So I'm looking for a way to give my students remote access without
using sftp/scp as, due to the way our directory structure is laid out, I
can't feasibly chroot them when using an scponly style shell.
(Yes, I do know the arguments about chroot being a false sense of
security. No, I don't want to get into that debate)
For various reasons I'm not opening up SMB access to the world, if I
want students to use SMB for remote access I'd have to implement a VPN,
and firstly we don't have a hardware VPN device here, and secondly I'm
not entirely happy with the level of complexity that would bring to the
situation.
So I've started looking at Kerberized FTP, mainly because the lovely
people at Fetch have free licences for education, and it has Kerberos
support.
The main problem I'm having with the OS X Server ftp daemon when set to
be Kerberized is that it doesn't seem to work happily behind your
average consumer NAT firewall/router that most of my students are on.
This appears to be a general problem with GSS and FTP that a lot of
people run into.
The other thing is that the OS X Server ftp daemon doesn't support
encrypting the data channel. This isn't such a huge stress, as it's
mainly the authentication channel that I'm concerned with protecting.
So I started experimenting with proftpd with LDAP and TLS/SSL support.
(If anyone has managed to get GSS support working with Fetch and
proftpd, I'd be keen to hear from you, as I couldn't get this working,
and proftpd has patches to work around the NAT issue).
This all works fine, but the problem I now have is that proftpd doesn't
support the now abandoned "implicit SSL" method for securing FTP. The
author has detailed why he has done this, and I'm ok with that; it
makes sense. This means that only 'proper' FTP TLS/SSL support can be
used, and for the life of me I cannot find a free Mac OS X FTP client
which supports it, only commercial ones. (Fetch doesn't support it.)
So I'm looking into pure-ftpd at the moment, as I think it can do the
implicit SSL form, but I'm not really happy implementing an abandoned
protocol, even considering all this stuff is at the draft stage.
Anyway, has anyone managed to come up with a decent secure remote
access solution? Either a free OS X FTP client which supports TLS/SSL,
or any kind of encrypted control channel that works happily?
nigel
--
Nigel Kersten Systems Administrator
College of Fine Arts, UNSW Sydney, Australia.
CRICOS Provider Code: 00098G
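The 'proper' FTP TLS/SSL the post refers to is explicit FTPS (RFC 4217): the client connects in the clear on port 21 and upgrades the control channel with AUTH TLS before sending credentials, then PBSZ 0 / PROT P encrypts the data channel as well; the abandoned implicit form instead wraps TLS around the whole connection on port 990. The script below is an added example, not code from the original post or from Fetch, proftpd or pure-ftpd: it checks a server's FEAT reply for the explicit-TLS features and opens a session with both channels protected, using only Python's standard ftplib. The host, port and credentials are placeholder assumptions, and the FEAT reply used for the offline check is constructed.

```python
"""Check an FTP server for explicit TLS (RFC 4217, "AUTH TLS") support and
open a session that encrypts both the control and the data channel.

Added example; host, user and password are assumptions, and the sample
FEAT reply below is constructed rather than captured from a real server.
"""
import ssl
from ftplib import FTP_TLS

# Feature tokens a server should advertise in its FEAT reply when it
# implements explicit FTP-over-TLS (AUTH TLS + PBSZ + PROT).
TLS_FEATURES = {"AUTH TLS", "PBSZ", "PROT"}

# Constructed FEAT reply, in the shape ftplib.FTP.sendcmd("FEAT") returns.
SAMPLE_FEAT_REPLY = (
    "211-Features:\n"
    " AUTH TLS\n"
    " PBSZ\n"
    " PROT\n"
    " UTF8\n"
    "211 End"
)


def parse_feat(reply: str) -> set:
    """Turn a raw multi-line FEAT reply into a set of feature names.

    Feature lines are indented by one space; the first ("211-") and last
    ("211 ") lines carry the reply code and are not features. Parameters
    after a ';' (e.g. "AUTH TLS;SSL") are dropped.
    """
    features = set()
    for line in reply.splitlines():
        if not line.startswith(" "):
            continue
        token = line.strip().upper().split(";")[0].strip()
        if token:
            features.add(token)
    return features


def missing_tls_features(features: set) -> set:
    """Which of AUTH TLS / PBSZ / PROT the server did not advertise."""
    return TLS_FEATURES - features


def supports_explicit_tls(features: set) -> bool:
    """True when the server advertises everything explicit FTPS needs."""
    return not missing_tls_features(features)


def open_explicit_tls_session(host, user, password, port=21, timeout=10):
    """Connect with explicit TLS and refuse to send credentials otherwise.

    Order matters: AUTH TLS first, so USER/PASS travel inside TLS, then
    PBSZ 0 / PROT P so directory listings and file transfers are encrypted.
    """
    ctx = ssl.create_default_context()      # verifies the server certificate
    ftp = FTP_TLS(context=ctx, timeout=timeout)
    ftp.connect(host, port)                 # plaintext greeting on port 21
    features = parse_feat(ftp.sendcmd("FEAT"))
    if not supports_explicit_tls(features):
        ftp.quit()
        raise RuntimeError(
            "server lacks explicit TLS features: %s"
            % sorted(missing_tls_features(features))
        )
    ftp.auth()                  # AUTH TLS: control channel now encrypted
    ftp.login(user, password)   # credentials are sent over TLS only
    ftp.prot_p()                # PBSZ 0 + PROT P: data channel encrypted
    ftp.set_pasv(True)          # passive mode copes better with NAT routers
    return ftp


if __name__ == "__main__":
    # Offline check against the constructed reply.
    feats = parse_feat(SAMPLE_FEAT_REPLY)
    print("advertised:", sorted(feats))
    print("explicit TLS usable:", supports_explicit_tls(feats))
    # Live check (placeholder values; uncomment to run against a real server):
    # ftp = open_explicit_tls_session("ftp.example.invalid", "student", "secret")
    # print(ftp.nlst()); ftp.quit()
```

With the default SSL context a self-signed server certificate will make `ftp.auth()` fail; the right fix is a CA-issued certificate on the server, or distributing the server's certificate to clients and loading it with `ctx.load_verify_locations()`, not disabling verification. Passive mode is set because, as the post notes for GSS FTP, active-mode data connections rarely survive a consumer NAT router, and an encrypted control channel prevents the router from rewriting PORT/PASV addresses anyway.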