Solved

Ways to connect a Windows box to a Windows server share through SSH?

Posted on 2007-11-20
Last Modified: 2010-04-21
Our Windows desktops and servers are on two different networks with port 139 blocked, so simple file mapping cannot occur. However, ssh is allowed.

Currently the only way I know how to map a drive to a Windows share through ssh is:
- Create an MS loopback
- Set up a PuTTY session with an ssh server on the server network and tunnel 139 through that session.

This is extremely tedious, b/c for every mapped drive you have to set up an additional loopback. Anyone else have any other suggestions?
0
Question by:WinPE
17 Comments
 
LVL 16

Expert Comment

by:Blaz
ID: 20320086
The first question would be why is port 139 blocked. Is there a good reason for that? You are trying to bypass this limitation so if there is a good reason for blocking port 139 there should be a good reason not to create bypasses...

Otherwise you can forward the port 139 (which I believe you are doing) but from a single computer you can only forward to one server (not only for one shared folder).

You could also use other copying software: ftp, sftp, ...
0
 

Author Comment

by:WinPE
ID: 20320312
Well, they block 139 along with most major ports, except for common ssh ports, e.g. 22. If I could find evidence of an encrypted CIFS protocol on 445 I would, but I can't.

The problem here is we are a 95% Unix/Linux shop. In the past Windows users had these ports opened to file share between the production world. Now that is turned off and I need to find the best/easiest possible way for these users to still access production files from non-production network desktops. If ssh tunneling through PuTTY or WinSCP is the best way then so be it.


I guess I could always set up Samba drop boxes inside the production network?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 20322149
If you tunnel port 139 (and 137 probably too) to a server, there should be no need for more than one ssh connection.
Could you please post your configuration (ssh command line)?
0
 

Author Comment

by:WinPE
ID: 20322248
That's it though, we're connecting to multiple servers. Sometimes up to 20, 20 loopbacks?

I'm using putty to tunnel the ssh
10.0.0.1:139           testserver.blah.com:139
0
 
LVL 16

Expert Comment

by:Blaz
ID: 20323745
What about using a VPN connection? You could use openVPN to connect the two sites through port 22 for example. http://openvpn.net/
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 20326068
Blaz, the problem with all ssh tunneling is that you need a unique local port for each remote server, hence you may tunnel up to roughly 65000 remote servers' port 139, but each needs its unique local port.
I assume that WinPE cannot change stupid XP to use a port other than 139 for SMB.
0
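The listener constraint raised in the comments above, as an added example that is not part of the thread or any poster's code: a local forward is identified by its (IP, port) pair, so with the client fixed to port 139 each server needs its own loopback address. The 10.0.0.0/24 loopback range, the `example.com` hosts and all function names are assumptions; `testserver.blah.com` is the host from the thread.

```python
import ipaddress

SMB_PORT = 139  # assumption from the thread: the Windows client only uses this port


def plan_forwards(servers, loopback_net="10.0.0.0/24", port=SMB_PORT):
    """Give each remote server its own local listener address.

    With the port fixed, only the IP can differ, so every server
    consumes one address bound to a loopback adapter."""
    if len(set(servers)) != len(servers):
        raise ValueError("duplicate server name in list")
    hosts = iter(ipaddress.ip_network(loopback_net).hosts())
    plan = []
    for server in servers:
        try:
            listen_ip = next(hosts)
        except StopIteration:
            raise ValueError(f"{loopback_net} has no free address for {server}") from None
        plan.append((str(listen_ip), port, server, port))
    return plan


def listener_conflicts(plan):
    """Return the servers whose (IP, port) listener is already taken."""
    seen, clashes = set(), []
    for listen_ip, listen_port, server, _ in plan:
        key = (listen_ip, listen_port)
        if key in seen:
            clashes.append(server)
        seen.add(key)
    return clashes


def ssh_forward_args(plan):
    """Render the plan as OpenSSH-style -L bind_address:port:host:hostport."""
    if listener_conflicts(plan):
        raise ValueError("two forwards share one local listener")
    return [f"-L {ip}:{lp}:{host}:{rp}" for ip, lp, host, rp in plan]


# Constructed sample: testserver.blah.com is from the thread, the rest are made up.
SERVERS = ["testserver.blah.com", "files2.example.com", "files3.example.com"]

if __name__ == "__main__":
    for arg in ssh_forward_args(plan_forwards(SERVERS)):
        print(arg)
    # Without extra loopback addresses every forward wants 10.0.0.1:139.
    naive = [("10.0.0.1", SMB_PORT, s, SMB_PORT) for s in SERVERS]
    print("servers that cannot get a listener:", listener_conflicts(naive))
```

Each address in the plan still has to exist on the client (one loopback adapter address per server), which is the overhead the question describes.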
 
LVL 16

Expert Comment

by:Blaz
ID: 20326449
@ahoffmann: Yes I am aware of ssh port forwarding limitations - in the past I have successfully forwarded port 139 for windows file sharing over SSH and also forwarded this port with DNAT. I noted this limitation in my first post - effectively from one machine (or interface or IP) you can forward to only one server.

That is why I am suggesting to connect the two networks with a VPN (which can run over SSH). With VPN you can connect two subnetworks together (all computer IPs with all the ports) over a single SSH session. As I have not used openVPN product before I am not sure if this can be done with it so please correct me if I am wrong.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 20326512
ahh, I missed the point to connect the whole subnet ...
0

 

Author Comment

by:WinPE
ID: 20328220
Only a small part of our company needs to access these Windows servers. So I could change the port through the registry if it's possible.

Could I map the port through an IPsec tunnel, when the two domains aren't trusted? Guess I'm stuck with ssh. Most likely I will stick a Windows drop box or a Unix Samba server at each major site... have the users ssh into that box either through a Windows daemon or Unix share and grab the files... The rest of the files can be moved within the network to those shares.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 20334065
if you have IPSec, then the networks are connected anyway, why would you then use ssh for tunneling?
0
 

Author Comment

by:WinPE
ID: 20334686
We could use IPsec, but the desktop domain and the production domain are different... and they aren't trusted... So as far as I know, IPsec can't work across untrusted domains.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 20335162
IPSec has nothing to do with domains (neither DNS nor Windows domains).
It just relies on IPs, its configuration and the keys you use.
0
 

Author Comment

by:WinPE
ID: 20383023
There's no way to tie an sshd server into Active Directory for authentication, right?
0
 
LVL 51

Accepted Solution

by:
ahoffmann earned 500 total points
ID: 20388124
You mean sshd on windoze?
On Unix/Linux sshd can be configured with PAM modules which authenticate against AD also, IIRC ...
0
 

Author Comment

by:WinPE
ID: 20388528
Really? Can I configure sshd within Cygwin to do this?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 20388661
cygwin is poor windoze, I doubt (but have to admit that I never tested ...)
0
 

Author Closing Comment

by:WinPE
ID: 31410120
copssh will work in this situation for me.
0
