
Re: [K12OSN] How to make K12LTSP accessible via Internet



Ok, so you need to let normally remote users access files in their homedir
via a dial-up internet connection.  I'm assuming that these users are
using some flavor of Windows on their laptops?

If so, you could use PPTP to establish a VPN connection from the Windows
based laptop back to your network over the internet.  Then you could share
the files via samba with the remote user over the PPTP tunnel.  It would
be slow, but it could be done.  It would also be quite easy for the remote
user, and would allow them to drag and drop files from their laptop to
their homedir on your server.

IIRC, the K12LTSP distribution includes the entire freely available Red Hat
distribution.  This means that it includes Apache and PHP.  They may not
be installed on the server by default, but they should be in the ISO
images and easily accessible.

You can read more about Zope at http://www.zope.org/

In this scenario your remote user could authenticate with your LTSP server
(assuming it's configured to accept connections on the proper ports and
has the required services running) via http/https and be presented with
either a directory listing or some sort of web-based interface (this is
where php, Zope, Tomcat, etc. could come into play) to their files.  If
you're using https and have been very careful with your scripting and ip
filtering rules then this is probably one of the more secure methods of
providing access to files.  Uploads from the user back to the server could
be a problem, but can be gotten around.  My personal preference for this
sort of remote access would be Apache+SSL running in front of Zope via some
proxy-pass rules.  Zope can abstract all of the actual file access and
authentication quite easily.  Regardless, if you choose this route I would
definitely use SSL (i.e., https).  You'll need to create what's called a
Self Signed Certificate, or buy a real Certificate from someone like
Verisign.  I have no idea what they are charging now.  The last time I
looked into it (a few years ago) it was on the order of $800/year.
This is the type of Certificate that an online retailer like Amazon.com
would get to provide some measure of security to their online ordering
system.  A Self Signed Certificate will work fine and won't cost you
anything, but the browser the remote user is using will pop up a warning
message about the Certificate not being signed by a trusted entity (like
Verisign) every time they connect to download a file.

SCP is Secure Copy, and is part of the OpenSSH package (that you probably
already have on those K12LTSP CDs, if not already installed).  It's very
similar to the unix/linux 'cp' command used for copying files from one
place on your system to another.  It's basically a remote cp tunneled
through SSH.  It should be a very secure solution.  Again, you're going to
have to open up your firewall to allow SSH (which provides the secure
tunnel for SCP), TCP - port 22, to connect to your LTSP server.  You may
also need to configure the IP filtering on the LTSP server to accept
incoming connections on port 22.

As someone else pointed out, make sure you know what you're doing before
you start trying to configure ip filtering rules on your firewall or your
LTSP server.  The order of the rules is significant, and it's very easy to
misconfigure something and leave yourself wide-open to the internet.

Jeff


On Fri, 6 Dec 2002, Stephen Liu wrote:

> Hi jeffr,
>
> Thanks for your response and multiple suggestions
>
> At 03:39 PM 12/3/2002 -0600, jeffr odeon net wrote:
>
> >At this stage it would probably be very useful for the original poster to
> >explain what sort of file sharing they are looking for.
>
> While traveling abroad, making use of his notebook and a telephone cable to
> go to the remote user's home directory in the server with password to view
> and retrieve his own files
>
> >  it's fairly easy to let people grab files via http/https.  Providing
> > people with files via
> >https is arguably the easiest and most secure method.
>
> Could you please explain in more detail.  K12osn is not a web server
> without Apache and PHP installed
>
> >Easiest to use, not
> >necessarily the easiest to set up.  Still, a little PHP/Zope/Tomcat/etc.
> >work may provide a robust solution.
>
> I have heard of Tomcat before but never used it.  Zope is new to me.
>
> >FTP is another (arguably bad) method of sharing files.  I say bad because
> >it's not secure (passes authentication information in clear text) and it's
> >a pain to firewall (due to its multi-port nature, and let's just avoid the
> >whole active vs. passive issue).
>
> Yes, you are right.  FTP is easy to set up.  It is not my choice.
>
> >- snip -
> >
> >There are a multitude of other options.  SCP comes to mind,
>
> What is SCP?  Is it reliable and easy to set up?
>
> Thanks in advance.
>
> B.Regards
> Stephen Liu
>
>
> >as do others.
> >The bulk of these don't require anything extra to be installed on your
> >LTSP server.  They may or may not require software on the client side (the
> >machine you're connecting to the server from).
> >
> >As I said, the right solution is going to depend on exactly what the
> >original poster is trying to accomplish.  If they just need to let a
> >student send an assignment home, then an attachment to an e-mail may even
> >be the right way to transfer (small) files from an account on an LTSP
> >server to an off-site (i.e., not on the lan/wan) system.
> >
> >Jeff
> >
> >
> >On Tue, 3 Dec 2002, Julius Szelagiewicz wrote:
> >
> > > Steve,
> > >       you are half-way right. There is no built-in security in samba or
> > > nfs, but there is nothing stopping you from using FreeSwan or ssh. julius
> > >
> > > On Wed, 4 Dec 2002, Steve Wright wrote:
> > >
> > > > Stephen Liu wrote:
> > > >
> > > > > Hi all folks,
> > > > >
> > > > > What other packages shall be added to K12LTSP to make it accessible
> > > > > via Internet to login for file sharing
> > > >
> > > >
> > > > No packages need to be added.  Simply open your firewall to the internet.
> > > >
> > > > The problem is, the file sharing software for Linux is not secure enough
> > > > to do this.
> > > >
> > > > You will be very vulnerable if you do this, and I would not recommend it.
> > > >
> > > > You will be able to use ssh (secure shell) to tunnel in and perhaps do
> > > > the job securely that way, but you will need an experienced Linux
> > > > Security Consultant to do this, and this is not something that I can
> > > > describe over email to you.
> > > >
> > > >
> > > > regards,
> > > > Steve
> > > >
> > > >
> > > >
> > > >
> > > > _______________________________________________
> > > > K12OSN mailing list
> > > > K12OSN redhat com
> > > > https://listman.redhat.com/mailman/listinfo/k12osn
> > > > For more info see <http://www.k12os.org>
> > > >
> > > >
> > >
> > >
> > >
> > > _______________________________________________
> > > K12OSN mailing list
> > > K12OSN redhat com
> > > https://listman.redhat.com/mailman/listinfo/k12osn
> > > For more info see <http://www.k12os.org>
> > >
> > >
> > >
>
>
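
The warning in the message above that rule order is significant can be checked mechanically before a rule set goes live. The following is an added example, not part of the original thread: it models a first-match packet filter in simplified form (not ipchains or iptables syntax), and the rule sets and addresses are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "ACCEPT" or "DROP"
    src: str               # source network, CIDR notation
    port: Optional[int]    # destination TCP port, None = any port

    def matches(self, src_ip, port):
        in_net = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.src)
        return in_net and (self.port is None or self.port == port)

    def covers(self, other):
        """True if every packet matching `other` also matches this rule."""
        net_ok = ipaddress.ip_network(other.src).subnet_of(
            ipaddress.ip_network(self.src))
        return net_ok and (self.port is None or self.port == other.port)

def decide(rules, src_ip, port, policy="DROP"):
    """First matching rule wins; the default policy applies if none match."""
    for rule in rules:
        if rule.matches(src_ip, port):
            return rule.action
    return policy

def shadowed(rules):
    """Return (earlier, later) pairs where `later` can never fire because an
    earlier rule with a different action already matches all of its traffic."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if earlier.covers(later):
                if earlier.action != later.action:
                    found.append((earlier, later))
                break  # first covering rule decides; stop looking
    return found

# Constructed rule sets: SSH (port 22) open to the internet for SCP, one
# network blocked from SSH, Samba (port 139) for the LAN only.
ALLOW_SSH = Rule("ACCEPT", "0.0.0.0/0", 22)
BLOCK_NET = Rule("DROP", "203.0.113.0/24", 22)
LAN_SAMBA = Rule("ACCEPT", "192.168.0.0/24", 139)

MISORDERED = [ALLOW_SSH, BLOCK_NET, LAN_SAMBA]   # the block is never reached
FIXED = [BLOCK_NET, ALLOW_SSH, LAN_SAMBA]        # specific rule goes first

if __name__ == "__main__":
    for earlier, later in shadowed(MISORDERED):
        print("never fires:", later, "because of", earlier)
    print(decide(MISORDERED, "203.0.113.7", 22), decide(FIXED, "203.0.113.7", 22))
```

Both lists contain the same three rules; only their order differs, and only the first one lets the blocked network reach SSH.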




