The premise
I've been tasked with finding a solution to the following scenario:
- our main file server is a Linux machine.
- on the LAN, users simply access the files using SMB.
- each user has an account on the file server and his/her own access rights.
- user accounts are simple passwd/group security accounts, not NIS/LDAP.
The problem
We want to give users (or at least some of them, say if they belong to a particular group) the ability to access the files from the Internet while travelling.
Ideally
- I'd like a seamless solution. Maybe something that allows the user to access a mapped drive would be ideal.
- A web-oriented solution is also good but it should present files in a way that is familiar to users, in an explorer-like fashion for instance.
- Security is a must of course, and users would be expected to log in.
The connection to the server should also be encrypted.
Does anyone have some pointers to neat solutions?
Any experiences?
Edit
The client machines are Windows only.
OpenVPN will make you very, very happy, I think. It's pretty easy to set up with static keys for testing and playing around, and only marginally more difficult to set up with certificates when you're ready to go into production.
You can require logins on the clients via your server's PAM (and thus your /etc/passwd file), in addition to either static keys or certificates, by using the "auth-pam.pl" script provided and the "auth-user-pass" directive in your client configurations.
The OpenVPN GUI for Windows is very nice, so if your clients have Windows machines it won't be a jarring command line-based experience.
All-in-all, I've been very pleased with OpenVPN.
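The certificate-plus-PAM-login setup described in the answer above, as an added example (not part of the original answer and not OpenVPN's shipped sample configuration). The file paths, the host name vpn.example.com, the tunnel subnet and the 192.168.1.10 file-server address are constructed placeholders.

```conf
# ---- server.conf (Linux file server or gateway) ----
port 1194
proto udp
dev tun
ca   /etc/openvpn/ca.crt          # placeholder paths
cert /etc/openvpn/server.crt
key  /etc/openvpn/server.key
dh   /etc/openvpn/dh.pem
tls-auth /etc/openvpn/ta.key 0    # drop unauthenticated packets early
server 10.8.0.0 255.255.255.0     # constructed tunnel subnet

# Username/password check on top of the client certificate.
# auth-pam.pl receives the credentials in a temporary file (via-file)
# and validates them through PAM, i.e. against the local passwd accounts.
script-security 2                 # required so OpenVPN may run the script
auth-user-pass-verify /etc/openvpn/auth-pam.pl via-file

# Route only the file server to clients, not the whole LAN.
push "route 192.168.1.10 255.255.255.255"

# The script runs with the daemon's privileges, and PAM password checks
# against /etc/shadow need root, so this example does not drop privileges
# with the user/group directives.
persist-key
persist-tun

# ---- client.ovpn (Windows, loaded by the OpenVPN GUI) ----
client
dev tun
proto udp
remote vpn.example.com 1194       # placeholder host name
ca   ca.crt
cert client.crt
key  client.key
tls-auth ta.key 1
remote-cert-tls server            # refuse peers without a server certificate
auth-user-pass                    # prompt for the user's account password
```

The pushed host route only installs a route on the client; restricting what VPN clients can actually reach still takes firewall rules on the server for the tunnel subnet.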
Have you considered WebDAV? IIS has support along with NTLM authentication; on the client side you can use the Webfolders extensions built into Explorer since XP.
What about sshfs? That would take care of the requirements for passwords & encryption as well as the mapped drive type access.
If users already have accounts on the file server then it shouldn't require too much work to implement it on that end.
Your best option is to set up a VPN solution for your clients. This will satisfy all of the requirements that you specify. The connection will be encrypted, clients will only have to map a drive just like they were in the office, and they would still have access to everything else on your network just as if they were in the office. The only thing they would need to learn is how to log in to the VPN, which is trivial.
Xythos shared document management is a nice solution. Cost depends on setting, install size, etc., but it's a web interface with folder structure very familiar to Windows users. Many features available.
To answer my own question.
Apart from creating a VPN, the best solution I have found so far was to use WinSCP as a way to securely access the fileserver without opening the whole internal network.
Properly configured, WinSCP can look just like the familiar Windows explorer; it becomes easy to work on files, even allowing double-click to edit a file (the file is downloaded to a local temp directory, then automatically uploaded back when you save or close it).
The main issues are that out of the box:
- bash or sh) will expose the complete server file-system instead of just the data or home directories.
Both are easy enough to fix though:
- ini file that can then easily be deployed.
- MySecureShell that has various configuration settings to control the visibility of the files accessible to the user.
You haven't said what OS the clients have. In the case of Windows clients at least you can map a drive letter to an FTP connection. Perhaps similar can be done with Linux.
You can install PopTop on the server, and use Windows built-in VPN software (PPTP).