[ale] SMB options

Joe Sechman jsechman at bellsouth.net
Sun Jan 11 22:13:55 EST 2004


Yeah, the command line tool isn't something I advertise, it's just 
another option...99% of the administrative overhead / user training has 
to do with the RSA public key management and telling the users how to 
generate their private keys and send their public key to you (not to 
mention comparing the host key fingerprint) which can be nightmarish.  
But, you could just allow normal SSH password authentication (they still 
have to manage passwords and get connection info for FTP or SMB, right?) 
and run WinSCP on top of SSH ... just like WS_FTP for FTP, only more 
secure.  The only part I really had to come to terms with was depending 
on WinSCP and distributing it to our users - which you may or may not 
feel comfortable with. Anyway, good luck, hope you find your solution soon!

Joe

David Hamm wrote:

>I'm sorry but my clients wouldn't accept using a command line tool to download 
>files.  Sure I can distribute WinSCP and write a script that would write a 
>batch file and email it to the user so they could download the files.  But, 
>full file management is a necessity.  And training the user isn't realistic; 
>turnover is high enough that retraining would be frequent.
>
>Thanks for your help.
>
>
>On Sunday 11 January 2004 11:36 am, Joe Sechman wrote:
>  
>
>>SSH is the way to go...I use a chroot'd jail environment for upload and
>>only permit RSA PKI authentication for secure copy (SCP) upload.  Since
>>most of our users are mere mortals, I advise WinSCP as the winX client
>>software (not sure if there's a GNU equivalent), but the savvys usually
>>use the SCP command line tools.  Admittedly, it's a bit of
>>administrative overhead, but at least I get some shuteye :0)  This is
>>also good because the savvys have a dummy login shell with only the
>>commands necessary for file transfer (cp, rm, mkdir, mv, etc.....but NO
>>su).  Here are some references:
>>
>>Jailchroot project
>>http://www.jmcresearch.com/projects/jail/
>>
>>WinSCP
>>http://winscp.sourceforge.net/eng/
>>
>>and my favorite book of all time (SSH Definitive Guide):
>>http://www.bookpool.com/.x/odr44xorc0/sm/0596000111
>>
>>-Cheers,
>>Joe Sechman
>>
>>    
>>
>>>David Hamm wrote:
>>>      
>>>
>>>>Hello,
>>>>
>>>>I have an FTP server sitting on the Internet.  One group of users
>>>>uploads files via FTP the other group downloads those files via SMB.
>>>>Securing SMB communications in most cases is handled by listing the
>>>>SMB user's IP address in an IPTables rule with a -j ACCEPT.  But
>>>>recently I gained an SMB user on ALLTel's network and ALLTel blocks
>>>>port 135.  The only options I can come up with are either FreeSwan or
>>>>PopTop and from recent experiences I'm not excited about using
>>>>either.  I wonder if I could run SMB on another port? Under Linux I
>>>>don't see a problem but the Windows workstations mounting the share
>>>>can't be modified since they also participate in an SMB based LAN.
>>>>Any suggestions are welcomed.
>>>>        
>>>>
>>>Personally, I think you're absolutely insane to be permitting Windows
>>>file sharing over the internet.  You're just asking for trouble.
>>>
>>>You should find a different solution. What about ssh?
>>>      
>>>
>>_______________________________________________
>>Ale mailing list
>>Ale at ale.org
>>http://www.ale.org/mailman/listinfo/ale
>>    
>>
>
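
An audit of the upload policy described in the thread (key-only authentication inside a chroot for one group of users), added here as an example and not part of the original messages. It assumes OpenSSH's own `Match Group` and `ChrootDirectory` directives rather than the Jailchroot project linked above; the group name `uploaders`, the paths and both sample configs are constructed, and only `Match all` and `Match Group` are modelled.

```python
# Added example (not from the thread): resolve the sshd_config settings that
# apply to one group and flag deviations from key-only, chroot'd upload.
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "chrootdirectory": "none"}

def effective_settings(config_text, group):
    """Keyword values for a user in `group` (models Match all / Match Group only)."""
    global_vals, match_vals = {}, {}
    target, active = global_vals, True
    for raw in config_text.splitlines():
        parts = raw.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        key = parts[0].lower()  # sshd keywords are case-insensitive
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            crit = value.split()
            active = bool(crit) and (crit[0].lower() == "all" or (
                len(crit) == 2 and crit[0].lower() == "group"
                and group in crit[1].split(",")))
            target = match_vals
        elif active:
            target.setdefault(key, value)  # the first value obtained wins
    # Values from a matching Match block override the global section.
    return {**DEFAULTS, **global_vals, **match_vals}

def audit_upload_group(config_text, group):
    s = effective_settings(config_text, group)
    findings = []
    if s["passwordauthentication"].lower() != "no":
        findings.append("password authentication allowed")
    if s["pubkeyauthentication"].lower() != "yes":
        findings.append("public-key authentication disabled")
    if s["chrootdirectory"].lower() == "none":
        findings.append("no chroot directory")
    return findings

# Constructed sample configs; 'uploaders' and the paths are hypothetical.
WEAK = """PasswordAuthentication yes
Match Group uploaders
    ChrootDirectory /srv/upload/%u
"""
HARDENED = """PasswordAuthentication yes
Match Group uploaders
    PasswordAuthentication no
    PubkeyAuthentication yes
    ChrootDirectory /srv/upload/%u
"""
```

Calling `audit_upload_group(WEAK, "uploaders")` reports that passwords are still accepted inside the jail, while the hardened config returns no findings for that group.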


