Secure Access For Web Hosting


Postby driggs » Jan 27, 2010 2:54 pm

Our grotto hosts a website on the www.caves.org servers, which I frequently update. I'm sitting here in a busy coffee shop on a wireless network, unable to push an update out because we may only update files using FTP, which sends the password in plain-text for anyone here to "sniff" out of the air.

Are there plans for secure SSH/SFTP access in the near future?
driggs
NSS Hall Of Fame Poster
 
Posts: 495
Joined: Sep 12, 2005 9:40 pm
Location: State of Jefferson
Name: David A. Riggs
NSS #: 56189
Primary Grotto Affiliation: Monongahela
  

Re: Secure Access For Web Hosting

Postby vtdarrell » Jan 29, 2010 10:53 pm

Sorry I didn't reply to this thread sooner. I'm configured for email when others post to the IT Forum, but that doesn't appear to be working....

As for your question...

SSH access will probably never be an option.

SFTP is an option. I've tried to keep our server as close to baseline as possible so that I don't create a configuration that others would be lost trying to figure out (if I were hit by a bus). SFTP has several hoops to jump through.

It's more likely that we will move to an Apache DAV service because of the flexibility afforded concerning ACLs. Right now, we have to create a user on the linux box for FTP access. Apache DAV would relieve us of that requirement as users/passwords are completely controlled through all the standard Apache authnz methods. It's a part of a larger project, establishing a username/password for every member of the NSS so we can have a better method of dues payment. That project has been on hold as the NSS Office moves to new accounting software (of course, that project has been on the books for a while, but there's been a lot of movement in the last few months).
Darrell Wells
NSS IT Chairman
NSS# 55359
vtdarrell
NSS IT Chair
 
Posts: 27
Joined: Nov 10, 2007 9:29 am
Location: Blacksburg, Va
Name: Darrell Wells
NSS #: 55359
  

Re: Secure Access For Web Hosting

Postby driggs » Jan 30, 2010 8:56 pm

vtdarrell wrote: SSH access will probably never be an option.

SFTP is an option. I've tried to keep our server as close to baseline as possible so that I don't create a configuration that others would be lost trying to figure out (if I were hit by a bus). SFTP has several hoops to jump through.

It's more likely that we will move to an Apache DAV service because of the flexibility afforded concerning ACLs. Right now, we have to create a user on the linux box for FTP access. Apache DAV would relieve us of that requirement as users/passwords are completely controlled through all the standard Apache authnz methods. It's a part of a larger project, establishing a username/password for every member of the NSS so we can have a better method of dues payment. That project has been on hold as the NSS Office moves to new accounting software (of course, that project has been on the books for a while, but there's been a lot of movement in the last few months).


I'm definitely not asking for SSH shell access, I just meant that SFTP is FTP wrapped in the SSH protocol.

If you're already adding system accounts in order to grant FTP access, I'd think it would be relatively easy to grant SFTP access as well. For example, I believe that you can set the users' shell to `rssh`, the restricted shell, and easily limit their account to SFTP and SCP access only; though you may need to stuff them into a chroot still.

The point is, however, that insecure FTP isn't even allowed in most industry; if a plan isn't even in place yet, it's definitely time for the IT Committee to start planning for some sort of secure access.

Re: Secure Access For Web Hosting

Postby Alex Sproul » Jan 30, 2010 9:26 pm

driggs wrote: The point is, however, that insecure FTP isn't even allowed in most industry; if a plan isn't even in place yet, it's definitely time for the IT Committee to start planning for some sort of secure access.


Sign that guy up, Darrell, and get him to implement it! :pray:

Alex
Alex Sproul
NSS 8086RL/OS
Alex Sproul
Frequent Poster
 
Posts: 91
Joined: Sep 7, 2005 12:58 pm
Location: Greenville, VA
Name: Alex Sproul
NSS #: 8086RL/OS
  

Re: Secure Access For Web Hosting

Postby vtdarrell » Feb 1, 2010 12:46 am

driggs wrote: Our grotto hosts a website on the http://www.caves.org servers, which I frequently update. I'm sitting here in a busy coffee shop on a wireless network, unable to push an update out because we may only update files using FTP, which sends the password in plain-text for anyone here to "sniff" out of the air.

Are there plans for secure SSH/SFTP access in the near future?


The Monongahela grotto now has sftp capabilities.

With that said... let me just add, it's more than just an rssh and chroot jail... Other considerations: uid/gid that Apache is running as, uid/gid that PHP is running as, uid/gid assigned to files when they're uploaded vs. when they are created by PHP (the ftpd daemon currently does a chown for you so that things like PHP work the way you expect them to).

You'll notice that when you login (via either ftp or sftp) that you now have an httpdocs directory. That's the only directory that is going to be delivered by the webserver for http://www.caves.org/grotto/mongrotto/.

I fully expect file/directory permissions to present some problems for PHP in this configuration. I'll try to work through them. We'll also have to redo how we calculate space for billing purposes... next weekend's project...

If anybody else out there that currently has hosted-io space on caves.org wants to test out sftp, drop me a note at admin@caves.org.

Re: Secure Access For Web Hosting

Postby driggs » Feb 1, 2010 10:57 pm

I'd like to thank Darrell for coming up with a solution - more complete and graceful than the one that I suggested - and implementing it extremely quickly such that everything "just worked" on my first test! I don't think he has the administrative tools in place to roll things out for everyone yet, but it looks like brave guinea pigs are in excellent hands and need not hesitate to do things the Right Way while helping to test the configuration.

Alex, I offered my "services" to Darrell, but it sounds like he's out of my league and has this well under control!

THANKS!

Re: Secure Access For Web Hosting

Postby Alex Sproul » Feb 1, 2010 11:29 pm

driggs wrote: I'd like to thank Darrell for coming up with a solution - more complete and graceful than the one that I suggested - and implementing it extremely quickly such that everything "just worked" on my first test!


:clap: :clap: :clap: :clap: :banana_yay: :banana: :clap: :clap: :kewl:

driggs wrote: Alex, I offered my "services" to Darrell, but it sounds like he's out of my league and has this well under control!


:laughing: On Darrell's behalf, I accept your kind offer! He's way outa my league, too, which is why we need a half-dozen major-geek volunteers so he can take an occasional break.

Alex

Re: Secure Access For Web Hosting

Postby driggs » Feb 8, 2010 1:13 pm

Both the WVUSG and MonGrotto websites are returning a 404 as of this morning, while other grottoes' websites return fine. When trying to SFTP to both accounts, my connection is immediately closed.

I checked a third grotto's account (FTP-only) and was able to log in and the site was served up fine by Apache.

I saw a "generic Apache test page" being served up for CaveChat this weekend, so there was obvious tweaking going on recently.

Please help ASAP!

Re: Secure Access For Web Hosting

Postby vtdarrell » Feb 8, 2010 2:07 pm

Your problem has been corrected.

In the process of getting everyone else set up for the move to sftp, I broke the early adopters' configuration (namely yours).

Re: Secure Access For Web Hosting

Postby driggs » Feb 8, 2010 2:19 pm

vtdarrell wrote: Your problem has been corrected.

In the process of getting everyone else set up for the move to sftp, I broke the early adopters' configuration (namely yours).


Such is life on the edge.

Thanks for the speedy fix!

