
Re: Webserver questions: using samba, avoiding cleartext passwords, co-existing with Windows



Samba and encrypted passwords. The encrypted passwords should be default
on later Windows boxes, but may require registry edits on older Windows OSes.
Fast, easy, and secure. Windows NetBIOS & SMB traffic should probably
already be firewalled in and out (if not, seriously consider it), but you can always
run Samba tcpwrapped, and so forth.

Samba is good, and IMHO the right choice for sharing files (and some other
stuff too) to Windows.

- John
jrmorris@cacr.caltech.edu

On Thu, 18 Apr 2002, Tom Dominico wrote:

> I have a Debian webserver that currently runs SSH, HTTP, and SMTP
> services.  The SMTP service only accepts mail from the local interface.
> I try to keep my box free of any excess services that might lead to
> vulnerabilities, or that transmit authentication information via
> cleartext.  I am running into some issues, however, where having only
> SCP access for file transfer is not convenient.
>
> For example, all workstations here are running some version of Windows.
> I have yet to run across Windows applications that have SCP support
> built-in, though.  I have instances where I would like to be able to
> upload/download files from the server to my text editor, synchronize
> directories between a workstation and the server, etc.  My options are
> generally only FTP, or using windows shares.  I hesitate to install FTP
> because of the issues with cleartext passwords being transmitted, as
> well as potential vulnerabilities in the FTP daemon.  I understand that
> some daemons now support SSL for encryption, but I do not know if
> running a FTP server is really a wise idea or not, even with SSL.
>
> I am debating installing samba on the webserver, and setting it up to
> use encrypted passwords.  I would not allow "guest" usage of any shares.
> This would make it much easier for me to do development and other tasks
> on the server via my Windows workstation.  However, I do not know if I
> would be making a large mistake, security-wise, by doing this.  We have
> an external firewall, and I would think I could firewall off samba
> traffic, so that only internal users would even have access, and even
> then it would be protected with an encrypted password.
>
> I am curious to see what the users of this list would suggest.  It seems
> that I could do the following:
>
> 1) Install samba, and connect to the webserver via "shares" from my
> workstation.
> 2) Try to install FTP with SSL functionality, and perhaps firewall it
> off for internal use only.
> 3) Do none of the above and use an SCP client to manually transfer
> things back and forth when necessary.
>
> In a nutshell, I am wondering what the best way is to co-exist with
> Windows on the desktop, while still running a relatively secure server.
>
> My other question relates to cleartext passwords.  I am writing some
> web-based administrative tools to allow selected users to update
> sections of the website, without having to know how to code.  Using a
> simple "htpasswd" scheme, passwords are sent out in cleartext.  I am
> concerned that anyone with a sniffer could then gain access to those
> passwords.  I work in a school district, and some of these kids are very
> clever, and have a lot of time on their hands.  Is there a way to
> encrypt htpasswd traffic, or is there another solution I should examine?
>
> I greatly appreciate any advice.
>
> Tom Dominico
> District Technology Coordinator
> Parlier Unified School District
>
>
> --
> To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
> with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org
>
>


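As an added illustration (not from John's reply and not the Samba project's own documentation), here is a minimal Samba 2.2-era smb.conf fragment that applies the points above: encrypted passwords only, no guest access, and the daemon bound to the internal interface and limited to the internal subnet. The interface name, subnet, share path and user name are assumptions.

```ini
[global]
    ; Only accept the encrypted (NT/LM hash) challenge-response exchange;
    ; with this off, Windows clients that fall back to plaintext would send
    ; the password in the clear on the wire.
    encrypt passwords = yes
    smb passwd file = /etc/samba/smbpasswd

    ; Per-user authentication against the smbpasswd database.
    security = user

    ; Never downgrade a failed login to the guest account.
    map to guest = Never

    ; Listen only on the internal interface (name assumed), not the
    ; interface facing the outside world.
    interfaces = eth1
    bind interfaces only = yes

    ; Samba's built-in tcpwrapper-style filter: internal LAN only
    ; (subnet assumed). The external firewall should still block 137-139/tcp+udp.
    hosts allow = 192.168.1.0/255.255.255.0 127.0.0.1
    hosts deny = 0.0.0.0/0.0.0.0

    ; Keep the server from advertising itself as a browse master or WINS server.
    local master = no
    domain master = no
    preferred master = no
    wins support = no

; One share for editing the site from a Windows workstation (path and user assumed).
[webdev]
    path = /var/www
    valid users = tom
    guest ok = no
    read only = no
    browseable = no
```

After editing, run `testparm` to check the file for syntax errors and to see the effective values of every parameter, and create the Samba password entry with `smbpasswd -a <user>` so the account exists in `smb passwd file`.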