Author Topic: Help with corporate IT diplomacy  (Read 4803 times)

zahc

Help with corporate IT diplomacy
« on: January 13, 2012, 11:58:56 AM »
I know some people work in IT and many people have jobs, so I'm looking for advice.

I'm all about team playing and communication. At work there is a need to transmit procedures, info briefs and notes to those who may be concerned. There is no secrecy requirement; sharing knowledge is valued, it's just not taken seriously. The 'system' is to send documents and procedures out on email lists. These are not 'stored' anywhere they are just generated and emailed out to serve some immediate need and if people want to refer to them later they have to retain them, the latest version no less, individually. This makes it hard for people unrelated to the current immediate need to benefit from this info unless someone forwards it to them, and it's impossible to search through these documents since there's no central place to search. There are some shared drives where people plop these and everyone can drill down through 67 levels of shared drives and proprietary documents and just know 'where' a document may be stored, going only by file names, but the point is, this results in people not knowing that a document/procedure exists in the first place, and there is much duplication. Many engineers hoard a stash of procedures on their local machine or stored in their giant inbox and will freely help with the best intentions, but you still need to know who to ask if you are wondering if a procedure is already out there.

I got tired of telling people "there is a procedure for this already that we sent out last year, here let me go find it and re-email it out again". There is this new thing called the Internet, so I wrote a website as a central information storehouse, with hyperlinks and stuff, and ported many core procedures to HTML. So our procedures can be all there, and kept up-to-date, and you can access it from anywhere in the facility, and search. So now when the group needs to send out a procedure I can just pop it on the website, pictures and all, and send the link out to those who need it. And it will stay there on the website, and be searchable in 5 years, and save much space on the email server.

I needed a place to host so I submitted an IT ticket requesting a hosting spot, and I requested a unix server because that's all I know. They gave me access to a virtual red hat server somewhere on the corporate network, and some Nice IT Guy from the unix group helped me with getting a unix password and ssh access, and there was much rejoicing. I uploaded my site, edited and tweaked it for about a week.

Then I got a call from the Nice IT Guy saying that my ssh access was revoked. I'm told that the only way I am permitted to access the server is through VNC. No reason is given. He even called back later to 'ask' me to log out of my current ssh session (yes, I was in the process of hot-swapping in a UPS so I could maintain my current session forever). I get the feeling that nice IT guy almost got in trouble over giving me ssh access.

I'm perfectly happy administering the site with ssh and scp, and need it. I have "upload and link this page to the website" scripts. Without scp they don't work. Having to start a VNC application just to get to the server's gui just to launch a terminal just to fix a *&%# typo or upload a new image is annoying, and makes my scripts not work, and makes the site much less useful for its intended dynamic purpose.

It seems like I'm at their mercy, but on the other hand I'm the customer, and I'm trying to get work done here, and it seems like I'm asking for a pretty simple thing. I am considering calling nice IT guy's boss to explain my situation and try to negotiate for what I asked for in the first place, but I have little experience with corporate IT policies and egos and I don't want to get Nice IT Guy in trouble.

Maybe a rare occurrence, but then you only have to get murdered once to ruin your whole day.
--Tallpine

mtnbkr

Re: Help with corporate IT diplomacy
« Reply #1 on: January 13, 2012, 12:19:56 PM »
You need to write up a business case that lays out the need for the server, how it benefits the organization, who will manage the system, costs involved (don't forget labor in terms of man hours), etc. 

Chris

zahc

Re: Help with corporate IT diplomacy
« Reply #2 on: January 13, 2012, 12:33:32 PM »
Is it harder to manage the server if I have ssh access?

The (virtual) server already exists and has other users; there's one other small website already on it from some other user, and many home directories. The server space is apparently already existent and budgeted for, and they were willing to provide me the server space and bandwidth. Except that by my definition they aren't providing me with it, because the only access I'm allowed to have is through VNC. The question is, why won't they let me log into the account they already gave me, through ssh. I have no need for ssh access from without the corporate network, just from my local machine on the network. And isn't ssh more secure than VNC anyway? I've already proven that it's possible to set up because Nice IT Guy did it for me already.

I'm just looking for help understanding, from people who do IT administration themselves.

I may be able to rewrite my scripts on the server to use ftp to copy files from my local machine somehow...but I asked for ssh access and got it for a week and was shut down...why. It no senses.   

Hawkmoon

Re: Help with corporate IT diplomacy
« Reply #3 on: January 13, 2012, 12:51:52 PM »
Dropbox: https://www.dropbox.com/

Screw IT. IT is not your friend.
- - - - - - - - - - - - -
100% Politically Incorrect by Design

mtnbkr

Re: Help with corporate IT diplomacy
« Reply #4 on: January 13, 2012, 01:00:32 PM »
Dropbox is external and may violate policy.

You having SSH access doesn't make it harder for IT to manage.  It shouldn't matter.

As for the existing server, I assumed your helpful IT guy carved it out of existing space and didn't properly allocate it to you.  If they're providing people with space, then you just need to find out why VNC is required and SSH is verboten.  That doesn't make any sense to me either.

Chris

41magsnub

Re: Help with corporate IT diplomacy
« Reply #5 on: January 13, 2012, 01:34:46 PM »
I wonder if the IT folks are freaking out now that there is a server on the network doing things outside of their official purview... an "end user" managing a server that they are ultimately responsible for.  There could be concern that this "rogue" server hosts data outside of the accepted systems IT provides.

I'm not sure how SSH would play into that, unless they are concerned about your ability to directly write data to this new server inside an SSH tunnel that may bypass any internal controls that are looking for malware and such between the user network segments and the server segments.

GigaBuist

Re: Help with corporate IT diplomacy
« Reply #6 on: January 13, 2012, 01:43:50 PM »
I bet if you push them for the reason they'll say ssh is insecure.

No, really.  There was a period of time (early aughts?) where it felt like there was a new local ssh exploit every month.  Some people never forget that kind of stuff and sometimes they set the rules.

AJ Dual

Re: Help with corporate IT diplomacy
« Reply #7 on: January 13, 2012, 02:01:50 PM »
Yeah, there's IT folks/manager types who've only ever even heard of SSH because of some guy using it to surf from home and avoid the corp proxy to look at pr0nz and whatnot.  And doesn't even have a concept of whether or not the SSH has endpoints within or without company firewalls. :laugh:

From years of experience with Corp./I.T. freak-outs.. The best way to go about this is to have the person highest up in your org chart who understands what you're trying to do and approves/supports it, contact the person as high as they can get in the I.T. org-chart of the tech who gave you SSH, then freaked and revoked it, and hammer out some sort of deal of what you can and can't do to support your document repository.

I promise not to duck.

zahc

Re: Help with corporate IT diplomacy
« Reply #8 on: January 13, 2012, 02:05:29 PM »
Quote
I wonder if the IT folks are freaking out now that there is a server on the network doing things outside of their official purview... an "end user" managing a server that they are ultimately responsible for.  There could be concern that this "rogue" server hosts data outside of the accepted systems It provides.

It's not a "now that" situation; the server I'm on has been up quite some time and has other users. They did create a new account for me, but I'm not doing anything different than the other users. Like I said, there is at least one other website on the thing already, used for a different department. And they haven't downgraded my permissions or changed anything about what I'm allowed to do; just removed my ability to connect via ssh.

Quote
I'm not sure how SSH would play into that, unless they are concerned about your ability to directly write data to this new server inside an SSH tunnel that may bypass any internal controls that are looking for malware and such between the user network segments and the server segments.

As far as I know VNC doesn't encrypt the connection itself. So maybe they basically want the ability to snoop my session, and ssh doesn't allow that?  That could make sense I guess, but I'm a guest on their server, so it's not like I can get away with a bunch anyway. I don't care if my session is secure (it's just company data, not personal, so it's their responsibility), so is there a way to de-encrypt ssh (telnet?)? Seems all backward to me, but I'm not IT I just want to be able to administer my site through ssh and scp.

From the limited amount I know, as long as they are blocking ssh on the proxy servers, then I/nobody will be able to get in from outside, which is perfectly fine with me. Maybe there was a misunderstanding there, and they think I was granted ssh access through the proxy servers/firewall (gosh I need to like get a book on networking or something).
« Last Edit: January 13, 2012, 02:09:42 PM by zahc »

AJ Dual

Re: Help with corporate IT diplomacy
« Reply #9 on: January 13, 2012, 02:14:36 PM »
Quote
Maybe there was a misunderstanding there, and they think I was granted ssh access through the proxy servers/firewall (gosh I need to like get a book on networking or something).

More likely it's this. Or something similar.

Always assume incompetence before malice.

Harold Tuttle

Re: Help with corporate IT diplomacy
« Reply #10 on: January 13, 2012, 08:30:14 PM »
We had a help desk guy FTP php code onto a production server.

You can't have tier one support contracts on a duct taped dinghy
"The true mad scientist does not make public appearances! He does not wear the "Hello, my name is.." badge!
He strikes from below like a viper or on high like a penny dropped from the tallest building around!
He only has one purpose--Do bad things to good people! Mit science! What good is science if no one gets hurt?!"

Hutch

Re: Help with corporate IT diplomacy
« Reply #11 on: January 14, 2012, 11:57:11 AM »
Btw, this is the classic use case for Sharepoint.  Just sayin'.
"My limited experience does not permit me to appreciate the unquestionable wisdom of your decision"

Seems like every day, I'm forced to add to the list of people who can just kiss my hairy ass.

RevDisk

Re: Help with corporate IT diplomacy
« Reply #12 on: January 14, 2012, 09:47:16 PM »
Quote
Btw, this is the classic use case for Sharepoint.  Just sayin'.

Any user of mine asks for Sharepoint, there may be an unfortunate accident. The backend code looks remarkably like Cthulhu did the architecture design. There lies madness. I like the idea of a CMS integrated with AD. But Sharepoint is NOT fun to keep working.

No kidding. A major defense contractor is running their flight safety stuff on a Sharepoint instance I installed by clicking all defaults. I installed it just to check it out. Ended up running a LOT of mission critical procedures. May the Gods forgive me, I knew not what I unleashed upon the world. Worst part? Parent company liked it so much, they're rolling it out to OTHER major defense contractors.

*weeps*


Quote
Screw IT. IT is not your friend.

Have plenty of users who say that.  Usually after explaining that installing "free games" loaded with malware on a PC that handles customer financial information might not be the best idea. Or that they need their supervisor's permission before using personal equipment for work purposes. Or using the company cell phone and cell modem outside the US, racking up thousands of dollars in charges.

Some IT departments are indeed not customer focused. Others just have to play by rules that suck. SOX, FAA, ITAR/EAR, etc. Heck, sometimes parent company rules are the worst, and hardest to successfully implement.

In this case, VNC instead of SSH, someone needs beaten with a telephone book. WTF. Sure, any SSH traffic crossing the router to or from the interwebz should be viewed carefully. Internal? 
"Rev, your picture is in my King James Bible, where Paul talks about "inventors of evil."  Yes, I know you'll take that as a compliment."  - Fistful, possibly highest compliment I've ever received.

Fitz

Re: Help with corporate IT diplomacy
« Reply #13 on: January 15, 2012, 03:18:47 PM »
Sharepoint is the devil, indeed. But it sounds very fitting for your use. May want to look into it.


If you don't have a heavy load, a simple standalone sharepoint installation should be sufficient.


My environment, a collaborative environment for several state/fed law enforcement agencies, exists for border security stuff. We have a 5 server sharepoint farm (well 10, if you count the "test" environment) with a bunch of incident reporting tools, a big ol' map, custom webparts to display video feeds, GIS data, officer locations, etc.

But the core of it is the collaboration features, document libraries that multiple users can "check out" make changes to, etc.

It's pretty cool, even though it's the devil.
Fitz

---------------
I have reached a conclusion regarding every member of this forum.
I no longer respect any of you. I hope the following offends you as much as this thread has offended me:
You are all awful people. I mean this *expletive deleted*ing seriously.

-MicroBalrog

RevDisk

Re: Help with corporate IT diplomacy
« Reply #14 on: January 15, 2012, 04:21:55 PM »

A wiki format might be better, maybe?  I set up a secure extranet for a band, they use TikiWiki to good purposes. 

zahc

Re: Help with corporate IT diplomacy
« Reply #15 on: February 10, 2012, 01:25:47 PM »
The solution we came up with is for me to ssh to the VNC server. So far I haven't found a problem with this except I have to use a different URL, but it does make me wonder who comes up with the policy. As far as I know, this means I'm using SSH to send encrypted data to a VNC server which forwards it as clear text to the actual webserver. This sounds like a bad security practice but hey, as long as I can admin my site it's not my business.  

Nick1911

Re: Help with corporate IT diplomacy
« Reply #16 on: February 10, 2012, 02:36:37 PM »
Quote
A wiki format might be better, maybe?  I set up a secure extranet for a band, they use TikiWiki to good purposes.

Nuts.  You beat me to it; wiki FTW.

RevDisk

Re: Help with corporate IT diplomacy
« Reply #17 on: February 10, 2012, 04:06:34 PM »
Quote
Nuts.  You beat me to it; wiki FTW.

It makes a better CMS than most CMSs.


Quote
The solution we came up with is for me to ssh to the VNC server. So far I haven't found a problem with this except I have to use a different URL, but it does make me wonder who comes up with the policy. As far as I know, this means I'm using SSH to send encrypted data to a VNC server which forwards it as clear text to the actual webserver. This sounds like a bad security practice but hey, as long as I can admin my site it's not my business.

As an IT professional, WTF?

Based on empirical evidence, your IT policy personnel need to stop sniffing glue and open a window.

zahc

Re: Help with corporate IT diplomacy
« Reply #18 on: February 11, 2012, 02:16:25 PM »
Another strange thing. My upload scripts use scp. The scripts worked fine using the VNC server kludge, but yesterday I decided I didn't like using csh which is what I get on the server. I tried to change my shell using chsh, but that doesn't work with network-mounted stuff apparently, and it tells you to use ypchsh. However, that fails with a strange syntax error message. So I gave up and just put /bin/bash --login into my .cshrc file so it would just start bash when I log in. This works--when I log in I get a bash prompt instead of a csh prompt--but scp no longer works. It prompts for the password, but then hangs. I can have my bash or my scp but not eat it too, apparently.
Maybe a rare occurrence, but then you only have to get murdered once to ruin your whole day.
--Tallpine
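
Added example (not part of the original thread): the scp hang described in Reply #18 is what happens when .cshrc starts another shell unconditionally, because scp runs through the account's login shell non-interactively and csh still reads .cshrc in that case. A guarded version, assuming the login shell is csh/tcsh and bash lives at /bin/bash as in the post:

```csh
# ~/.cshrc  (csh/tcsh startup file; constructed example)
#
# Before, as described in the post: every csh start launches bash,
# including the non-interactive "csh -c 'scp -t <path>'" that sshd runs
# for a copy. With no terminal attached, bash reads the scp data stream
# as if it were commands, while the client waits for the reply it expects
# from the remote scp. Neither side makes progress, so the copy hangs.
#
#   /bin/bash --login
#
# After: hand over to bash only when csh is interactive. csh sets $prompt
# only for interactive shells, so scp and "ssh host command" fall through
# to a quiet csh that just runs the requested command.
if ($?prompt) then
    # exec replaces csh with bash, so logging out of bash ends the session
    if (-x /bin/bash) exec /bin/bash --login
endif
```

A quick check after editing: `ssh <host> /bin/true` should return immediately and print nothing. Any output or delay from that command means the startup files still interfere with scp.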

GigaBuist

Re: Help with corporate IT diplomacy
« Reply #19 on: February 11, 2012, 10:37:41 PM »
Quote
I tried to change my shell using chsh, but that doesn't work with network-mounted stuff apparently, and it tells you to use ypchsh. However, that fails with a strange syntax error message.

Trivia: The 'yp' prefix is from Yellow Pages which is what Network Information Services (NIS) was called before a trademark dispute forced the name change.

I haven't seen NIS used since my college years (1998-2000) so I have no idea what would be wrong.