[lug] VPN solution
Ben
bluey at iguanaworks.net
Fri Jan 25 09:22:09 MST 2008
More detail of my ssh / putty port forwarding to access samba share
remotely:
The bulk of what I did is from
http://www.blisstonia.com/eolson/notes/smboverssh.php
This talks about the idiosyncrasies of windows port forwarding and the
like. The patch for XP SP2 you have to install, the loop back device
because if you bind directly to port 139 you disable local windows file
sharing, etc. If you don't mind disabling local windows file sharing,
setting up the Windows client is a lot simpler.
What I did on top of that was really just locking down the port
forwarding as best I could. I configured sshd to only allow admin users
and the user "remote". The user remote has a shell of /bin/false and
password authentication disabled. So you can only login as user remote
with the ssh key and even then you don't get shell access. I made ssh
keys for each remote computer that I wanted to have access and converted
the private key to putty's format (.ppk) via puttygen. If anyone has
ideas for locking this down further, please let me know. On each remote
computer, I created a putty "saved session" with all the settings for
port forwarding:
Server IP Address: the.ip.address
Auto-login username: remote
SSH: Don't Allocate a pseudo-terminal
SSH: Don't start a shell or command at all
SSH: Private key for authentication: generatedkey.ppk
Tunnels: L10.1.1.1:139 127.0.0.1:139
Then, an icon on the desktop that runs "putty -load "remote access
session" that runs the saved session I just created. Then users just
double click on that icon to set up all the port forwarding and click on
a link to "\\10.1.1.1" to access the samba server. They have to login to
the samba server with their normal username/password -- the port
forwarding / stunnel is independent of samba username, so they can log
off the samba share and log back in as a new user with the same stunnel,
etc.
Once it's setup it works great.
Ben
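One way to take the lockdown described above a step further on the server side, as an added example that is not part of the original post: pin each of the per-machine keys for the "remote" account to the single forward it needs, and audit the authorized_keys file for keys that lack that restriction. The keys, hostnames and the sshd_config fragment below are constructed for illustration; the "restrict" keyword assumes a reasonably modern OpenSSH (older releases use the spelled-out no-pty,no-agent-forwarding,no-X11-forwarding options instead), and the Match/PermitOpen directives are standard sshd_config.

```shell
#!/bin/sh
# Added example, not code from the original post. Restricts keys for the
# "remote" account to one forwarded port and audits authorized_keys for
# keys that escape that restriction. All key material below is fake.
#
# Client-side equivalent of the PuTTY saved session, with OpenSSH:
#   ssh -N -T -i remote.key -L 10.1.1.1:139:127.0.0.1:139 remote@the.ip.address
# (10.1.1.1 must exist as a loopback alias on the client, as the post describes.)

# The only destination a forward is allowed to reach: samba on the server's loopback.
SAMBA_TARGET="127.0.0.1:139"

# Wrap one raw public key line (type, base64, comment) in per-key options:
# "restrict" turns everything off, "port-forwarding" re-enables forwarding,
# and permitopen= limits -L destinations to the samba port.
# Assumes OpenSSH >= 7.2 for "restrict"; on older sshd use
# no-pty,no-agent-forwarding,no-X11-forwarding in its place.
restrict_key() {
    printf 'restrict,port-forwarding,permitopen="%s" %s\n' "$SAMBA_TARGET" "$1"
}

# Build authorized_keys for user "remote" from a directory holding one .pub
# per remote machine, so revoking a machine is just deleting its file.
build_authorized_keys() {
    dir="$1"
    for pub in "$dir"/*.pub; do
        restrict_key "$(cat "$pub")"
    done
}

# Audit: print every key line that does not pin the forward destination.
# Returns 1 if any such line exists, 0 if the file is clean.
audit_authorized_keys() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            ''|'#'*) continue ;;
            *"permitopen=\"$SAMBA_TARGET\""*) ;;
            *) printf 'unrestricted key: %s\n' "$line"; bad=1 ;;
        esac
    done < "$1"
    return $bad
}

# sshd_config fragment for the same policy server-wide (constructed; adjust
# the admin user list): no password login for "remote", forwarding allowed
# only to the samba port, nothing else.
sshd_match_block() {
    cat <<EOF
AllowUsers admin remote
Match User remote
    PasswordAuthentication no
    AllowTcpForwarding yes
    PermitOpen $SAMBA_TARGET
    X11Forwarding no
    AllowAgentForwarding no
    PermitTunnel no
EOF
}

# Demo on constructed input: two machine keys, then a stray unrestricted line.
demo() {
    tmp=$(mktemp -d)
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFORLAPTOP1 laptop1\n' > "$tmp/laptop1.pub"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYFORLAPTOP2 laptop2\n' > "$tmp/laptop2.pub"
    build_authorized_keys "$tmp" > "$tmp/authorized_keys"
    cat "$tmp/authorized_keys"
    printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFAKEKEYUNRESTRICTED stray\n' >> "$tmp/authorized_keys"
    if audit_authorized_keys "$tmp/authorized_keys"; then
        echo "audit: clean"
    else
        echo "audit: unrestricted keys found"
    fi
    sshd_match_block
    rm -rf "$tmp"
}
demo
```

With this in place the "remote" account is useful for exactly one thing: a tunnel to port 139, regardless of what the client asks for. Note that the per-key permitopen= and the Match block's PermitOpen are independent layers; either alone blocks forwards to other hosts, and keeping both means a mistake in one file does not reopen the door.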
On Thu, 2008-01-24 at 17:09 -0700, dio2002 at indra.com wrote:
> i'd love more detail!
>
> in particular more specifics or actual instructions for setting up putty
> for the secure tunnel with no terminal on the loopback address with the
> shared key and then making it into a one click desktop shortcut. if
> it's possible to save the session settings in putty maybe you can attach it?
>
> to clarify what you stated below you actually *are* giving the users ssh
> access, you're just not providing them with a shell.
>
> Ben wrote:
> > This isn't a VPN solution, but it works for me. I use putty to create a
> > secure tunnel between remote windows clients and the samba server. Then
> > windows clients access the files via "\\10.1.0.1" where that IP address,
> > 10.1.0.1, is a loopback interface on the windows box that putty tunnels
> > to my samba server. It's a little tricky to setup on the windows side
> > the first time, but after that, it is just one icon for putty and then
> > they have full access to the samba box. (Also works great from linux
> > where sshfs , etc don't work if you want to maintain samba acl permissions)
> >
> > For security, I create a user "remotesamba" that has no shell, etc,
> > (putty is setup to not allocate a terminal) and then give each remote
> > user a ssh-key linked with remotesamba to use. This way, they don't need
> > another password to remember, and I don't need to give users shell/ssh
> > access to the server. And I can revoke their access if I need to.
> >
> > I can go into more detail if you want.
> >
> > Ben
> >
> >
> > George Sexton wrote:
> >> I need to come up with a solution to allow remote windows clients
> >> network access to my Linux samba server.
> >>
> >> I've just spent a day trying to get pptpd to work and I've finally
> >> given up.
> >>
> >> I'm looking at the documentation for openvpn and it looks like openvpn
> >> is pretty complex to configure as well. I would really like to avoid
> >> travelling to the various remote sites to setup the VPN client, which
> >> it looks like OpenVPN would pretty much require.
> >>
> >> Since I really don't have another day or three to devote to this, can
> >> anyone recommend a commercial hw solution that will actually work?
> >>
> >
> > _______________________________________________
> > Web Page: http://lug.boulder.co.us
> > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
> > Join us on IRC: lug.boulder.co.us port=6667 channel=#colug