New "non-official" addon - SSH Folders

Hello everyone.

A client of mine (a consulting firm) asked me if there was a way to simplify the process of receiving documentation from their clients (the firm’s client companies) without setting up a VPN. They would configure a VPN on the client’s end with their certificate or WireGuard, and then grant access to a location where the documentation (invoices, etc.) could be stored. This led me to create something to make this process as easy as possible.

Let me explain. Some might consider this a security breach (constructive criticism is welcome), but I thought of going a step beyond Samba using SSH.

The idea is to set up an HDD/SSD using ExtraHD and then create Global Users. These users could have access to all the company folders, or they could have access only to certain folders, by assigning them specific access roles. These users would be the ones used by my client (the consulting firm).

Next, in “Add Company,” create the folders corresponding to my client’s client companies and create users within those folders. (A user created in this section will only be able to access that folder with the established roles.) These users created here would be used by the consulting firm’s clients.

To take it a step further, I’ve created non-secure access via “username/password” (https://ip_ipfire:444/sshfolders) so the consulting firm can manage this without having to access the IPFire console, along with the downloadable files for the Windows application used to map these SSH drives.

It seems complicated, but I’ve tried to make it as simple as possible, and as always, I’ve ensured that nothing in IPFire is affected by future updates.

If you want to try it, download the file, extract it to /tmp, for example, and run ./install.sh.

The page is available in Spanish, English, German, French, and Italian at IPFire → SSH Folders.

To access the client console without logging in: https://ip_ipfire:444/sshfolders

I don’t know how to attach this file to the thread. Here’s a link to download it:

http://northsecure.es/Varios/sshfolders.ipfire.tgz

I hope you try it and give your feedback.

Regards.

I’ve added a feature that I think is a good thing, since accessing the Public area without a password was very insecure.

Now, Global Users with the Administrator role can access the public area with the same credentials. This way, this configuration isn’t as vulnerable to unauthorized changes.

To apply the change, uninstall and reinstall.

Bye.

Hi,

I had the chance to try your component on a test machine, and I have to say the idea behind it is really interesting. It’s clear that a lot of effort and work went into the project.

That said, based on how I usually manage systems, I personally wouldn’t use it on a machine exposed directly to the internet, mainly due to some security and management considerations.

I also think that, with a few small changes and by revising some parts, it could become even clearer and easier to use for those who adopt it.

In any case, thank you for the work you’ve shared and for contributing to the community.

1 Like

Hi @tratru.

Thanks for trying it. You can leave SSH open to the internet by limiting the rules by country and time, or use OpenVPN or WireGuard if you don’t want to expose your SSH connection.

I think it’s not complicated to use once you get the hang of it. Global Users are for your access, for example, and the Users created in the Company folders are to facilitate access for Client Users.

Imagine you install this add-on in a consulting firm. Global Users are for access by the firm’s employees, and the Users created in the folders are for access by the firm’s clients so they can upload documents for the firm to manage.

Thanks again for your feedback. It’s very valuable to me.

Hi, I understand your point correctly.
If I need to use a VPN, I can make sure users can reach a NAS on the local network, for example.

That’s right, a NAS is another option, but it involves more complexity in creating folders and permissions that a consultant’s manager isn’t going to learn (QNAP, Synology, etc.). Besides, there’s the increased cost…

This add-on I’ve created is so incredibly simple that any employee at this supposed consulting firm could manage it without you or the IT department having to intervene every other day.

Everyone is free to adopt the devices and security measures they deem appropriate, but the most important thing is having alternatives available. This is one of them.

Also, it’s worth noting that this is an add-on designed to facilitate document sharing. It’s not designed for document storage (although it allows it, it lacks a native backup, which can be done with third-party tools).

Have you tried the latest version? It has access credentials for the public area.

In fact, I find your component interesting, but as I said, I wouldn’t use it for an internet-facing system, for many reasons.
But as you said, having an alternative and knowing that it’s possible is always helpful.
I tried the version you published and downloaded the package this afternoon.

Alternatively, without these clients from this supposed static public IP consultancy, you can create the firewall rule with this IP group or use my other add-on for firewall DynDNS resolution.

Here it is: Firewall_Dynamic addon

These are options. Everyone should use them according to their needs or criteria.

In any case, thank you for trying it and giving your valuable feedback.

Hello everyone!

@tratru, I’ve been considering adding more security to the add-on and have implemented “Public key authentication.” Now, external connections can be configured using this system. This will make it much harder to attack using brute force.

Download link:
http://northsecure.es/Varios/sshfolders-v2.ipfire.tgz

Try it out and let me know if you see any areas for improvement.

Thanks for your feedback.
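For readers who want to see how the two user classes described in this thread (global users who reach every company folder, company users confined to their own folder) combine with the key-only authentication added in v2, here is an illustrative sshd_config generator. This is an added example written for this discussion, not the add-on’s own install.sh or configuration; the /srv/sshfolders layout and the sshf_* Unix group names are assumptions.

```shell
#!/bin/sh
# Added example: builds an sshd_config fragment that confines each
# company's users to their own folder (SFTP only, no shell) and gives
# the firm's global users SFTP access to all folders, keys only.
# Assumed layout (not from the thread): /srv/sshfolders/<company>,
# company users in group sshf_<company>, firm users in sshf_global.

BASE=/srv/sshfolders

# Global hardening. Must precede any Match block, because every line
# after a Match belongs to that Match until the next one.
global_settings() {
    cat <<'EOF'
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
Subsystem sftp internal-sftp
EOF
}

# One Match block per company. ChrootDirectory must be root-owned and
# not writable by the user, so uploads go to a writable "incoming"
# subdirectory inside it; -d makes that the SFTP start directory.
company_match() {
    company=$1
    printf 'Match Group sshf_%s\n' "$company"
    printf '    ChrootDirectory %s/%s\n' "$BASE" "$company"
    printf '    ForceCommand internal-sftp -d /incoming\n'
    printf '    AllowTcpForwarding no\n'
    printf '    X11Forwarding no\n'
    printf '    PermitTTY no\n'
}

# Global users see every company folder but still get SFTP only.
global_match() {
    printf 'Match Group sshf_global\n'
    printf '    ChrootDirectory %s\n' "$BASE"
    printf '    ForceCommand internal-sftp\n'
    printf '    AllowTcpForwarding no\n'
    printf '    PermitTTY no\n'
}

# Build the complete fragment for the given company names.
build_config() {
    global_settings
    for c in "$@"; do
        company_match "$c"
    done
    global_match
}

build_config acme globex   # constructed company names
```

Append the output to sshd_config and validate it with `sshd -t` before reloading; a company user then lands in /incoming of their own folder and cannot list or reach any other company’s directory.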

Exposing IPFire with an open https connection to the internet is not a good idea.
It’s definitely more secure to set up a dedicated machine in the DMZ (Orange) and provide VPN-based access.
It’s also important that the rules prevent communication from the DMZ to the internal network.
The rule should only be from the internal network to a machine in the DMZ network.
I recommend reading:

The idea is for the firewall to be a transit with rules to the target machine.

Vulnerabilities in the https protocol appear from time to time.
This is, of course, my opinion.

2 Likes

Thanks, Roberto.
I tried your component with the addition of the public signature.
From what I’ve tested, it’s significantly better than before.
Thanks for all the work you’ve done.
Umberto

1 Like

@alexand, also my opinion… 100% agreed. I have never understood why folks want IPF to do anything other than good firewalling. Each to their own, I guess… and I respect that.

1 Like

Hello.

I’ve applied a fix to the latest version v2, as in the public area, the Administrator (or User with Administrator privileges) couldn’t change the authentication method.

Also, a cosmetic improvement: for Users created within folders/companies, unnecessary fields are now hidden when the “Password” or “Public Key” authentication method is selected (to avoid confusion).

Bye.

Good morning.

I’ve applied various security patches to the add-on, and now, “supposedly, it’s secure.” I’ve run an audit with Claude AI, and the result was excellent.

So, unless someone reports a bug, I’m assuming it’s safe.

http://northsecure.es/Varios/sshfolders-final.ipfire.tgz

Thank you all for your opinions and tests, especially @tratru for their interest.

Have a great weekend!