Secure file sharing over internet?

[ctl]

Hi, I have a server that I want to use to share files with users over the internet. The users will be using Linux, Windows, or Mac OS X, and I want them to have write access.

I was planning on using Samba, but I've read that it's a bad idea to use Samba over the internet for security reasons. What is the best software/protocol to achieve this?

Thanks

[Kulfaangaren!]

This might be one alternative.

http://www.sublimation.org/scponly/wiki ... /Main_Page

The whole idea is to allow only read and write access but no execute (scp and sftp).
Apparently it can chroot the users as well.

Clients for sftp exists for all OSes.

// Fredrik

[neonknight]

Maybe you also want to take a look at webdav or ftp, as they can be handled by every of the mentioned operating systems without installing additional software on the client side. Another argument is of course the easy implementation of SSL, which secures transmission of passwords and data over the internet.

You could also use Samba over an OpenVPN-tunnel, but the Samba-connection might not be stable enough over a low-speed/high-latency internet path.

[TheAbu]

I would say, one of the most secure way to do that would be vsftpd, allowing only SSL connection, with virtual user to limit what can be done on your computer (no shell access, no real account on your machine). Safe enough to stop everyone but a very motivated (and skilled) hacker.

[ewaller]

I agree with TheAbu. You can go one better by handing your clients the keys rather than automatically exchanging them on the first connection.

Don't use Samba. I allow it on my home network -- behind the firewall. It is blocked in both directions at the router.

[Kulfaangaren!]

The title said "secure filetransfer" so I would not suggest FTP-S (not to be confused with SFTP), SSL encrypted ftp, which is what the above posts seem to suggest.
The difference is that FTP-S usually only encrypts the command channel (commands and directory listings) leaving the data unencrypted which people can still sniff/intercept.
I still suggest SFTP as the best alternative. Many FTP (Linux/Windows/MacOS X) clients also supports SFTP and all traffic is encrypted, both data and commands.

// Fredrik

[magic919]

Worth adding that FTPS can encrypt the data channel too.

[Kulfaangaren!]

Worth adding that FTPS can encrypt the data channel too.

Yes, that is correct but it requires specialized server and client. The normal mode (as far as I know) is to encrypt only the command channel.
He wanted an OS agnostic (is that the right word?) solution and SFTP is a simple way of encrypting file transfer traffic that is available on all OSes both as server and client.

// Fredrik

[malern]

The latest version of OpenSSH can do restricted sftp by itself without needing any patches or things like scponly

I've set it up on my machine by adding the following to /etc/ssh/sshd_config

Code: Select all

Match Group ftpusers
 X11Forwarding no
 AllowTcpForwarding no
 ChrootDirectory /var/ftpincoming
 ForceCommand internal-sftp

Basically it restricts all users in the "ftpusers" group to sftp only (i.e. no real shell access or forwarding), and chroots them in the /var/ftpincoming dir. You'd have to create the group and dir first, but nothing else is needed.

[Kulfaangaren!]

Goodie goodie! Thx for the info

[ibasaw]

hi

Whan i do this

The latest version of OpenSSH can do restricted sftp by itself without needing any patches or things like scponly

I've set it up on my machine by adding the following to /etc/ssh/sshd_config

Code: Select all

Match Group ftpusers
 X11Forwarding no
 AllowTcpForwarding no
 ChrootDirectory /var/ftpincoming
 ForceCommand internal-sftp

Basically it restricts all users in the "ftpusers" group to sftp only (i.e. no real shell access or forwarding), and chroots them in the /var/ftpincoming dir. You'd have to create the group and dir first, but nothing else is needed.

i got an error on the client: sftp is not supported

How to resolve this

Thanks

[Kulfaangaren!]

hi
----- 8< Snipp! Snipp! >8 -----
i got an error on the client: sftp is not supported

How to resolve this

Thanks

Please do not abreviate error messages.
Please post log entries and relevant console output in code-tags and we will try to help.

Cheers

// Fredrik

[depontius]

The latest version of OpenSSH can do restricted sftp by itself without needing any patches or things like scponly

I've set it up on my machine by adding the following to /etc/ssh/sshd_config

Code: Select all

Match Group ftpusers
 X11Forwarding no
 AllowTcpForwarding no
 ChrootDirectory /var/ftpincoming
 ForceCommand internal-sftp

Basically it restricts all users in the "ftpusers" group to sftp only (i.e. no real shell access or forwarding), and chroots them in the /var/ftpincoming dir. You'd have to create the group and dir first, but nothing else is needed.

Slightly off-topic, but this comes close to something I'd like to do.

I'd like to use an account for TcpForwarding ONLY, no shell, no sftp. I've tried several ways to do this, without luck, though I have limited time. Do you already know how to do such a thing?

[malern]

I'd like to use an account for TcpForwarding ONLY, no shell, no sftp. I've tried several ways to do this, without luck, though I have limited time. Do you already know how to do such a thing?

What I use is;

Code: Select all

Match User tunnel
 X11Forwarding no
 AllowTcpForwarding yes
 ForceCommand /sbin/nologin

On the client you have to add the "-N" switch to ssh which will stop it trying to execute a remote command (which would make it exit straight away).

[depontius]

Interesting... I've tried it, and so far it didn't work. I think part of the problem is that I've tried to have an "integrated AFS login" so that part isn't letting me get in without a password. Of course the integrated AFS login has never worked with ssh anyway, but I've got the hooks in system-auth. I need to revisit this.