So I'm looking for a way to give my students remote access without
using sftp/scp, as due to the way our directory structure is laid
out, I can't feasibly chroot them when using an scponly style shell.
(Yes, I do know the arguments about chroot being a false sense of
security. No, I don't want to get into that debate.)

For various reasons I'm not opening up SMB access to the world. If I
want students to use SMB for remote access I'd have to implement a
VPN, and firstly we don't have a hardware VPN device here, and
secondly I'm not entirely happy with the level of complexity that
would bring to the situation.

So I've started looking at Kerberized FTP, mainly because the lovely
people at Fetch have free licences for education, and it has
Kerberos support.

The main problem I'm having with the OS X Server ftp daemon when set
to be Kerberized is that it doesn't seem to work happily behind your
average consumer NAT firewall/router that most of my students are
on. This appears to be a general problem with GSS and FTP that a lot
of people run into.

The other thing is that the OS X Server ftp daemon doesn't support
encrypting the data channel. This isn't such a huge stress, as it's
mainly the authentication channel that I'm concerned with protecting.

So I started experimenting with proftpd with LDAP and TLS/SSL
support. (If anyone has managed to get GSS support working with
Fetch and proftpd, I'd be keen to hear from you, as I couldn't get
this working, and proftpd has patches to work around the NAT issue.)

This all works fine, but the problem I now have is that proftpd
doesn't support the now abandoned "implicit SSL" method for securing
FTP. The author has detailed why he has done this, and I'm OK with
that, it makes sense. This means that only 'proper' FTP TLS/SSL
support can be used, and for the life of me I cannot find a free Mac
OS X FTP client which supports it, only commercial ones. (Fetch
doesn't support it.)

So I'm looking into pure-ftpd at the moment, as I think it can do
the implicit SSL form, but I'm not really happy implementing an
abandoned protocol, even considering all this stuff is at the draft
stage.

Anyway, has anyone managed to come up with a decent secure remote
access solution? Either a free OS X FTP client which supports
TLS/SSL, or any kind of encrypted control channel that works happily?

nigel
--
Nigel Kersten Systems Administrator
College of Fine Arts, UNSW Sydney, Australia.
CRICOS Provider Code: 00098G
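
The concern raised in the post, that USER/PASS should only cross the control channel once TLS is active (explicit `AUTH TLS` or implicit SSL) even if the data channel stays clear, can be checked from a client-side session log. This is an added example, not part of the original post; the `C:`/`S:` log format, the host name and the user name are constructed assumptions.

```python
import re

FINAL_REPLY = re.compile(r"^(\d{3}) ")  # "234 ..." is final; "211-..." continues

def audit_ftp_session(transcript, implicit_tls=False):
    """Audit a client-side FTP control-channel log ('C: cmd' / 'S: reply').

    Reports whether USER/PASS were sent before TLS was active and whether
    the data channel was switched to private mode (PROT P).
    """
    tls_active = implicit_tls  # implicit mode: TLS wraps the socket from the start
    mode = "implicit" if implicit_tls else "cleartext"
    exposed, data_protected, pending = [], False, None
    for line in transcript:
        side, _, text = line.partition(": ")
        text = text.strip()
        if side == "C":
            verb = text.split(" ", 1)[0].upper()
            pending = (verb, text.upper())
            if verb in ("USER", "PASS") and not tls_active:
                exposed.append(verb)  # credential sent in the clear
        elif side == "S" and pending:
            m = FINAL_REPLY.match(text)
            if not m:
                continue  # one line of a multi-line reply, not the final one
            verb, full = pending
            if verb == "AUTH" and m.group(1) == "234":
                tls_active, mode = True, "explicit"  # TLS handshake follows 234
            elif full == "PROT P" and m.group(1) == "200" and tls_active:
                data_protected = True
            pending = None
    return {"mode": mode, "exposed": exposed, "data_protected": data_protected}

# Constructed sample logs (host and user names are made up).
EXPLICIT_TLS = [
    "S: 220 ftp.example.edu ready", "C: AUTH TLS", "S: 234 AUTH TLS successful",
    "C: USER student1", "S: 331 Password required", "C: PASS ********",
    "S: 230 Logged in", "C: PBSZ 0", "S: 200 PBSZ 0 successful",
    "C: PROT C", "S: 200 Protection set to Clear",
]
# Server rejects AUTH and the client carries on anyway: the failure to catch.
FALLBACK = [
    "S: 220 ftp.example.edu ready", "C: AUTH TLS", "S: 500 AUTH not understood",
    "C: USER student1", "S: 331 Password required", "C: PASS ********",
    "S: 230 Logged in",
]

if __name__ == "__main__":
    for name, log in (("explicit", EXPLICIT_TLS), ("fallback", FALLBACK)):
        print(name, audit_ftp_session(log))
```

The first log matches the setup described in the post (protected login, clear data channel); the second shows why a client that silently continues after a rejected `AUTH` defeats the purpose.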