in windows. You
> probably want to have it attempt resolution through lmhosts first, then
> Master Browser (or PDC/BDC), then WINS, and then rDNS/DNS. Verify your
> resolution order is properly configured for LMHOSTS resolution first.
>
> One easy way to test this is make a name that points to the IP that has
> an underscore as part of it, and then from command.com, try to ping that
> name (the one with the underscore.) Since underscores are a violation of
> FQDN, a WINS (through to DNS) and DNS/rDNS will fail and you will only be
> left with LMHOSTS and MasterBrowser (or PDC/BDC.)
>
> After you are certain that the name in lmhosts is being checked, make sure
> the name you set in LMHOSTS for the IP matches the machine's real NetBIOS
> name.
>
> I use WebDAV over SSL for most of my cross net "filesharing" stuff. This
> also permits you to give users a different username/password for WebDAV
> filesharing than you have in /etc/passwd. This permits me to feel a little
> better about using an untrusted machine and risk exposure of some of my
> content when using WebDAV - while I would never use an untrusted machine
> for ssh to a real user account.
>
> WebDAV can also work with quotas, but that really needs group quotas and
> introduces other restrictions, and limitations on file reading and
> security.
>
> Searches for "content management" may get you services that offer you what
> you want.
>
> My Favorite for a kind of file sharing:
> http://www.webdav.org/
> and with apache mod:
> http://www.webdav.org/mod_dav/
>
> Specific "Content Management" services: (search for more)
> http://freshmeat.net/projects/phpcms/?topic_id=92%2C96%2C243%2C90
> http://www.zope.com/
>
> HTH,
> -ME
>
> _______________________________________________
> vox-tech mailing list
> [EMAIL PROTECTED]
> http://lists.lugod.org/mailman/listinfo/vox-tech
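The setup ME describes above, a WebDAV share reachable only over SSL, with its own password file separate from /etc/passwd and DAV-level locking, as an added Apache httpd configuration example (not from the thread, nor from the mod_dav documentation it links). The hostname, certificate paths, lock-file path and the /srv/dav directory are assumptions.

```apache
# Added example: WebDAV share served only over SSL, authenticated against
# a password file separate from /etc/passwd, with DAV-level locking.
# Hostname, certificate paths and the /srv/dav directory are assumptions;
# module paths differ by distribution.
LoadModule dav_module     modules/mod_dav.so
LoadModule dav_fs_module  modules/mod_dav_fs.so

# Plain HTTP only redirects to HTTPS, so credentials never travel over port 80.
<VirtualHost *:80>
    ServerName files.example.com
    Redirect permanent / https://files.example.com/
</VirtualHost>

<VirtualHost *:443>
    ServerName files.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/files.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/files.example.com.key

    # Lock database used by mod_dav_fs. These are DAV-protocol locks, not
    # OS locks: an edit made in a local shell on the server bypasses them,
    # which is the "locking can get busted" caveat from the thread.
    DavLockDB /var/lock/apache2/DavLock

    Alias /dav /srv/dav
    <Directory /srv/dav>
        Dav On
        Options -Indexes
        # Refuse the share entirely on a non-SSL connection.
        SSLRequireSSL

        # Credentials live in their own file (created with htpasswd), not
        # in /etc/passwd, so a DAV password exposed on an untrusted client
        # is not a shell login on the server.
        AuthType Basic
        AuthName "WebDAV share"
        AuthUserFile /etc/apache2/dav.htpasswd
        Require valid-user
    </Directory>
</VirtualHost>
```

The directory holding DavLockDB and /srv/dav itself must be writable by the httpd user, and the DAV password file should be kept outside the served tree.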
