LinuxQuestions.org

employee@home (http://www.linuxquestions.org/questions/linux-networking-3/employee%40home-4175441237/)

dgermann 12-12-2012 11:14 PM

employee@home
 
Hi--

A new employee, E, will be working from home. Production environment.

What is the most secure and elegant way to set up a network to allow E to log in to the server?

Main office: server is Ubuntu 12.04.1 LTS, serving up Samba shares to a half dozen Ubuntu 12.04.1 boxes and an Win XP Pro box. Desktops running LibreOffice and some vintage Windows things via Remmina. Connection is cable behind a router.

E's computer: will probably be Xubuntu 12.04 LTS. Connection is DSL behind a router.

I am thinking I want some sort of an ssh tunnel. I have done an ssh tunnel to a proxy server using tsocks, so I wonder if this would be similar?

Or is there a better way than ssh? Or in addition to ssh?

Thanks!

acid_kewpie 12-13-2012 04:05 AM

Well, ssh is not the most secure or elegant, but it would probably work very well with just about zero setup, especially on the client side. The biggest issue on that side would be their identification and authentication. Can you / would you want to restrict them to known IP addresses? Only a few users? Enforce key-based authentication? Two factor?

Using the SSH transport, nx might be a good solution for remote desktop access.

nikmit 12-13-2012 10:58 AM

The textbook solution (and the most common one) is a VPN. Setting up a VPN between two Linux boxes is simple and costs nothing. It can put your remote machine on the same network as your office, so the remote user can work as if in the office as far as network connection is concerned.

I have found OpenVPN to be easier to configure than StrongSwan; however, the latter is standards-based and can work with a larger range of devices, not just Linux computers.

dgermann 12-16-2012 05:55 PM

acid_kewpie and nikmit--

Thanks for helping me!

Forgive me for being so long in getting back to you. I obviously need the help of an additional employee, since I was too busy to get back to you until now! :)

Wasn't aware of a security issue with ssh. What's the thumbnail on that?

I generally try to make things as secure as I can. So yes, I would restrict to a particular IP address, and only one person would get in through the firewall.

By "key" I suspect you mean gpg, but that I have not figured out yet. Or perhaps you mean key generation under ssh (I see there is an ssh-keygen which looks like less of a learning curve than gpg)?

What do you mean by two factor?

I have kind of ruled out vpn, since that means we would need a dedicated machine in the office for the person to take over that desktop. VPN is only for controlling an "inside" desktop, yes?

Plus, I see VPN as just more computer overhead and slowing of the work throughput, because it goes through two computers. What I want is for E to pull the Samba share files up on his computer, and work on them directly there, while the files stay on the server here.

Thanks acid_kewpie and nikmit!

acid_kewpie 12-17-2012 04:08 AM

Two factor is using a key fob or other one-time password technique. Ideally you shouldn't be opening yourself up to brute force attacks, and if all accounts that are able to log in have constantly changing passwords, you'll never risk being subject to a brute force password attack. The simpler alternative over ssh is a preshared key, not gpg at all, which replaces the password with a digital signature, meaning it's impossible to log in without that key file on the client.

VPNs are absolutely NOT for taking over a machine; they are how you make a remote machine appear to be on a local network. They provide a direct network connection between two remote networks, and this would be the classic default way you would do what you want.
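The two controls discussed in this thread for an ssh login (key-only authentication so there is no password to brute force, and restricting the account to E's known home address) can be expressed as sshd_config and authorized_keys settings. The script below is an added example, not from any poster; the config fragment, the IP address and the key line are constructed placeholders, and the helper names (harden_sshd_config, find_weak_settings, restricted_authorized_key) are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread). Audits a constructed sshd_config fragment
# for password-based login, emits a hardened form, and builds an authorized_keys
# line pinned to one client address. Placeholders only: no real hosts or keys.

# Constructed "before" fragment resembling a default sshd_config.
WEAK_SSHD_CONFIG='Port 22
PermitRootLogin yes
PasswordAuthentication yes
PubkeyAuthentication yes
X11Forwarding yes'

# Print the lines that still allow password or root logins (brute-force targets).
# Prints nothing when the fragment is clean.
find_weak_settings() {
    printf '%s\n' "$1" | grep -E '^(PasswordAuthentication|PermitRootLogin) yes' || true
}

# Hardened form: keys only, no root, no X11, and only one account may log in.
# $1 = config text, $2 = the single allowed login name.
harden_sshd_config() {
    printf '%s\n' "$1" \
      | sed -e 's/^PermitRootLogin .*/PermitRootLogin no/' \
            -e 's/^PasswordAuthentication .*/PasswordAuthentication no/' \
            -e 's/^X11Forwarding .*/X11Forwarding no/'
    printf 'ChallengeResponseAuthentication no\nAllowUsers %s\n' "$2"
}

# authorized_keys entry accepted only from one source address, with agent and
# X11 forwarding disabled since a Samba tunnel needs neither.
# $1 = E's fixed home IP, $2 = E's public key line.
restricted_authorized_key() {
    printf 'from="%s",no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2"
}

# Constructed placeholder key (not valid key material).
SAMPLE_PUBKEY='ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC-PLACEHOLDER employee-E@home'

echo '--- weak settings found:'
find_weak_settings "$WEAK_SSHD_CONFIG"
echo '--- hardened sshd_config:'
harden_sshd_config "$WEAK_SSHD_CONFIG" employee_e
echo '--- authorized_keys line:'
restricted_authorized_key 203.0.113.45 "$SAMPLE_PUBKEY"
```

The from= restriction only helps when E's DSL address is static; a changing address would need a VPN or a wider address range instead.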

evgenyz 12-17-2012 09:07 AM

The most secure and elegant way to set up a network to allow E to log in to the server is definitely a VPN connection.
However, someone working from home happens to be away from his desk for a while (shopping, banking etc). From my experience I know that the most critical problems happen when I'm away from my desk (Murphy's law).
I am now examining an email-to-application communication tool which allows man-to-application communication from any smartphone device using encrypted email messages.
Using such a tool, you can react faster to system events or at least provide the "first line of response" until you come back to your desktop and establish a VPN connection with the server.

acid_kewpie 12-17-2012 09:19 AM

Quote:

Originally Posted by evgenyz (Post 4850908)
The most secure and elegant way to set up a network to allow E to log in to the server is definitely a VPN connection.
However, someone working from home happens to be away from his desk for a while (shopping, banking etc). From my experience I know that the most critical problems happen when I'm away from my desk (Murphy's law).
I am now examining an email-to-application communication tool which allows man-to-application communication from any smartphone device using encrypted email messages.
Using such a tool, you can react faster to system events or at least provide the "first line of response" until you come back to your desktop and establish a VPN connection with the server.

Sounds pretty contrived. There are plenty of ssh clients for Android and the like; just log in on your phone...

evgenyz 12-17-2012 09:34 AM

That's correct, but what are you going to do with a mobile ssh client if your organization prevents ssh connections?
On the contrary, the email port is always open...

acid_kewpie 12-17-2012 09:36 AM

smtp might be open, but having a dedicated system behind it to process email for this... blimey.

evgenyz 12-17-2012 09:45 AM

Quote:

smtp might be open, but having a dedicated system behind it to process email for this... blimey
It's not a dedicated system...
The configuration is pretty smart and does not require any smartphone client.
Again, it's not a replacement; it's just a complementary way for inexpensive communication with the server side. Even if you have a Mercedes in your garage, sometimes you prefer to use a bike...
It's just a matter of situation...

doublequote 12-17-2012 11:21 AM

Just to mention a few email based tools: RECEME, RemoteByEmail, GCALDaemon and now this alessoft.
I agree with evgenyz: it's a good complementary solution.

dgermann 12-17-2012 11:19 PM

Wow folks! You are sending me back to the books to look into VPN, for sure.

I do not understand the email and smartphone stuff, perhaps because I do not have a smartphone and do not see the use of one for accessing a network and doing work in LibreOffice or a spreadsheet. Seems cumbersome to me. Also, it sounds to me from your "the email port is always open" that E's machine would have to be set up to be an email server, which we would not do. (Which points up the necessity to lock down this machine strongly, too.)

For VPN, I had pictured how I use it: using remmina to login to a Win machine for an app not on Linux.

I like the idea of a pre-shared key, and I suppose you connect that with your key fob point, and give E a thumb drive with that key on it (wonder if there is a way to make that not able to be copied?), which if I can get E to remove it when not at the machine, would add a layer of security.

Thanks very much for all your help, acid_kewpie, evgenyz, and doublequote!

dgermann 12-17-2012 11:24 PM

Well that remote by mail stuff is scary!

I will need to make sure there is no email allowed in or out on the computer I provide to E. E can use E's own computer for email, which should not be necessary for E's work.

Thanks for putting me on to this!

evgenyz 12-18-2012 05:07 AM

It's scary only if you use a "home made" solution. If you use a commercial tool, it probably solves all security and configuration issues.
But this is only one of several ways. Just be aware of the existence of different access methods and choose what is right for you.

dgermann 12-18-2012 10:47 PM

Thanks, evgenyz!

I've got lots of reading to do on vpns!

