Koozali.org: home of the SME Server

User/group access management

Dave Pilcher

User/group access management
« on: September 20, 2001, 12:50:50 AM »
Hi,

Looks like an excellent product (played briefly) but looks weak in terms of granting user/group access to specific services.

For instance you can grant access to a Group to the i-bays (although only one group!), but I'm after real flexibility... for instance under each group/user to add an option to allow remote access to each service: ssh/ftp/vpn/pop3 etc.

That way I can define groups of users whom I wish to grant access to specific services... much better security.

Perhaps I'm just missing something, but cannot find anything like this at all.

Thanks,

Dave

Graeme Robinson

Re: User/group access management
« Reply #1 on: September 20, 2001, 04:44:18 AM »
At 07:50 PM 19/09/2001 +0000, you wrote:
>Looks like an excellent product (played briefly) but looks weak in terms of
>granting user/group access to specific services.

Oh?

>For instance you can grant access to a Group to the i-bays (although only
>one group!)

If you've ever worked on an NT server where an admin has mixed giving user access to shares and groups you will begin to understand this is actually by design and a very good feature.  Users can be members of multiple groups so there is no restriction here, just a different way of managing access that is much easier to control/analyse.

>but I'm after real flexibility... for instance under each
>group/user to add an option to allow remote access to each service:
>ssh/ftp/vpn/pop3 etc.

This level of complexity might seem attractive but it's just an additional and IMV unwanted layer.  All these services are already controlled by user permissions.  If you mean external pop3 access, you don't want it anyway as it is insecure and secure mail access is provided by secure webmail or VPN access.  FTP access is controlled by setting group access to the ftp-enabled ibay and making relevant users group members.  VPN access gives users the same access to the system remotely as they have locally.

Restricting access to the VPN link could be handy but is a low priority for me - 99% of users wouldn't know how to configure it and is an access issue, not a security issue.  Access is logged so if employees are using it who shouldn't be you could just tell them to stop :-)

>That way I can define groups of users whom I wish to grant access to
>specific services... much better security.
>Perhaps I'm just missing something, but cannot find anything like this at
>all.

Dave Pilcher

secure remote email
« Reply #2 on: September 20, 2001, 03:10:35 PM »
Thanks for that reply.

I'm interested in your statement re pop3 access being insecure.

We have users that use pop3 mail readers (OE, netscape etc), needing remote access.

Webmail is a pain to use (online use only).

What other (better/more secure) options are there?  I know you mention VPN.

e.g. thoughts on IMAP, pop3s

Many thanks,

Dave

Graeme Robinson

Re: secure remote email
« Reply #3 on: September 21, 2001, 04:11:09 AM »
POP3 outside your LAN is insecure because plain text usernames and passwords are transmitted in the authorisation phase.  This is why POP3 is switched off in e-smith.

VPN creates a secure encrypted link to your server which then allows secure POP3/IMAP mail exchange to happen.

IMAP is preferable to POP3 for a couple of reasons:
- because it is all server-side and will get backed up.  You can configure POP3 so that all data files are on the server too, however (by putting them in the users' home directory).
- because you can access your IMAP folders using webmail
- because you can switch IMAP clients easily and with minimal reconfiguration.

Dave Pilcher

Re: secure remote email
« Reply #4 on: September 21, 2001, 02:32:20 PM »
Thanks for that.

Would making POP3 use SSL (using stunnel) prevent passwords from being passed as plaintext, thereby removing the plaintext risk?

Dave

Graeme Robinson

Re: secure remote email
« Reply #5 on: September 22, 2001, 04:35:27 AM »
Yes it would.  VPN is a tunnelling protocol, but you can use SSH to achieve the same result.

Dan York

Re: secure remote email
« Reply #6 on: September 24, 2001, 06:42:32 PM »
Dave,

> Would making POP3 use SSL (using stunnel) prevent passwords
> from being passed as plaintext, thereby removing the
> plaintext risk?

We also know of many folks using PPTP to access their POP3/IMAP e-mail remotely.  From their remote location, they first initiate a PPTP connection to their e-smith/SME server, then retrieve their email via POP3 or IMAP from the server.  PPTP provides the encryption in that case.

Note that *both* POP3 and IMAP use plaintext passwords.

Dan

Dave Pilcher

Re: secure remote email
« Reply #7 on: September 24, 2001, 11:38:26 PM »
Hi Dan,

pop3 does use plaintext... but pop3s runs over an SSL encrypted link, so is not plaintext...?

I believe I am right, but please correct me if I am wrong.
The disadvantage with PPTP is it gives access to the whole network?

I would love to be able to give only selected people access to PPTP.... is there a way of doing this?

Thanks,

Dave

Tim Jung

Re: secure remote email
« Reply #8 on: October 14, 2001, 08:51:04 AM »
Don't forget though that you can get secure POP3 by just forcing the APOP authentication protocol, which passes the login and password encrypted between the client and the server. Also it is more supported among Windows clients than some of the other options mentioned here.

I would recommend that you compile in APOP support in the POP3 daemon and then get e-smith setup to do the authentication that way.

Also it would be nice to see SMTP_Auth supported in the next release for roaming users so they don't have to reconfigure their email clients when in the office versus travelling/roaming.
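As an added illustration (not code from this thread, nor from e-smith/SME Server or its POP3 daemon), the Python below walks through the APOP exchange Tim refers to, per RFC 1939: the server greeting carries a per-connection timestamp, and the client answers with MD5(timestamp + secret) so the secret itself never crosses the wire. The host name, user and secret are constructed for the demo.

```python
import hashlib
import hmac
import os
import re
import time
from typing import List, Optional

# Constructed demo secret store. APOP requires the server to hold the
# shared secret in recoverable form; a one-way password hash cannot be used.
USER_SECRETS = {"dave": "correct horse"}

# The APOP timestamp is the bracketed token in the greeting: <pid.clock@host>
_TIMESTAMP_RE = re.compile(r"<[^>]+>")


def apop_banner(pid: Optional[int] = None, now: Optional[int] = None,
                host: str = "smeserver.example.invalid") -> str:
    """Server greeting that advertises APOP via a unique timestamp."""
    pid = os.getpid() if pid is None else pid
    now = int(time.time()) if now is None else now
    return f"+OK POP3 server ready <{pid}.{now}@{host}>"


def apop_digest(timestamp: str, secret: str) -> str:
    """RFC 1939 section 7: MD5 over the timestamp (brackets included) + secret."""
    return hashlib.md5((timestamp + secret).encode()).hexdigest()


def apop_client_command(banner: str, user: str, secret: str) -> str:
    """Build the client's APOP command from the greeting it received."""
    m = _TIMESTAMP_RE.search(banner)
    if not m:
        raise ValueError("server greeting carries no APOP timestamp")
    return f"APOP {user} {apop_digest(m.group(0), secret)}"


def apop_server_verify(banner: str, command: str) -> bool:
    """Server side: recompute the digest for this session and compare."""
    parts = command.split()
    if len(parts) != 3 or parts[0] != "APOP":
        return False
    user, digest = parts[1], parts[2]
    secret = USER_SECRETS.get(user)
    timestamp = _TIMESTAMP_RE.search(banner)
    if secret is None or timestamp is None:
        return False
    expected = apop_digest(timestamp.group(0), secret)
    return hmac.compare_digest(expected, digest)


def plain_login_commands(user: str, secret: str) -> List[str]:
    """For contrast: the USER/PASS exchange sends the secret verbatim."""
    return [f"USER {user}", f"PASS {secret}"]
```

Because the digest is bound to the session timestamp, a captured APOP command is useless against a later session; APOP does not, however, protect the username, the mailbox contents or any later commands, which is what pop3s over stunnel (discussed earlier in the thread) adds.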