On Tue, Apr 24, 2007 at 12:48:46AM +0200, Rico Secada wrote:
> On Tue, 24 Apr 2007 00:05:51 +0200
> Joachim Schipper <[EMAIL PROTECTED]> wrote:
> 
> > On Mon, Apr 23, 2007 at 09:28:53PM +0200, Rico Secada wrote:
> > > Hi 
> > > 
> > > I need some comments from you guys on using sshfs as a solution at
> > > work. 
> > > 
> > > I need to make some of our NFS servers available for employees at
> > > their homes (where they live). I have been looking at both IPSec
> > > together with VPN, but I really like SSH better. At Debian mailing list
> > > I got a suggestion about using sshfs and nothing else, I really love
> > > SSH, but am a bit worried about users being able to ssh in. With
> > > sshfs the workers can mount their home directories like with nfs.
> > > 
> > > If userlands are set up chmod 700, and each user is in no groups but
> > > themselves, does this pose a security risk? 
> > 
> > This is a public mailing list. Trim your message at 72 columns.
> 
> Meaning?

Messages should look like:

Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod
tempor incididunt ut labore et dolore magna aliqua. Ut enim ad minim
veniam, quis nostrud exercitation ullamco laboris nisi ut aliquip ex ea
commodo consequat. Duis aute irure dolor in reprehenderit in voluptate
velit esse cillum dolore eu fugiat nulla pariatur. Excepteur sint
occaecat cupidatat non proident, sunt in culpa qui officia deserunt
mollit anim id est laborum.
123456789012345678901234567890123456789012345678901234567890123456789012

Not like:

Lorem ipsum dolor sit amet, consectetur adipisicing elit, sed do eiusmod tempor 
incididunt ut labore et dolore magna aliqua. Ut enim ad minim veniam, quis 
nostrud exercitation ullamco laboris nisi ut aliquip ex ea commodo consequat. 
Duis aute irure dolor in reprehenderit in voluptate velit esse cillum dolore eu 
fugiat nulla pariatur. Excepteur sint occaecat cupidatat non proident, sunt in 
culpa qui officia deserunt mollit anim id est laborum.

> > > [demime 1.01d removed an attachment of type application/pgp-signature 
> > > which had a name of signature.asc]
> > 
> > mail.html specifically states not to do this, and posting them as an
> > attachment is particularly useless.
> 
> I have got no idea what this is about. I haven't made any attachments.

Yes, you have: a new-style PGP signature is an attachment.

> > However, I presume you came here looking for advice that actually
> > pertains to your question.
> > 
> > sshfs uses FUSE, which is at the moment Linux-only. It's also an
> > interesting, but rather scary, contraption. Getting it installed might
> > not be easy. (I say 'might' because I've never tried it; for all I know,
> > all major distributions have a package and compile the relevant part
> > into their stock kernels. Does anybody have more information?)
> 
> Using OpenBSD as a server works perfectly. The server needs nothing
> more than SSH. About the client I have successfully set up Debian with
> fuse and it works perfectly with OpenBSD serving. I also know that
> FreeBSD has a port for client installation. Fuse uses the sftp part of
> SSH. On Debian all it takes is installing the package and using
> modprobe. On FreeBSD it should be almost as easy and quick.

Okay, so there's a FreeBSD port now. Cool.

Still, you can't access it from OpenBSD. I was just wondering if that is
a problem.

> > If the goal is to use SSH, you might want to take a look at ssh -w; I
> > believe that will work for you, but read the docs first. As an
> > alternative, consider switching to something with fixed port
> > allocations (CIFS/SAMBA, AFS) and port forwarding.
> > 
> > Finally, if confidentiality does not matter, consider authpf.
> > 
> > However, the proper way to set up a VPN is to set up a VPN.
> 
> The only concern I have is users snooping around because they are able
> to ssh in, besides that sshfs works like a charm and it's so easy and
> quick to set up. I have combined scponly with the servers, and that
> works well too, but since scponly isn't "safe", as in a lot of work is
> done security-wise, I would not want to run with that as a permanent
> solution. I trust OpenSSH over any VPN solution any day, but SSH might
> cause a problem in other areas, hence the question.

If you have a restrictive SSH setup (you might want to use sftp for the
user's shell, or force them to use that command - see ForceCommand in
sshd_setup(5), and you definitely want to disable port forwarding), I
don't think you will have too many problems.

                Joachim
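
Added example, not part of the original message: a small audit of sshd_config text for the two restrictions suggested above (a forced sftp command and no port forwarding), run over a weak and a hardened sample. ForceCommand and AllowTcpForwarding are documented in sshd_config(5); the group name sshfsusers, both sample configs and the simplified Match handling are assumptions made for the illustration.

```python
# Added example. Simplified model of sshd_config(5): only "Match Group <name>"
# with one literal group name is understood; other Match blocks are skipped.

DEFAULTS = {"allowtcpforwarding": "yes", "forcecommand": None}  # OpenSSH defaults

WEAK = """\
# constructed sample: sftp works, but so do shells and forwarding
Subsystem sftp /usr/libexec/sftp-server
"""

HARDENED = """\
# constructed sample; the group name 'sshfsusers' is hypothetical
Subsystem sftp internal-sftp
Match Group sshfsusers
    ForceCommand internal-sftp
    AllowTcpForwarding no
"""

def effective(config, group):
    """Return the settings that apply to a member of `group`."""
    glob, matched, section = {}, {}, None  # section None = global part
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            crit = value.split()
            hit = len(crit) == 2 and crit[0].lower() == "group" and crit[1] == group
            section = matched if hit else {}  # other blocks are discarded
        elif section is None:
            glob.setdefault(key, value)  # first value obtained wins
        else:
            section.setdefault(key, value)
    return {**DEFAULTS, **glob, **matched}  # Match overrides global

def findings(config, group):
    """List which of the two restrictions are missing for `group`."""
    eff, out = effective(config, group), []
    if "sftp" not in (eff["forcecommand"] or ""):  # heuristic name check
        out.append("no ForceCommand restricting the session to sftp")
    if eff["allowtcpforwarding"].lower() != "no":
        out.append("port forwarding is not disabled")
    return out

if __name__ == "__main__":
    print(findings(WEAK, "sshfsusers"), findings(HARDENED, "sshfsusers"))
```

A user outside the matched group gets none of the restrictions, so the audit has to be run per group that is allowed to log in.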
