On Mon, Sep 18, 2006 at 11:23:52AM -0400, Brian Shackelford wrote:
> Hello,
>
> I have been following this thread and am extremely interested in any
> solutions to the presented scenarios. We use OpenBSD to build
> firewall/Spam filtering boxes customized as needed by our customers.
>
> I have been working on developing a Python client for Windows that would
> open/maintain an SSH connection by reading the windows username OR by
> having a configurable username/password that is stored (encrypted) on
> the client system.
>
> If only our customers would use BSD workstations...sigh...
>
> Alternatively we have looked at writing a small server piece that simply
> modifies the tables in PF as needed as well and custom writing a piece
> of software for the Win32 clients (again in python) that would do the
> same thing as above - just it would communicate with the custom server.
>
> The only issue we have with the second option is security concerns as we
> are not hard-core programmers at heart so I would prefer the simpler
> scripted solution. In that light - the first solution would be better
> from our point of view - but I am sure there is a flaw in it somewhere.
>
> As to when the client disconnects - the ssh session will close when the
> system is turned off - and we can also have a notification icon on the
> taskbar to control the connection.
>
> While a web-based solution would be more than ideal - I think what I
> have will work. What our clients need is a piece of software that
> doesn't require much user interaction - even PuTTY would be hard to
> convince them to use. So we hide everything behind a pretty GUI and do
> the same things through a custom written app.
>
> Please feel free to tear my every simple plan to shreds....I can take
> it.
Your first solution is most likely ideal; SSH already has pretty good
security, and is sufficiently easy to use that it's hard to make a
mistake that will cost (much) security. However, you might need some
way to separate your clients from one another. Maybe a switch which
simply doesn't route from client a to client b (VLANs could be used),
or running everything over some sort of VPN (IPsec, OpenVPN) and
blocking all other packets. The latter would require some additional
software, though...

Joachim
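The server-side half of the first design discussed above (an SSH session that keeps the client's address in a PF table and drops it when the session ends), as an added example that is not code from either poster. It assumes pf.conf carries a table named <sshclients> referenced by the pass rules, and that this script is installed as the forced command or login shell of the account the Windows client logs in with; the table name, the rules and the environment variable overrides are assumptions for illustration.

```sh
#!/bin/sh
# Added example, not from the thread. Assumed pf.conf fragment:
#   table <sshclients> persist
#   pass in quick from <sshclients> to any
# Run as the forced command / login shell of the SSH account. While the
# session is open the client address is in the table; when sshd closes
# the session (GUI closed, machine shut down, link dropped) it is removed.

TABLE=${TABLE:-sshclients}       # assumed table name
PFCTL=${PFCTL:-/sbin/pfctl}      # overridable so the script can be dry-run

# SSH_CLIENT is "clientaddr clientport serverport"; return only the address.
# Anything that is not an IPv4/IPv6 address is rejected, so a malformed or
# forged environment cannot feed arbitrary arguments to pfctl.
client_addr() {
    set -- $1
    case $1 in
        *[!0-9a-fA-F:.]*|"") return 1 ;;
    esac
    printf '%s\n' "$1"
}

add_client() { "$PFCTL" -q -t "$TABLE" -T add "$1"; }
del_client() { "$PFCTL" -q -t "$TABLE" -T delete "$1"; }

if [ -n "$SSH_CLIENT" ]; then
    addr=$(client_addr "$SSH_CLIENT") || exit 1
    add_client "$addr"
    # Signals from sshd (HUP on disconnect) turn into a normal exit, and
    # the EXIT trap removes the table entry exactly once.
    trap 'exit' HUP INT TERM
    trap 'del_client "$addr"' EXIT
    echo "access granted for $addr; keep this session open"
    # Block until sshd closes our stdin; falling off the end fires the trap.
    while read -r _line; do :; done
fi
```

The client program only has to hold the connection open; it needs no privileges on the box and nothing to do but exist. OpenBSD already ships authpf(8), which implements this pattern with per-user rule loading and logging, so in practice it is the thing to reach for rather than a home-grown script.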