On Tue, 24 Apr 2007 00:05:51 +0200
Joachim Schipper <[EMAIL PROTECTED]> wrote:

> On Mon, Apr 23, 2007 at 09:28:53PM +0200, Rico Secada wrote:
> > Hi 
> > 
> > I need some comments from you guys on using sshfs as a solution at
> > work. 
> > 
> > I need to make some of our NFS servers available for employees at
> > their homes (where they live). I have been looking at both IPSec
> > together with VPN, but I really like SSH better. On the Debian mailing
> > list I got a suggestion about using sshfs and nothing else. I really
> > love SSH, but am a bit worried about users being able to ssh in. With
> > sshfs the workers can mount their home directories like with nfs.
> > 
> > If userlands are set up chmod 700, and each user is in no groups but
> > themselves, does this pose a security risk? 
> 
> This is a public mailing list. Trim your message at 72 columns.

Meaning?

> > [demime 1.01d removed an attachment of type application/pgp-signature which 
> > had a name of signature.asc]
> 
> mail.html specifically states not to do this, and posting them as an
> attachment is particularly useless.

I have got no idea what this is about. I haven't made any attachments.

> However, I presume you came here looking for advice that actually
> pertains to your question.
> 
> sshfs uses FUSE, which is at the moment Linux-only. It's also an
> interesting, but rather scary, contraption. Getting it installed might
> not be easy. (I say 'might' because I've never tried it; for all I know,
> all major distributions have a package and compile the relevant part
> into their stock kernels. Does anybody have more information?)

Using OpenBSD as a server works perfectly. The server needs nothing more than 
SSH. About the client I have successfully set up Debian with fuse and it works 
perfectly with OpenBSD serving. I also know that FreeBSD has a port for client 
installation. Fuse uses the sftp part of SSH. On Debian all it takes is 
installing the package and using modprobe. On FreeBSD it should be almost as 
easy and quick.

> If the goal is to use SSH, you might want to take a look at ssh -w; I
> believe that will work for you, but read the docs first. As an
> alternative, consider switching to something with fixed port
> allocations (CIFS/SAMBA, AFS) and port forwarding.
> 
> Finally, if confidentiality does not matter, consider authpf.
> 
> However, the proper way to set up a VPN is to set up a VPN.

The only concern I have is users snooping around because they are able to ssh 
in, besides that sshfs works like a charm and it's so easy and quick to set up. I 
have combined scponly with the servers, and that works well too, but since 
scponly isn't "safe", as in a lot of work is done security-wise, I would not 
want to run with that as a permanent solution. I trust OpenSSH over any VPN 
solution anyday, but SSH might cause a problem in other areas, hence the 
question.

Thanks Joachim.

>               Joachim
> 
> -- 
> TFMotD: amd (8) - automatically mount file systems
> 
> 
-- 
Best and kind regards
Rico Secada
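
The setup described in the question (home directories at mode 700, each user in no group but their own) can be verified on the server before shell logins are allowed. The following is an added example, not part of the original thread: the function names and the sample passwd/group data are constructed for illustration, and the input is assumed to be in the standard colon-separated passwd and group layout.

```python
import os
import stat

def loose_homes(base):
    """Return {name: octal mode} for directories under base that grant
    any group/other permission, i.e. are looser than 0700."""
    loose = {}
    for entry in os.scandir(base):
        if entry.is_dir(follow_symlinks=False):
            mode = stat.S_IMODE(entry.stat(follow_symlinks=False).st_mode)
            if mode & 0o077:  # any group or other bit set
                loose[entry.name] = f"{mode:04o}"
    return loose

def shared_groups(passwd_text, group_text):
    """Return {group: sorted members} for every group holding more than
    one user, counting primary (passwd gid) and supplementary members."""
    gid_name, members = {}, {}
    for line in group_text.strip().splitlines():
        name, _pw, gid, users = line.split(":")
        gid_name[gid] = name
        members[name] = {u for u in users.split(",") if u}
    for line in passwd_text.strip().splitlines():
        fields = line.split(":")
        user, gid = fields[0], fields[3]
        # Fall back to the numeric gid if no group entry names it.
        members.setdefault(gid_name.get(gid, gid), set()).add(user)
    return {g: sorted(m) for g, m in members.items() if len(m) > 1}

# Constructed sample data (not from any real system).
SAMPLE_PASSWD = """\
alice:*:1001:1001:Alice:/home/alice:/bin/ksh
bob:*:1002:1002:Bob:/home/bob:/bin/ksh
carol:*:1003:1002:Carol:/home/carol:/bin/ksh
"""
SAMPLE_GROUP = """\
alice:*:1001:
bob:*:1002:
staff:*:20:alice,bob
"""

if __name__ == "__main__":
    print(shared_groups(SAMPLE_PASSWD, SAMPLE_GROUP))
    if os.path.isdir("/home"):  # assumed location of the home directories
        print(loose_homes("/home"))
```

An empty result from both functions means the preconditions stated in the question hold; any entry is a directory or group through which one logged-in user could reach another's files.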
