
A client has a Samba server running ZFS that's working quite well for what it does.

The problem is that a bunch of staff want to work from home and have been using Dropbox and Gmail to share the files - not what we want. Among other things we'd like to have the files stay within Australian jurisdiction.

What's a good way for sharing files to Macs and Windows systems over the Internet that's easy to use and relatively secure?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

On 12/04/13 16:17, Russell Coker wrote:
> What's a good way for sharing files to Macs and Windows systems over the Internet that's easy to use and relatively secure?

Not used it myself, but would OwnCloud fit your needs?

http://owncloud.org/

cheers!
Chris
--
Chris Samuel : http://www.csamuel.org/ : Melbourne, VIC

On Fri, 12 Apr 2013, Chris Samuel <chris@csamuel.org> wrote:
> Not used it myself, but would OwnCloud fit your needs?

I tried it but it didn't work very well. I couldn't get account creation to work (everything was done with the admin account) and it still seemed flaky. The base functionality of web and Android access didn't work well so it didn't seem worth trying extra functionality like Mac access.

Has anyone had a good experience with OwnCloud? If so I'll try it again.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

I would recommend a simple OpenVPN solution. Much safer and simpler than exposing a Samba server directly to the net.

Cheers
--
Aryan

On 12 April 2013 16:17, Russell Coker <russell@coker.com.au> wrote:
> The problem is that a bunch of staff want to work from home and have been using Dropbox and Gmail to share the files - not what we want. Among other things we'd like to have the files stay within Australian jurisdiction.

If the files were securely encrypted, does it matter that they stay in Australia?

My guess is that the answer is most likely going to be Yes, but thought I should check, as this would increase the options available.

--
Brian May <brian@microcomaustralia.com.au>

On 12 April 2013 07:17, Russell Coker <russell@coker.com.au> wrote:
> A client has a Samba server running ZFS that's working quite well for what it does.
>
> The problem is that a bunch of staff want to work from home and have been using Dropbox and Gmail to share the files - not what we want. Among other things we'd like to have the files stay within Australian jurisdiction.

In same boat. Have been testing OwnCloud - http://owncloud.org/. No comments on it yet other than it is very easy to install, and does what it says on the box (with 3 accounts, all owned by me). Haven't seen what it is like with less tech literate people, but it seems okay.

Sean

> What's a good way for sharing files to Macs and Windows systems over the Internet that's easy to use and relatively secure?
>
> --
> My Main Blog http://etbe.coker.com.au/
> My Documents Blog http://doc.coker.com.au/
> _______________________________________________
> luv-main mailing list
> luv-main@luv.asn.au
> http://lists.luv.asn.au/listinfo/luv-main

On Fri, Apr 12, 2013 at 4:17 PM, Russell Coker <russell@coker.com.au> wrote:
> A client has a Samba server running ZFS that's working quite well for what it does.
>
> The problem is that a bunch of staff want to work from home and have been using Dropbox and Gmail to share the files - not what we want. Among other things we'd like to have the files stay within Australian jurisdiction.
>
> What's a good way for sharing files to Macs and Windows systems over the Internet that's easy to use and relatively secure?

For access to the Samba server, set up a VPN to the office network? (e.g. openvpn)

For sharing files a la dropbox, set up a local instance of filesender? Invites can also be sent to external guests to allow them to upload files.

https://www.assembla.com/spaces/file_sender/wiki

Marcus.
--
Marcus Furlong

On Fri, Apr 12, 2013 at 04:17:56PM +1000, Russell Coker wrote:
> What's a good way for sharing files to Macs and Windows systems over the Internet that's easy to use and relatively secure?

1. webdav?

   some starting points:

   http://en.wikipedia.org/wiki/WebDAV
   http://www.linuxplanet.com/linuxplanet/tutorials/7314/1

2. there's also Owncloud http://owncloud.org/

   simple tutorial at:

   http://lifehacker.com/5993596/how-to-set-up-your-own-private-cloud-storage-s...

   owncloud seems like a good idea but something about the business model and attitude on the commercial site (http://owncloud.com/) puts me off...but my research on it has been minimal at best.

3. or just put everything up on facebook and trust to the benevolence of corporate america. what have you got to hide, ya commie terrorist?

craig
--
craig sanders <cas@taz.net.au>

> A client has a Samba server running ZFS that's working quite well for what it does.
>
> The problem is that a bunch of staff want to work from home and have been using Dropbox and Gmail to share the files - not what we want. Among other things we'd like to have the files stay within Australian jurisdiction.
>
> What's a good way for sharing files to Macs and Windows systems over the Internet that's easy to use and relatively secure?

I've used SVN for this. With EasySVN on Windows PCs users can do automatic checkin and checkout so documents you create or change are automatically visible to others and others' changes are visible to you in a reasonably short time, and it works disconnected too.

Users can also access files from a browser too if required.

James

Russell Coker <russell@coker.com.au> writes:
> A client has a Samba server running ZFS that's working quite well for what it does. The problem is that a bunch of staff want to work from home and have been using Dropbox and Gmail to share the files - not what we want. Among other things we'd like to have the files stay within Australian jurisdiction. What's a good way for sharing files to Macs and Windows systems over the Internet that's easy to use and relatively secure?

No one has mentioned SFTP yet. You can't fault it for security.

WinSCP or whatever can make it look like "normal" FTP. I don't know if there's a more "usable" version (like gnome-vfs's sftp:// URLs) that make them look like local folders.

I admit the users probably won't allow it, but you can use it as your low bid so that OpenVPN looks more like a compromise and less like the fiat of the Insane Security Overlord.

On 12/04/13 7:17 PM, Trent W. Buck wrote:
> Russell Coker <russell@coker.com.au> writes:
>
> No one has mentioned SFTP yet. You can't fault it for security.
>
> WinSCP or whatever can make it look like "normal" FTP. I don't know if there's a more "usable" version (like gnome-vfs's sftp:// URLs) that make them look like local folders.

There is a SSH/SCP/SFTP FUSE driver around, so you can mount filesystems over SCP/SFTP. That should take care of Linux and Mac boxes. Not sure what the equivalent Windows solution would be.

> I admit the users probably won't allow it, but you can use it as your low bid so that OpenVPN looks more like a compromise and less like the fiat of the Insane Security Overlord.

:D

--
73 de Tony VK3JED
http://vkradio.com

Tony Langdon <vk3jed@gmail.com> wrote:
> There is a SSH/SCP/SFTP FUSE driver around, so you can mount filesystems over SCP/SFTP. That should take care of Linux and Mac boxes. Not sure what the equivalent Windows solution would be.

It works, as long as you're willing to forego adherence to POSIX file system standards.

On 15/04/13 7:00 PM, Jason White wrote:
> Tony Langdon <vk3jed@gmail.com> wrote:
>> There is a SSH/SCP/SFTP FUSE driver around, so you can mount filesystems over SCP/SFTP. That should take care of Linux and Mac boxes. Not sure what the equivalent Windows solution would be.
>
> It works, as long as you're willing to forego adherence to POSIX file system standards.

Another thing to weigh up. :)

--
73 de Tony VK3JED
http://vkradio.com

Jason White <jason@jasonjgw.net> writes:
> Tony Langdon <vk3jed@gmail.com> wrote:
>> There is a SSH/SCP/SFTP FUSE driver around, so you can mount filesystems over SCP/SFTP. That should take care of Linux and Mac boxes. Not sure what the equivalent Windows solution would be.
>
> It works, as long as you're willing to forego adherence to POSIX file system standards.

I assume you're referring to SFTP's (and thus sshfs's) lack of support for locking. While annoying, IMO it's no worse than the locking issues I've run into with NFSv3 and Samba3, and I vaguely remember AFS has "advisory" locks (meaning it doesn't stop you).

Are there other places where SFTP doesn't comply with SUS 2008?

Trent W. Buck <trentbuck@gmail.com> wrote:
> I assume you're referring to SFTP's (and thus sshfs's) lack of support for locking. While annoying, IMO it's no worse than the locking issues I've run into with NFSv3 and Samba3, and I vaguely remember AFS has "advisory" locks (meaning it doesn't stop you).
>
> Are there other places where SFTP doesn't comply with SUS 2008?

That's the right question to ask, and my quick Web search didn't locate a good attempt at an answer.

As you note, locking issues are common to network-based file systems (in which regard, NFSv4 is an improvement, as I recall).

The SSHFS FAQ indicates that rename operations are not implemented correctly, though there's a partially satisfactory work-around:

http://sourceforge.net/apps/mediawiki/fuse/?title=SshfsFaq

whereby the rename() is not atomic, but the link to an existing file/directory is removed.

The rename(3posix) manual page reads, in part:

"If the link named by the new argument exists, it shall be removed and old renamed to new. In this case, a link named new shall remain visible to other processes throughout the renaming operation and refer either to the file referred to by new or old before the operation began."

I think that's what the FAQ is referring to.

On 12/04/13 16:17, Russell Coker wrote:
> A client has a Samba server running ZFS that's working quite well for what it does.

Keep using the Samba server. Install a VPN client on their machines so they can continue accessing it remotely. (I recommend L2TP/IPsec as the least-effort option, with OS X and Windows supporting it natively.)

(I don't recommend exposing Samba to the internet without a VPN. I did that once. It was never exploited as far as I can tell, but it got *hammered*.)

On 2013-04-13 13:58, Jeremy Visser wrote:
> On 12/04/13 16:17, Russell Coker wrote:
>> A client has a Samba server running ZFS that's working quite well for what it does.
>
> Keep using the Samba server. Install a VPN client on their machines so they can continue accessing it remotely. (I recommend L2TP/IPsec as the least-effort option, with OS X and Windows supporting it natively.)

L2TP/IPsec certainly seems least-effort from a client perspective. I've still not quite gotten the server-side solution working; I've been trying with openswan and xl2tpd. I'd appreciate any suggestions for different implementations or better documentation.

--
Regards,
Matthew Cengia

On 13/04/13 14:31, Matthew Cengia wrote:
> L2TP/IPsec certainly seems least-effort from a client perspective. I've still not quite gotten the server-side solution working; I've been trying with openswan and xl2tpd. I'd appreciate any suggestions for different implementations or better documentation.

I had success with strongSwan + xl2tpd. It took me several hours of fighting, but in the end it was worth it because I can set up a new VPN client in about 1 minute without installing any extra software on OS X, Windows, iOS, or Android.

My ipsec.conf contains the following:

    conn l2tp
        keyexchange=ikev1    # use pluto, not charon
        authby=psk           # use certs if you want, else use a LONG psk
        pfs=no
        rekey=no
        left=<your server's local ip>
        leftnexthop=%defaultroute
        leftprotoport=udp/1701
        leftfirewall=yes
        right=%any
        rightprotoport=udp/%any
        rightsubnetwithin=0.0.0.0/0
        esp=aes128-sha1
        ike=aes128-sha-modp1024
        type=tunnel
        auto=add

Unfortunately the 'pfs' and 'rekey' options are needed for compatibility with various broken clients. Also, even though it's supposed to only require 'type=transport', I found that Windows XP always requested tunnel mode, so 'type=tunnel' was required. This does not affect any of the other clients that I use.

xl2tpd was quite straightforward, so I won't go over it. Annoyingly, it lacks IPv6 support, so I have since thrown out the whole Linux-based approach and used a Cisco router, which has supported IPv6 perfectly on L2TP for the better part of a decade, and is orders of magnitude easier to maintain. In case you're wondering, no, I don't have much faith in open source these days. Call me jaded.

Interestingly enough, if IPsec negotiation fails, Windows XP and the network-manager-l2tp plugin for Linux are perfectly happy to fall back to using L2TP unencrypted without even warning the user, so don't forget to firewall L2TP on your server (the leftfirewall=yes line punches a hole in said firewall for IPsec clients).

And no, don't even think about using the network-manager-l2tp plugin. It's buggy and horrible. If you have Linux clients, deploy OpenVPN as well. L2TP/IPsec is that badly supported on the client end of Linux.
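
[Added example, not part of the original message or of any poster's configuration: a check for the "firewall L2TP on your server" advice above. It reads iptables-save output and reports whether plain, non-IPsec packets can reach L2TP on udp/1701. The function name audit_l2tp and both rulesets are constructed for illustration; it assumes an iptables firewall and inspects only rules that name port 1701 plus the INPUT chain policy.]

```shell
#!/bin/sh
# Rules of the kind this check expects on the server (iptables policy match):
#   iptables -A INPUT -p udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
#   iptables -A INPUT -p udp --dport 1701 -j DROP

# audit_l2tp: iptables-save text on stdin, prints EXPOSED or PROTECTED.
# Assumption: broader rules (e.g. a blanket "-p udp -j ACCEPT") are not analysed.
audit_l2tp() {
    awk '
        /^:INPUT / { policy = $2 }              # e.g. ":INPUT DROP [0:0]"
        /^-A INPUT / && /-p udp/ && /--dport 1701( |$)/ {
            # A rule with "-m policy --pol ipsec" only matches packets that
            # arrived through an IPsec SA, so it never admits plain L2TP.
            if ($0 ~ /-m policy/ && $0 ~ /--pol ipsec/) next
            # First remaining rule for udp/1701 decides the fate of plain L2TP.
            if ($0 ~ /-j ACCEPT/)        { verdict = "EXPOSED";   exit }
            if ($0 ~ /-j (DROP|REJECT)/) { verdict = "PROTECTED"; exit }
        }
        END {
            # No explicit rule: the chain policy decides; unknown counts as exposed.
            if (verdict == "") verdict = (policy == "DROP") ? "PROTECTED" : "EXPOSED"
            print verdict
        }'
}

# Constructed sample: L2TP accepted from anyone, so a client that falls back
# to unencrypted L2TP would still connect.
RULES_OPEN=':INPUT DROP [0:0]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j ACCEPT'

# Constructed sample: L2TP accepted only inside IPsec, dropped otherwise.
RULES_IPSEC_ONLY=':INPUT ACCEPT [0:0]
-A INPUT -p udp -m udp --dport 500 -j ACCEPT
-A INPUT -p udp -m udp --dport 4500 -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -m policy --dir in --pol ipsec -j ACCEPT
-A INPUT -p udp -m udp --dport 1701 -j DROP'

printf 'open ruleset:       %s\n' "$(printf '%s\n' "$RULES_OPEN" | audit_l2tp)"
printf 'ipsec-only ruleset: %s\n' "$(printf '%s\n' "$RULES_IPSEC_ONLY" | audit_l2tp)"
```

[On a live server the same function can be fed with "iptables-save | audit_l2tp" as root.]
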
participants (13)

- Aryan Ameri
- Brian May
- Chris Samuel
- Craig Sanders
- James Harper
- Jason White
- Jeremy Visser
- Marcus Furlong
- Matthew Cengia
- Russell Coker
- Sean Crosby
- Tony Langdon
- trentbuck@gmail.com