[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Webserver questions: using samba, avoiding cleartext passwords, co-existing with Windows

There is a Explorer-like interface to PuTTY's
scp command. Maybe an option. Don't have
much experience with this, I personally use some
mini-shell-scripts attached to the sendto-menue
for uploading.


Cheers, Marcel

--On Donnerstag, 18. April 2002 17:34 -0700 John Morris <jrmorris@cacr.caltech.edu> wrote:

Samba and encrypted passwords. The encrpyted passwords should be default
on later Windows boxes, but may require registry edits on older Windows
OSes. Fast, easy, and secure. Windows Netbios & SMB traffic should
probably already be firewalled in and out,(If not, seriously consider
it), but you can always run Samba tcpwrapped, and so forth.

Samba is good, and IMHO the right choice for sharing files (and some other
stuff too) to Windows.

- John

On Thu, 18 Apr 2002, Tom Dominico wrote:

I have a Debian webserver that currently runs SSH, HTTP, and SMTP
services.  The SMTP service only accepts mail from the local interface.
I try to keep my box free of any excess services that might lead to
vulnerabilities, or that transmit authentication information via
cleartext.  I am running into some issues, however, where having only
SCP access for file transfer is not convenient.

For example, all workstations here are running some version of Windows.
I have yet to run across Windows applications that have SCP support
built-in, though.  I have instances where I would like to be able to
upload/download files from the server to my text editor, synchronize
directories between a workstation and the server, etc.  My options are
generally only FTP, or using windows shares.  I hesitate to install FTP
because of the issues with cleartext passwords being transmitted, as
well as potential vulnerabilities in the FTP daemon.  I understand that
some daemons now support SSL for encryption, but I do not know if
running a FTP server is really a wise idea or not, even with SSL.

I am debating installing samba on the webserver, and setting it up to
use encrypted passwords.  I would not allow "guest" usage of any shares.
This would make it much easier for me to do development and other tasks
on the server via my Windows workstation.  However, I do not know if I
would be making a large mistake, security-wise, by doing this.  We have
an external firewall, and I would think I could firewall off samba
traffic, so that only internal users would even have access, and even
then it would be protected with an encrypted password.

I am curious to see what the users of this list would suggest.  It seems
that I could do the following:

1) Install samba, and connect to the webserver via "shares" from my
2) Try to install FTP with SSL functionality, and perhaps firewall it
off for internal use only.
3) Do none of the above and use an SCP client to manually transfer
things back and forth when necessary.

In a nutshell, I am wondering what the best way is to co-exist with
Windows on the desktop, while still running a relatively secure server.

My other question relates to cleartext passwords.  I am writing some
web-based administrative tools to allow selected users to update
sections of the website, without having to know how to code.  Using a
simple "htpasswd" scheme, passwords are sent out in cleartext.  I am
concerned that anyone with a sniffer could then gain access to those
passwords.  I work in a school district, and some of these kids are very
clever, and have a lot of time on their hands.  Is there a way to
encrypt htpasswd traffic, or is there another solution I should examine?

I greatly appreciate any advice.

Tom Dominico
District Technology Coordinator
Parlier Unified School District

To UNSUBSCRIBE, email to debian-security-request@lists.debian.org
with a subject of "unsubscribe". Trouble? Contact listmaster@lists.debian.org

Reply to: