employee@home

dgermann · 12-12-2012, 10:14 PM

Hi--

A new employee, E, will be working from home. Production environment.

What is the most securce and elegant way to set up a network to allow E to log in to the server?

Main office: server is Ubuntu 12.04.1 LTS, serving up Samba shares to a half dozen Ubuntu 12.04.1 boxes and an Win XP Pro box. Desktops running LibreOffice and some vintage Windows things via Remmina. Connection is cable behind a router.

E's computer: will probably be Xubuntu 12.04 LTS. Connection is DSL behind a router.

I am thinking I want some sort of an ssh tunnel. I have done an ssh tunnel to a proxy server using tsocks, so I wonder if this would be similar?

Or is there a better way than ssh? Or in addition to ssh?

Thanks!

acid_kewpie · 12-13-2012, 03:05 AM

Well ssh is not the most secure or elegant, but it would probably work very well with just about zero setup, especially on the client side. The biggest issue on that side would be their identification and authentication. Can you / would you want to restrict them to known IP addresses? Only a few users? Enforce key based authentication? two factor?

Using the SSH transport, nx might be a good solution for remote desktop access.

nikmit · 12-13-2012, 09:58 AM

The textbook solutiuon (and the most common one) is a VPN. Setting up a VPN between two Linux boxes is simple and costs nothing. It can put your remote machine on the same network as your office, so the remote user can work as if in the office as far as network connection is concerned.

I have found OpenVPN to be easier to configure than StronSwan, however the latter is standard based and can work with a larger range of devices, not just Linux computers.

dgermann · 12-16-2012, 04:55 PM

acid_kewpie and nikmit--

Thanks for helping me!

Forgive me for being so long in getting back to you. I obviously need the help of an additional employee, since I was too busy to get back to you until now!

Wasn't aware of security issue with ssh. What's the thumbnail on that?

I generally try to make things as secure as I can. So yes, I would restrict to a particular ipaddress, and only one person would get in through the firewall.

By "key" I suspect you mean gpg, but that I have not figured out yet. Or perhaps you mean key generation under ssh (I see there is an ssh-keygen which looks like less of a learning curve than gpg)?

What do you mean by two factor?

I have kind of ruled out vpn, since that means we would need a dedicated machine in the office for the person to take over that desktop. VPN is only for controlling an "inside" desktop, yes?

Plus, I see vpn as just more computer overhead and slowing of the work through-put, because it goes through two computers. What I want is for E to pull the samba share files up on his computer, and work on them directly there, while the files stay on the server here.

Thanks acid_kewpie and nikmit!

acid_kewpie · 12-17-2012, 03:08 AM

two factor is using a key fob or other one time password technique. Ideally you shouldn't be opening yourself up to brute force attacks, and if all accounts that are able to log in have constantly changing passwords, you'll never risk being subject to a brute force password attack. the simpler alternative over ssh is a preshared key, not gpg at all, which replaces the password with a digital signature, meaning it's impossible to log in without that key file on the client.

VPN's are absolutely NOT for taking over a machine, they are how you make a remote machine appear to be on a local network. The provide a direct network connection between two remote networks, and this would be the classic default way you would do what you want.

evgenyz · 12-17-2012, 08:07 AM

The most securce and elegant way to set up a network to allow E to log in to the server is definitely a VPN connection.
However, for one working from home it's happen to be out of his desk for a while (shopping, banking etc). From my experience I know that the most critical problems are happen when I'm out of my desk (Murphy's law).
I examine now email-to-application communication tool which allows men-to-application communication from any smart phone device using encrypted email messages.
Using such tool, you can react faster to system events or at least provide the "first line of response" until you came back to your desktop and establish VPN connection with the server.

acid_kewpie · 12-17-2012, 08:19 AM

Quote:

Originally Posted by evgenyz

The most securce and elegant way to set up a network to allow E to log in to the server is definitely a VPN connection.
However, for one working from home it's happen to be out of his desk for a while (shopping, banking etc). From my experience I know that the most critical problems are happen when I'm out of my desk (Murphy's law).
I examine now email-to-application communication tool which allows men-to-application communication from any smart phone device using encrypted email messages.
Using such tool, you can react faster to system events or at least provide the "first line of response" until you came back to your desktop and establish VPN connection with the server.

sounds pretty contrived. There are plenty of ssh clients for Android and the likes, just log in on your phone...

evgenyz · 12-17-2012, 08:34 AM

That's correct, but what you are going to do with mobile ssh client if your organization prevents ssh connection?
In the contrary, the email port is always open...

acid_kewpie · 12-17-2012, 08:36 AM

smtp might be open, but having a dedicated system behind it to process email for this... blimey.

evgenyz · 12-17-2012, 08:45 AM

Quote:

smtp might be open, but having a dedicated system behind it to process email for this... blimey

It's not a dedicated system...
The configuration is pretty smart and not requires any smart phone client.
Again, it's not a replacement, it's just complementary way for inexpensive communication with the server side. Even if you have a Mercedes in your garage, some times you prefer to use bike...
I't just a matter of situation...

doublequote · 12-17-2012, 10:21 AM

Just to mention a few email based tools: RECEME, RemoteByEmail, GCALDaemon and now this alessoft.
I agree with evgenyz: it's good complementary solution.

dgermann · 12-17-2012, 10:19 PM

Wow folks! You are sending me back to the books to look into VPN, for sure.

I do not understand the email and smart phone stuff--perhaps because I do not have a smart phone and do not see the use of one for accessing a network and doing work on Libre Office or a spreadsheet. Seems cumbersome to me. Also sounds to me from your "the email port is always open" that E's machine would have to be set up to be an email server, which we would not do. (Which points up the necessity to lock down this machine strongly, too.)

For VPN, I had pictured how I use it: using remmina to login to a Win machine for an app not on Linux.

I like the idea of a pre-shared key, and I suppose you connect that with your key fob point, and give E a thumb drive with that key on it (wonder if there is a way to make that not able to be copied?), which if I can get E to remove it when not at the machine, would add a layer of security.

Thanks very much for all your help, acid_kewpie, evgenyz, and doublequote!

dgermann · 12-17-2012, 10:24 PM

Well that remote by mail stuff is scary!

I will need to make sure there is no email allowed in or out on the computer I provide to E. E can use E's own computer for email, which should not be necessary for E's work.

Thanks for putting me on to this!

evgenyz · 12-18-2012, 04:07 AM

It's scary only if you use the "home made" solution. If you use commercial tool it probably solves all seccurity and configuration issues.
But this is only one of a several ways. Just be aware of the existence of different access methods and choose what is right for you.

dgermann · 12-18-2012, 09:47 PM

Thanks, evgenyz!

I've got lots of reading to do on vpns!