On Thu, Jan 24, 2008 at 05:58:57PM -0500, Daniel Ouellet sez:
> Hi,
>
> I need some possible suggestions, if I may ask, to not set up, or have to
> set up, WebDav on OpenBSD to allow users to do their web folder stuff. It
> can be set up with ftp, for example, to allow them to map a folder in their
> "network place" on XP, but then they can't do the stupid
> "save as", and just for that they want to use WebDav. However, then
> it needs to allow write access via http, and the full load of issues that
> could come with that when combined with php, etc.
>
> I only allow ssh access, and in very special cases I had accepted ftp
> from specific locations controlled via PF, but because of the stupid save
> as, they are screaming for WebDav, or mod_dav, which I really would like
> to avoid totally.
>
> I just don't see the benefit worth the risk required to allow it.
>
> Maybe I am wrong and someone could enlighten me, which I would very much
> appreciate, but again, maybe there is an alternative using SSH that I
> do not know.
>
> I provided WinSCP years ago and it sure works well, plus I can control
> access via ssh with PF too, which I would lose introducing WebDav.
>
> I hate all these users that can only work using a GUI-like interface all
> the time and feel they need everything to be done via http.
>
> Can anyone provide me some ideas or alternatives here, as I am running
> out of them, and being viewed as the asshole that always refuses flexibility
> for security is fine, but maybe there is something I can do to keep it
> safe and give the whiners a bone.
>
> I hate the Microsoft-centric biased users that care less for security, but
> would also be the first to scream should there be a compromise too.
>
> Any suggestions here?
>
> Sorry for the somewhat off-topic question, but I need suggestions if
> there are any.
>
> Best,
>
> Daniel.
>

I don't know if this will help, since it'll involve the windows users having to install the M$ loopback adapter on their boxes & configure it. It's what I use on my network for the windows boxes to access the OpenBSD boxes via ssh. And all windows users are using cygwin, not putty or some other gui.

In my case, I only allow passwordless logins using rsa keys & authorized_keys files instead. If you allow password logins, it wouldn't be a problem. No idea how many users you have, so I guess it could turn into an admin's nightmare if you had to go into each user's $HOME/.ssh & do the setup there. I guess you could send out a notice & give them a deadline to ssh in & set it up themselves. But we're talking windows users here. ;)

Anyway, here's the link for setting up samba over ssh:

http://assela.pathirana.net/Samba_over_SSH_--_Opening_Windows_to_
UNIX_safely_and_reliably

That's all one line above. I dropped part of it down for the 72 character rule.

As the article shows, instead of having to open a cygwin prompt, then issue the tunneling command, the whole thing can be automated with a script & a windows service started on boot. When the user clicks start, run, types in the IP address & enter, explorer will open showing them their samba shares. So, there's the gui they crave. ;)

Hope this helps some.

--
Denny White
All messages scanned by ClamAssassin
http://jameslick.com/clamassassin/
===============================================================
GnuPG key  : 0x1644E79A | http://wwwkeys.nl.pgp.net
Fingerprint: D0A9 AD44 1F10 E09E 0E67 EC25 CB44 F2E5 1644 E79A
===============================================================