Secure? Samba over internet

[Chris Watt]

I'd like comments (suggestions, improvements, messages that start with "you
moron you forgot that. . .") on the following horrible dirty kludge to make
a (nearly, with any luck) un-hackable set of shares available to specific
users on the internet.
On the Server, initially all packets bound for port 139 are rejected as the
default policy.
The server is connected to the internet full time on a static IP.

I (Joe User) am kicking around somewhere in the big wide world with a PC
and an internet connection of some kind (we assume I have a "real" ip
address, but no telling in advance what it may be). I also have access to a
3'rd party POP account.
I use a script on my PC to automatically write a message like:
"The time is now 08:58:21 GMT and I'd like access as user joeuser from
123.123.123.123"

The script then calls PGP to sign the message with my private key
(prompting me for the passphrase, none of this stored passphrase
mumbo-jumbo) and when that operations terminates successfully it encrypts
the message with my server's private key and mails the message through my
POP account to an account like "samba_auth at server.somedomain" on the server.

The server receives and decrypts the e-mail, validates the signature, and
if everything checks out compares the time given in the message to the
current system time. If the message is less than 20 mins old (somebody else
may have Joe's current IP later on, but we must allow for inaccurate clocks
and processing time) the server does something like:

ipfwadm -I -a accept -D $SERVER_IP 139 -V $SERVER_IP -P tcp -S $IP_FROM_EMAIL

and possibly alerts Joe User in some fashion to tell me that my request has
been processed.

Joe User then successfully sync's his clock with the server, maps his home
directory to drive X: and plays with his favorite M$ program until it
crashes. A few minutes after connecting then he's finished, and he
disconnects. The configuration for the joeshome share in smb.conf contains
the line:

root postexec ipfwadm -I -d accept -D $SERVER_IP 139 -V $SERVER_IP -P tcp
-S %I

One thing I am unsure about is the ability of this system to withstand an
attempt by Joe User's remote ISP to gain access to Joe's account while he
is online. If you can answer the following questions I'd love to hear from
you:
1. If the ISP suddenly re-assigned Joe's IP address to one of their own
machines, would the postexec command be called and cut them off before they
could access Joe's files? Or would it have to wait until deadtime (or some
other timeout) killed Joe's inactive connection?

2. Is it possible that they (or somebody in between) could establish a
connection without breaking Joe's connection?

3. Can you think of any way to fake an access request message without
physical access to Joe's PC and his passphrase?

4. Can you think of a practical way to better automate the connection
process so that when the server has created the accept rule for Joe's IP it
will also do something to cause Joe's PC to realise that the process is
complete and it can now connect?

5. Does this system have blatantly obvious weak points that I've totally
missed?

6. Is there a simpler way to achieve the same basic effects (i.e.
establishing secure one-time samba access from an arbitrary IP address)?

6. Is it reasonable to assume that (unless the machine is rebooted, which
would clear the firewall rules anyway) the postexec line is certain to
execute at some point? Or would it be a good safety precaution to run a
cron job to remove all the rules that could have been created by this
process on a regular basis?

7. What problems might I encounter vis-a-vie NetBIOS and DNS? (Yes, save
the worst for last ;) I'd _guess_ that this would not be a problem, as "net
view \\$SERVER_IP" seems to work just fine on M$ systems which are allowed
to communicate with the server, and with any luck the server does not
actually need to know the netbios name that the client thinks it has or be
able to resolve that to an ip with dns. . . Right?
Failing that assumption, can anyone think of a slick way to tell samba that
$IP_FROM_EMAIL is JoesBox without restarting samba? (bringing up questions
about when/how lmhosts is used. . .)
--

Q:      What's tiny and yellow and very, very, dangerous?
A:      A canary with the super-user password.