Kai Krakow <hurikhan77@×××××.com> writes:

> On Sat, 29 Apr 2017 20:30:03 +0100
> lee <lee@××××××××.de> wrote:
>
>> Danny YUE <sheepduke@×××××.com> writes:
>>
>> > On 2017-04-25 14:29, lee <lee@××××××××.de> wrote:
>> >> Hi,
>> >>
>> >> since the usage of FTP seems to be declining, what is a replacement
>> >> which is at least as good as FTP?
>> >>
>> >> I'm aware that there's webdav, but that's very awkward to use and
>> >> missing features.
>> >
>> > What about sshfs? It allows you to mount a location that can be
>> > accessed via ssh to your local file system, as if you are using
>> > ssh.
>>
>> Doesn't that require ssh access? And how do you explain that to ppl
>> finding it too difficult to use Filezilla? Is it available for
>> Windoze?
>
> Both, sshfs and scp, require a full shell (that may be restricted but
> that involves configuration overhead on the server side).

I wouldn't want them to have that.

> You can use sftp (FTP wrapped into SSH), which is built into SSH. It
> has native support in many Windows clients (most implementations use
> PuTTY in the background). It also has the advantage that you can
> easily restrict users on your system to SFTP-only with an easy
> server-side configuration.

From what I've been reading, sftp is deprecated and has been replaced by
ftp with TLS.

>> > Also samba can be a replacement. I have a samba server on my OpenWRT
>> > router and use mount.cifs to mount it...
>>
>> Does that work well, reliably and securely over internet connections?
>
> It supports encryption as transport security, and it supports kerberos
> for secure authentication, the latter is not easy to set up in Linux,
> but it should work with Windows clients out-of-the-box.
>
> But samba is a pretty complex daemon and thus offers a big attack
> surface for hackers and bots. I'm not sure you want to expose this to
> the internet without some sort of firewall in place to restrict access
> to specific clients - and that probably wouldn't work for your scenario.

At least it's a possibility. I don't even know if they have static IPs,
though.

> But you could offer access via OpenVPN and tunnel samba through that.

I haven't been able yet to figure out what implications creating a VPN
has. I understand it's supposed to connect networks through a secured
tunnel, but what kind of access to the LAN does someone get who connects
via VPN? Besides, VPN is extremely complicated and difficult to set
up. I consider it an awful nightmare.

Wireguard seems a lot easier.

> By that time, you can as easily offer FTP, too, through the tunnel
> only, as there should be no more security concerns now: It's encrypted
> now.

The ftp server already doesn't allow unencrypted connections.

Now try to explain to ppl for whom Filezilla is too complicated how to
set up a VPN connection and how to secure their LAN once they create the
connection (if we could ever get that to work). I haven't been able to
figure that out myself, and that is one of the main reasons why I do not
have a VPN connection but use ssh instead. The only disadvantage is
that I can't do RDP sessions with that --- I probably could and just
don't know how to --- but things might be a lot easier if wireguard
works.

> OpenVPN also offers transparent compression which can be a big
> plus for your scenario.

Not really, a lot of data is images, usually JPEG, some ZIP files, some
PDF. All that doesn't compress too well.

> OpenVPN is not too difficult to set up, and the client is available for
> all major OSes. And it's not too complicated to use: Open VPN
> connection, then use your file transfer client as you're used to. Just
> one simple extra step.

I'm finding it a horrible nightmare, see above. It is the most
difficult thing you could come up with. I haven't found any good
documentation that explains it, the different types of it, how it works,
what to use (apparently there are many different ways or something, some
of which require a static IP on both ends, and they even give you
different disadvantages in performance ...), how to protect the
participants and all the complicated stuff involved. So far, I've
managed to stay away from it, and I wouldn't know where to start. Of
course, there is some documentation, but it is all confusing and no
good.

The routers even support it. In theory, it shouldn't be difficult to
set up, but that's only theory. They do not have any documentation as
to how to protect the connected networks from each other. I could
probably get it to work, but I wouldn't know what I'm doing, and I don't
like that.


I admit that I don't really want to know how VPN works because it's
merely an annoyance and not what I need. What's needed is a simple,
encrypted connection between networks, and VPN is anything but that.

Wireguard sounds really simple. Since I need to set up a VPN or
VPN-like connection sooner than later, I'm considering using it.


--
"Didn't work" is an error.
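
Added example, not part of the original message or of anyone's code in this thread: the quoted reply mentions restricting users to SFTP-only through server-side configuration, and this Python audit checks whether the Match blocks of an sshd_config actually enforce that. The sample configuration, the group name "sftponly", the user "backup" and the chroot path are constructed assumptions.

```python
# Added example: check that sshd_config Match blocks really enforce SFTP-only.
# SAMPLE_CONFIG is constructed; group, user and path names are assumptions.
SAMPLE_CONFIG = """\
Match Group sftponly
    ChrootDirectory /srv/sftp/%u
    ForceCommand internal-sftp
    AllowTcpForwarding no
    X11Forwarding no

Match User backup
    ForceCommand internal-sftp
"""

# ForceCommand alone replaces the shell but does not stop port forwarding.
REQUIRED = {
    "forcecommand": "internal-sftp",
    "allowtcpforwarding": "no",
    "x11forwarding": "no",
}

def parse_match_blocks(text):
    """Return {match criteria: {directive: value}} for every Match block."""
    blocks, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *rest = line.split(None, 1)
        key, value = key.lower(), (rest[0].strip() if rest else "")
        if key == "match":
            current = blocks.setdefault(value, {})
        elif current is not None:
            current.setdefault(key, value)  # sshd keeps the first value it reads
    return blocks

def audit(text):
    """Return {match criteria: [problems]}; an empty list means SFTP-only holds."""
    report = {}
    for criteria, opts in parse_match_blocks(text).items():
        problems = [f"{name} should be {want!r}, found {opts.get(name)!r}"
                    for name, want in REQUIRED.items()
                    if opts.get(name, "").split()[:1] != [want]]
        if "chrootdirectory" not in opts:
            problems.append("no ChrootDirectory: account is not confined to one tree")
        report[criteria] = problems
    return report

if __name__ == "__main__":
    for criteria, problems in audit(SAMPLE_CONFIG).items():
        print(criteria, "->", problems or "SFTP-only enforced")
```

On the constructed sample, the "sftponly" group passes while the "backup" user is flagged for leaving forwarding unrestricted and for having no chroot.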