Hi, I need some possible suggestions if I may ask, to not set up, or have to set up, WebDAV on OpenBSD to allow users to do their web folder stuff. It can be set up with FTP for example to allow them to map a folder in their "network place" on XP, but then they can't do the stupid "save as", and just for that, they want to use WebDAV. However, then it needs to allow write access via HTTP and the full load of issues that could come with that when combined with PHP, etc. I only allow SSH access and in very special cases I have accepted FTP from specific locations controlled via PF, but because of the stupid "save as", they are screaming for WebDAV, or mod_dav, which I really would like to avoid totally. I just don't see the benefit worth the risk required to allow it. Maybe I am wrong and someone could enlighten me, which I would very much appreciate, but again, maybe there is an alternative using SSH that I do not know. I provided WinSCP years ago and it sure works well, plus I can control access via SSH with PF too, which I would lose introducing WebDAV. I hate all these users that can only work using a GUI-like interface all the time and feel they need everything to be done via HTTP. Can anyone provide me some ideas or alternatives here, as I am running out of them? Being viewed as the asshole that always refuses flexibility for security is fine, but maybe there is something I can do to keep it safe and give the whiners a bone. I hate the Microsoft-centric users that care less for security, but would also be the first to scream should there be a compromise too. Any suggestions here? Sorry for the somewhat off-topic question, but I need suggestions if there are any. Best, Daniel.
On Thu, Jan 24, 2008 at 05:58:57PM -0500, Daniel Ouellet wrote: If you're considering a commercial product, http://www.sftpdrive.com If the product performs as it says, you shouldn't need to change anything on the web server.
Thanks, I appreciate your suggestions, but I will stick with solutions where I can see the code and that are open source. I got a few suggestions that might make sense so far. Thanks for your time in offering solutions, however. Best, Daniel
If your interest is seeing the code, not being able to get it for free, then talk to the SftpDrive people; they're a down-to-earth group of guys, and are really great to work with, and for all I know, they might be perfectly open to letting you see the code. -- Systems Programmer, Principal Electrical & Computer Engineering The University of Arizona marti@arizona.edu
If using sftp with WinSCP is still an option, but you do not want users to
have SSH access, this can be achieved easily with sshd_config settings
like:

    # override default of no subsystems
    Subsystem sftp /usr/libexec/sftp-server

    # members of group "sftp" get the sftp server as their only command,
    # with no X11 or TCP forwarding through the session
    Match Group sftp
        X11Forwarding no
        AllowTcpForwarding no
        ForceCommand /usr/libexec/sftp-server

Not sure if this fits your needs though.
-Urban
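A quick offline check for the lockdown in Urban's snippet, added here as an example and not part of the thread: it parses an sshd_config text (a constructed sample, embedded below) and reports whether the Match Group block for a given group pins all three settings. It assumes one criterion per Match line ("Match Group name") and a single group name rather than a comma-separated list.

```shell
#!/bin/sh
# Constructed sample sshd_config (not taken from the thread) with the
# sftp-only Match block for group "sftp".
SAMPLE_CONFIG='Subsystem sftp /usr/libexec/sftp-server
PasswordAuthentication no
Match Group sftp
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand /usr/libexec/sftp-server
'

# sftp_block_ok CONFIG_TEXT GROUP
# Prints "ok" when the "Match Group GROUP" block sets X11Forwarding no,
# AllowTcpForwarding no and a ForceCommand; otherwise prints "missing:"
# followed by the settings that are absent or not locked down.
# Assumes one criterion per Match line and one group name (no comma lists).
sftp_block_ok() {
    printf '%s\n' "$1" | awk -v grp="$2" '
        # sshd_config keywords are case-insensitive; normalise them.
        { key = tolower($1) }
        # A Match line starts a new block; only the block for our group counts.
        key == "match" {
            in_block = (tolower($2) == "group" && $3 == grp)
            next
        }
        in_block && key == "x11forwarding"      { x11 = tolower($2) }
        in_block && key == "allowtcpforwarding" { tcp = tolower($2) }
        in_block && key == "forcecommand"       { fc = $2 }
        END {
            missing = ""
            if (x11 != "no") missing = missing " X11Forwarding"
            if (tcp != "no") missing = missing " AllowTcpForwarding"
            if (fc == "")    missing = missing " ForceCommand"
            if (missing == "") print "ok"
            else print "missing:" missing
        }'
}

sftp_block_ok "$SAMPLE_CONFIG" sftp
```

On a running host, `sshd -T -C user=<name>` (available in newer OpenSSH releases) prints the options that actually apply after Match processing, which is the authoritative check; this script only reviews the config text.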
I can test this too. I know this is very ridiculous, but see, there is lots of laziness, I guess, at play here, or a total lack of understanding. If they were employees, they would be out the door for such laziness. Over years of pounding, some finally use WinSCP or PuTTY, and that's great. Others are just brain dead and are just browser users, and anything not in the browser is too complicated for them. Like I had to set up the FTP to allow them to use their stupid Explorer to connect to FTP using their browser, as it was too much trouble for them to use an FTP, or better yet an SFTP, client! I know..... Then over time, even that, using FTP, was too much trouble and they kept messing things up. How, I can't explain; I really can't figure out how they can do this, honest. I have no clue how someone can be that stupid. Then I had to explain how to set up "My Network Places" in Windows for them to be able to use their Windows Explorer to copy files back and forth using the underlying FTP process supported here, and that got them to shut up for a while. The problem is that they complain that they can't use their stupid Word, for example, to edit a file remotely on the server because it doesn't map to a drive letter in Windows and as such, for example, they can't do "save as". See how stupid this is! So, in the end, they sure want all the security, but no difference for them, and they sure are not willing to learn anything new as they have done the same things for years and can't accept why it would need to be different. Then I looked at setting up a tunnel between the various offices and the remote servers, but then I hit the wall with the internal IT department here. I am just stuck with this kind of stupidity and try to find all kinds of different solutions that might shut them up for good, and each time I thought I was closer to that, but then not. And obviously, did I say they don't want to pay for special software, or add network stuff in the ...
Hello Daniel, I believe it should be possible to set up Samba over SSH. I mean Samba listening on localhost only on the server and PuTTY (www.chiark.greenend.org.uk/~sgtatham/putty/) with port forwarding on the clients. You can also use Samba over IPsec. IPsec is not less secure than SSH and gives you more flexibility. -- Best regards, Boris mailto:boris@twopoint.com
Has anyone figured out how to save PuTTY tunnel settings (whether for Samba or anything else), so that they can be easily dropped onto multiple systems without having to do manual setup on each one?
Have not tried tunnel settings, but I DO know that you can copy any session configuration by exporting the registry keys. Lee -- Leland V. Lammert lvl@omnitec.net Chief Scientist Omnitec Corporation Network/Internet Consultants www.omnitec.net
I can confirm that the port forwarding settings are stored in the registry. It is easy enough to write a quick script to add those registry entries into the registry of a new computer. Look in the PuTTY FAQ; I think there is an example of how to do it in there. -- Tim Donahue
Thanks, I don't think they would go for that. Some already have WinSCP, like I explained, and they don't like having to save locally and then transfer over, or use the built-in editor for small changes. Yeah, I know.... So if they can't do that, getting them to set up PuTTY, which some also already have, may not fly. However, I will try that to see the results, as I am curious about that idea.
Hi Daniel, I use Zope on OpenBSD and on the same server, I have Samba as well. The Zope server is set up for WebDAV and some people use Windows to read and write from the Zope store using WebDAV, some just use Samba shares, and others use HTTPS using OpenBSD httpd and mod_rewrite from port 443 to localhost:zopeport. Since users look at the WebDAV as a "network place", they don't seem to mind having to move files from their Samba shares to the WebDAV location and vice versa. Not sure whether this is appropriate in your environment, but it has worked well for me. HTH, Vijay -- Vijay Sankar, M.Eng., P.Eng. President & CEO ForeTell Technologies Limited 59 Flamingo Avenue, Winnipeg, MB Canada R3J 0X6 Phone: +1 204 885 9535, E-Mail: vsankar@foretell.ca
I don't know if this will help since it'll involve the Windows users having to install the M$ loopback adapter on their boxes & configure it. It's what I use on my network for the Windows boxes to access the OpenBSD boxes via SSH. And all Windows users are using Cygwin, not PuTTY or some other GUI. In my case, I only allow passwordless logins using RSA keys & authorized_keys files instead. If you allow password logins, it wouldn't be a problem. No idea how many users you have, so I guess it could turn into an admin's nightmare if you had to go into each user's $HOME/.ssh & do the setup there. I guess you could send out a notice & give them a deadline to ssh in & set it up themselves. But, we're talking Windows users here. ;) Anyway, here's the link for setting up Samba over SSH: http://assela.pathirana.net/Samba_over_SSH_--_Opening_Windows_to_UNIX_safely_and_reliably As the article shows, instead of having to open a Cygwin prompt, then issue the tunneling command, the whole thing can be automated with a script & a Windows service started on boot. When the user clicks Start, Run, types in the IP address & Enter, Explorer will open showing them their Samba shares. So, there's the GUI they crave. ;) Hope this helps some. -- Denny White All messages scanned by ClamAssassin http://jameslick.com/clamassassin/ GnuPG key : 0x1644E79A | http://wwwkeys.nl.pgp.net Fingerprint: D0A9 AD44 1F10 E09E 0E67 EC25 CB44 F2E5 1644 E79A
That is interesting to read and I will sure have a look at it, but like you said, these are Windows users here. (;> It may never fly, but I am interested in looking into this, however. Thanks for sharing it! Best, Daniel
Glad to help if I can. One caveat to warn you about the Windows boxes, Daniel. I really had a hair-pulling time on one & it turned out to be because it had M$'s tools for Unix administration on it. It wasn't needed since Cygwin was on there. I know it was running NFS client services, which also wasn't needed, left over from before Samba was totally incorporated across the network, and I'm not sure what else, so there was undoubtedly something there conflicting with cygrunsrv. Once the Unix admin tools were uninstalled, and the box rebooted & the tunnel established, when the clicking Start, Run, typing in IP, Enter crap was all done, the hookup was really fast. I'm sure if you wanted you could reverse that & get rid of Cygwin & keep the Unix tools running its sshd as a service instead, but I'm used to Cygwin & actually kind of like it. It's helped me out quite a bit in the past. -- Denny White
While this is a way if you _must_ use SMB/CIFS, I'm not too sure if a combination of Samba, Cygwin (which users won't bother to update once it's installed, so no security fixes) and the MS loopback adapter (for some client-breaks-their-own-network-and-shouts-at-you fun) is really the simplest and most secure setup.
If you're not really concerned about any particular packages, Cygwin is really easy to update, just as easy as Microsloth, just a few clicks, but yeah, good point. There are probably much better ways to do it. I just threw it in the mix as a point of interest. OTOH, I haven't had any network breakage from the adapter, but I'm sure it can happen. Luckily for me & the few computers on this network, it works really well so far. I haven't had any breakage or problems since I uninstalled the M$ tools for Unix off the one box. -- Denny White
No, it's not easy or fun for sure and, as I pointed out, I sure wouldn't, or couldn't, do that here, but I am interested in testing it just for my own knowledge. (;> A little bit more understanding never hurts. (;> After all, aren't Windows users mouse-clicker experts only? (;> As for MCSEs, I guess specialists in GUI choice selections, but if the choice is not there.... Well, totally lost. Yes, there are a very few exceptions, but doing this setup, you bet it will hurt more than help, and as there isn't a GUI screen for them to select from, well.... You know where it will end for sure. Best and thanks for all. Daniel
Jumping in a little late... I use Davenport: -> http://davenport.sourceforge.net/ It looks old and unmaintained, but that's because it stabilized years ago. I am working on a port of it. It is a WebDAV-to-SMB wrapper in Java (don't laugh; it works well). We already had a Samba installation running, so this was an easy way to move people to HTTPS WebDAV, which windoze and Mac OS X have support for out of the box. Once set up, it's practically zero-maintenance.
