Topic: Help with SFTP

[mmccarn]

I use DAV to get what you want (encrypted remote access to ibays): http://wiki.contribs.org/DAV

There are some oddities about how the authentication works, see Bug 4564 - I don't know if these have been addressed in the contrib itself.

[Stefano]

tdbsoft :
if you are interested, I've just built openssh5.3p1 rpms for centos 4.7

[Brenno]

So, I'm jumping into this thread a little late, but hopefully on point.

We have hired a web developer to produce some content for us that will be hosted on our 7.4 machine.  They need access to an ibay in order to deposit their work (and ongoing access for maintenance/updates).

In reading the best way to allow access, I see many warnings about using FTP due to the plain text transmission of credentials.  sFTP is encouraged, yet the wiki articles imply a security risk in enabling Remote Access via SSH.  VPN access is mentioned as an alternative here, but as tbdsoft points out, this is a little dicey as this web developer would have access not only to the SME server, where specific permissions will govern which files/folders are accessible, but will also have access to all IP nodes behind the SME server (we're running in server/gateway).

So... forgive my ignorance because I'm really not a guru at this, but what is the best way to grant an outside user access to a specific ibay? Or am I in a position of picking the lesser of a few evils?

[janet]

Brenno

sFTP is encouraged, yet the wiki articles imply a security risk in enabling Remote Access via SSH.

AFAIK sftp and ssh are different. I'm not aware of any security issues with ssh. You can ssh (using Putty) as a user rather than root and be very limited in what you can do/access, as determined by ssh access permissions granted to the user (seperate permission model than server manager groups). You can use the scp command to copy.


 

VPN access ..... is a little dicey ..... where specific permissions will govern which files/folders are accessible, but will also have access to all IP nodes behind the SME server

The permission model is governed by Group membership, the use of which should be standard in all sme installations. When correctly setup, a VPN user would have NO access to ibays on the server unless or until they are made a member of the Group that owns the ibay. If you wish to limit access to one ibay for uploading files for a specific website, then you create a unique Group that ONLY your web developer is a member of. They and admin will be the only people who can access that ibay via samba.
Re access to all other hosts (IP's) on the network, this would usually be limited by domain membership. All host access would only be granted to users who have logged into the domain, and basic VPN access does not log a user into the domain. Again a VPN user cannot access hosts(IP's) behind sme unless they have permission to do so.
Typically a VPN user would be a trusted user as VPN access needs to be enabled on a per user basis, they need to firstly be a sme user (with limited access permissions if required), but VPN access needs to be enabled too.

Re giving a user access to an ibay, I see no problem with VPN on a system configured correctly.

You could also use ssh/Putty or WinSCP and login as a user with limited access permissions, which both use the ssh protocol which is known to be secure.

With sftp the ability to see folders is somewhat irrelevant if you don't have permission to access them. There is a suggestion made to use a newer openssh rpm which may fix the chroot jail issue and therefore resolve this problem.

You can use WebDAV as suggested with it's potential bugs.

[Brenno]

Mary - thanks for your input.  I did some brainstorming...

I think what I've settled on is giving the user VPN access (since they already have to have a valid account on the SME box) and then having them use a standard FTP client through the VPN tunnel (via internal IP of the server, which will be reachable once the VPN is established) and using the sme_remoteuseraccess contrib to sandbox or jail the user to the specific ibay in question.

This should limit the amount of access they have to the SME box while also limiting the amount of changes I have to make to the remote access settings in server-manager.  Additionally, since the user will be connected via VPN, they'll essentially be on the local network and I can turn off FTP access from outside networks, which is a gain.  I guess I'll think of a way to limit their ability to snoop about in the network, though I imagine they'd not risk the intrusion for fear of reprisal (though I understand potential risks may exist due to situations out of the user's control, such as viruses or malware which may probe the network unbeknowst to the user).

Does this sound reasonable?  Any advice?

[tdbsoft]

Brenno

AFAIK sftp and ssh are different. I'm not aware of any security issues with ssh. You can ssh (using Putty) as a user rather than root and be very limited in what you can do/access, as determined by ssh access permissions granted to the user (seperate permission model than server manager groups). You can use the scp command to copy.

ssh works well and security is not a issue.  Webshare works well but the backup program we have chosen needs a mapped drive or sftp.  sftp would be perfect unfortunately not ready yet.  Investigating using VPN with security tunneling as suggested by Mary as that may work or alternately may need to setup on a separate Linux PC with sftp using Ubuntu, Centos, Red hat etc.

 
The permission model is governed by Group membership, the use of which should be standard in all sme installations. When correctly setup, a VPN user would have NO access to ibays on the server unless or until they are made a member of the Group that owns the ibay. If you wish to limit access to one ibay for uploading files for a specific website, then you create a unique Group that ONLY your web developer is a member of. They and admin will be the only people who can access that ibay via samba.
Re access to all other hosts (IP's) on the network, this would usually be limited by domain membership. All host access would only be granted to users who have logged into the domain, and basic VPN access does not log a user into the domain. Again a VPN user cannot access hosts(IP's) behind sme unless they have permission to do so.
Typically a VPN user would be a trusted user as VPN access needs to be enabled on a per user basis, they need to firstly be a sme user (with limited access permissions if required), but VPN access needs to be enabled too.

Re giving a user access to an ibay, I see no problem with VPN on a system configured correctly.

You could also use ssh/Putty or WinSCP and login as a user with limited access permissions, which both use the ssh protocol which is known to be secure.

With sftp the ability to see folders is somewhat irrelevant if you don't have permission to access them. There is a suggestion made to use a newer openssh rpm which may fix the chroot jail issue and therefore resolve this problem.

You can use WebDAV as suggested with it's potential bugs.

[tdbsoft]

tdbsoft :
if you are interested, I've just built openssh5.3p1 rpms for centos 4.7

Yes please, could you post or email.

[janet]

Brenno

There is no need to use the added layer of ftp & sandboxing complexity inside the network unless you prefer the "ftp browser" interface. You can leave both external or internal ftp disabled.

Just establish the VPN connection and map a drive letter to the ibay in question via a small batch file, see
http://wiki.contribs.org/VPN_practical_tips#Establishing_connections_.26_drive_mapping
or connect directly to the drive via My Network Places \\servername\ibayname.
Access will have been allowed/limited in server manager via Group membership, and then use Windows Explorer to copy the files to the ibay/html folder. Couldn't be easier.

[Stefano]

Yes please, could you post or email.

please follow up here;
you'll find the src.rpm to be compiled on a test machine..
actually this feature needs modifications to SME's dir permission so it's dangerous