
Re: Help needed with server setup at work



On Mon, 23 Apr 2007 16:35:04 -0400
Greg Folkert <greg@gregfolkert.net> wrote:

> On Mon, 2007-04-23 at 22:22 +0200, Rico Secada wrote:
> > On Mon, 23 Apr 2007 13:52:58 -0400
> > Greg Folkert <greg@gregfolkert.net> wrote:
> > > On Mon, 2007-04-23 at 19:39 +0200, Rico Secada wrote:
> > > > On Mon, 23 Apr 2007 11:26:42 -0400
> > > > Greg Folkert <greg@gregfolkert.net> wrote:
> > > > > > About the union thing I first thought of somehow union mounting all the
> > > > > > different home directories on a single machine which then serves as
> > > > > > the access point, but I am afraid if that particular machine crashes,
> > > > > > then no one can get to their files. 
> > > > > > 
> > > > > > Good ideas and experiences are greatly appreciated! 
> > > > > 
> > > > > Look up sshfs (or shfs as it is commonly known); it is completely at the
> > > > > whim of the user. They use an existing well known, well vetted daemon
> > > > > (openssh-server) and in a local environment (meaning no slow links) with
> > > > > 100Mbit/sec, I get nearly line speed transfer rates (100Mbit/sec ==
> > > > > 11MByte/sec).
> > > > > 
> > > > > Though you will need to beef up end user knowledge about strong
> > > > > passwords and key-auth only authentication, it'll more than make up for
> > > > > the traveling or remote user.
> > > > > 
> > > > > I can say that sshfs is probably the single best thing I've seen come
> > > > > along in a long time. Mainly because, if you already have established
> > > > > good SSH practices, there is really no additional server-side setup you
> > > > > need to use.
> > > > 
> > > > Thank you very much for your reply Greg. This is a very good solution
> > > > but it does provide one obstacle since users do not have SSH access to
> > > > the servers. If I were to use this solution I somehow need to jail
> > > > the users to their home directories. As far as I know it's not possible
> > > > with SSH. 
> > > 
> > > Why would you need to jail them?
> > > 
> > > With properly set up homedirs (chmod 0700) nothing needs to be worried
> > > about as far as seeing other people's stuff. And as long as they are only
> > > users, no other groups besides their own group, there is no need to
> > > worry. For example:
> > > 
> > > 	username: joe UID=1110 GID=1110
> > > 
> > > No other membership in any additional group. Only can see his stuff
> > > period.
> > > 
> > > In fact, it is better than nfs or cifs in regards to security. EVERYTHING
> > > is in userland and only allows them access to their own stuff on the
> > > server... even IF they ssh in.
> > 
> > Any suggestions regarding how to make it appear like there is only one
> > server host? Should I perhaps locally mount all the directories via
> > NFS onto a single host which will then serve SSH out to the world? Or
> > is there some better solution?
> 
> Personally, I'd use a cluster/distributed filesystem with back links or
> references etc. But then... I'll have to look into that... but later, my
> stepfather just called and said he bought a new "hard-drive"... yeah
> could be anything from an external to a new machine to an internal.
> 
> But then I usually just have ONE HUGE-E-MONGOUS nfs/smb/cifs/afs/other
> file server doing the work; depending on the traffic, I used bonding of
> NICs.
> 
> You could always set up an ssh forwarding service for various ports...
> 10021 for server A, 10022 for server B, 10023 for server C all using the
> same IP. IPtables or OpenBSD's PF works wonderfully for that.
> 
> Then all your people just need to know the "name" and the port.

Thank you very much Greg!! Your help has been very valuable!

> 
> -- 
> greg, greg@gregfolkert.net
> 
> Novell's Directory Services is a competitive product to Microsoft's
> Active Directory in much the same way that the Saturn V is a competitive
> product to those dinky little model rockets that kids light off down at
> the playfield. -- Thane Walkup
> 
-- 
Best and kind regards
Rico Secada
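As an added example (not part of the thread above or written by either poster), the following script audits the two conditions Greg's no-chroot sshfs setup rests on: every home directory is mode 0700 and the user belongs to no supplementary group. It assumes GNU stat (Linux) and takes any file in /etc/group format; the users, directories and group file it creates are constructed fixtures, not taken from the thread.

```shell
#!/bin/sh
# Added example, not from the thread: audit the two conditions Greg relies on
# when users reach their own files over sshfs without a chroot:
#   1. each home directory is mode 0700, and
#   2. the user is a member of no supplementary group (only its primary group).
# Assumes GNU stat (Linux). GROUP_FILE is any file in /etc/group format.

# Return 0 when DIR exists and its permission bits are exactly 0700.
home_mode_ok() {
    [ -d "$1" ] || return 1
    [ "$(stat -c '%a' "$1")" = "700" ]
}

# Return 0 when USER is listed in the member field of no group in GROUP_FILE.
# Primary group membership is recorded in /etc/passwd, so it never shows up here.
no_supplementary_groups() {   # no_supplementary_groups GROUP_FILE USER
    ! awk -F: -v u="$2" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) found = 1 }
        END { exit !found }' "$1"
}

# Audit one user: print a verdict and return 0 only when both checks pass.
audit_user() {   # audit_user USER HOMEDIR GROUP_FILE
    rc=0
    home_mode_ok "$2" || { echo "$1: $2 is not mode 0700"; rc=1; }
    no_supplementary_groups "$3" "$1" || { echo "$1: has supplementary groups"; rc=1; }
    [ "$rc" -eq 0 ] && echo "$1: ok"
    return "$rc"
}

# Constructed fixture so the script runs offline: two fake home directories and
# a fake group file (nothing here touches the real /home or /etc/group).
FIX=$(mktemp -d)
mkdir -m 700 "$FIX/joe"
mkdir -m 755 "$FIX/bob"
cat > "$FIX/group" <<'EOF'
joe:x:1110:
bob:x:1111:
staff:x:50:bob,alice
EOF

audit_user joe "$FIX/joe" "$FIX/group"           # passes: 0700 and no extra groups
audit_user bob "$FIX/bob" "$FIX/group" || true   # fails: 0755 and member of staff
```

Run it against real accounts by passing /etc/group and each user's actual home directory to audit_user; a non-zero return marks an account whose files other local users could reach.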


