From: krad
To: Olivier Nicole
Cc: freebsd-questions@freebsd.org, leslie@eskk.nu
Date: Fri, 12 Mar 2010 10:07:33 +0000
Subject: Re: I want to instal a "secure" ftp server

On 12 March 2010 08:27, Olivier Nicole wrote:

> Hi,
>
> > I need to have ftp access to a machine. I've found pure-ftpd but it was
>
> Hummm, you want the short answer? Don't enable ftp :)
>
> Ftp only accepts plain text passwords (until you enable things like
> Kerberos, one time password, etc), so it is not, it cannot be, secure.
>
> SFTP is there, working easily, ready to use, with a decent Windows
> client WinSCP (winscp.net)
>
> Best regards,
>
> Olivier

Enable sftp in ssh and chroot all the users and make the sftp only accounts

I wrote this guide for work a year or so ago. It was for Solaris but it was using OpenSSH so should work fine on BSD.

1. Don't bother with Sun ssh, it won't work. OpenSolaris and later Solaris 10 are bundled with OpenSSH though.

2. Make sure the OpenSSH version is 5 or above (some 4s do work but 5 better)

3. Add these lines to sshd config

    Match Group sftponly
    ChrootDirectory /home/chroot/%u
    X11Forwarding no
    AllowTcpForwarding no
    ForceCommand internal-sftp

4. Make sure the Subsystem line is this

    Subsystem sftp internal-sftp

5. Create the sftponly group on the system

6. Put the relevant users in this group. Be careful as you will stop them being able to ssh in!!

7. Dead important this bit !!!

    mkdir -p /home/chroot//home//.ssh
    chown -R root /home/chroot/
    chown -R /home/chroot/
    chmod -R 755 /home/chroot/ /home/chroot//home/
    ln -s /home/chroot//home/ /home/.

8. Put their ssh keys in /home/chroot//home//.ssh

All should now work
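
Added example, not part of krad's message and not OpenSSH code: sshd_config(5) states that every component of the ChrootDirectory path must be a root-owned directory that is not writable by any other user or group, which is what step 7 sets up. The checker below walks the expanded /home/chroot/%u path and reports each component that breaks that rule. The function names, the sample tree and the users alice, bob and carol are constructed for illustration.

```python
import os
import stat
from types import SimpleNamespace

def path_components(path):
    """Return ['/', '/home', '/home/chroot', ...] for an absolute path."""
    out, current = ["/"], "/"
    for part in os.path.normpath(path).split("/"):
        if part:
            current = os.path.join(current, part)
            out.append(current)
    return out

def audit_chroot(template, user, stat_fn=os.stat, owner_uid=0):
    """List (component, problem) pairs for one user's ChrootDirectory.

    Only the %u token of the sshd_config value is expanded here. stat_fn is
    injectable so the check also runs against constructed data.
    """
    problems = []
    for comp in path_components(template.replace("%u", user)):
        try:
            st = stat_fn(comp)
        except OSError:
            problems.append((comp, "missing or unreadable"))
            break  # nothing below a missing component can be checked
        if not stat.S_ISDIR(st.st_mode):
            problems.append((comp, "not a directory"))
        if st.st_uid != owner_uid:
            problems.append((comp, "owner uid %d is not root" % st.st_uid))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append((comp, "group/other writable, mode %04o"
                             % stat.S_IMODE(st.st_mode)))
    return problems

# Constructed sample tree (path -> (uid, mode)); "alice" and "bob" are made up.
SAMPLE = {
    "/": (0, 0o40755), "/home": (0, 0o40755), "/home/chroot": (0, 0o40755),
    "/home/chroot/alice": (0, 0o40755),      # root-owned, 755: accepted
    "/home/chroot/bob": (1001, 0o40775),     # chowned to the user: rejected
}

def sample_stat(path):
    """stat() stand-in backed by SAMPLE, so the demo runs without root."""
    if path not in SAMPLE:
        raise FileNotFoundError(path)
    uid, mode = SAMPLE[path]
    return SimpleNamespace(st_uid=uid, st_mode=mode)

if __name__ == "__main__":
    for user in ("alice", "bob", "carol"):
        print(user, audit_chroot("/home/chroot/%u", user, sample_stat) or "ok")
```

On a live system, call audit_chroot("/home/chroot/%u", "<user>") without the stat_fn argument to check the real directories.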