From owner-freebsd-questions Tue Apr 23 17:58:39 2002
Delivered-To: freebsd-questions@freebsd.org
Received: from dns1.digitalglobe.com (dns1.digitalglobe.com [205.166.175.34]) by hub.freebsd.org (Postfix) with ESMTP id DCEBC37B404; Tue, 23 Apr 2002 17:58:30 -0700 (PDT)
Received: from lohr.digitalglobe.com (lohr.digitalglobe.com [10.10.11.18]) by dns1.digitalglobe.com (8.11.6/8.11.4) with ESMTP id g3O0wI833642; Tue, 23 Apr 2002 18:58:19 -0600 (MDT)
Subject: Re: Secure Shell/FTP Questions
From: John-David Childs
To: Scott Pilz
Cc: freebsd-questions@FreeBSD.ORG, freebsd-isp@FreeBSD.ORG
In-Reply-To: <20020417192702.P43790-100000@mail.tznet.com>
References: <20020417192702.P43790-100000@mail.tznet.com>
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
X-Mailer: Ximian Evolution 1.0.3
Date: 23 Apr 2002 18:58:18 -0600
Message-Id: <1019609899.26506.124.camel@lohr.digitalglobe.com>
Mime-Version: 1.0
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

On Wed, 2002-04-17 at 18:32, Scott Pilz wrote:
>
> I have two questions that no one seems to be able to answer for me
> - nor can I find any straightforward answers over the internet. This is
> my last hope . . .
>
> #1: sshd is enabled, and works - however, to my understanding you
> cannot have secure ftp connections chrooted directly to the user's home
> directory like you can on normal FTP by putting the username in
> /etc/ftpchroot.

Correct.

> Can this be done?

Yes. The easiest way to do it is to install the SSH software from the official SSH Communications Security Corp (SSH.COM, not OpenSSH.COM) package (/usr/ports/security/ssh2 in a recent ports build). This will install a program called ssh-dummy-shell, which should be the shell for all users on your system. You must be able to qualify for the non-commercial version license.
From the license:

  To qualify for a Non-Commercial Version License, You must: (1) use the Software solely on a system under the Linux, FreeBSD, NetBSD, or OpenBSD operating system (whether for commercial or non-commercial use), or (2) use the Software for non-commercial purposes as defined herein and be a Non-Commercial Entity as defined herein, or (3) be an University User as defined herein, or (4) be an Excluded Contractor as defined herein.

Here's a link to a FAQ on the subject of CHROOTing sftp on Linux...

http://www.ssh.com/faq/index.cfm?id=687

In essence, you must build a static SSHd, put your sftp-users (or all users) in the same group, and add that group to the sshd2_config file (ChRootGroup).

============================

If you want to do this with OpenSSH, then you probably need to build your own ssh-dummy-shell (or something equivalent). All it really needs to do is call chroot and exec sftp-server (so sftp-server has to be available in the chrooted environment, and has to be a statically-linked binary). A Google search will come up with at least one example of this (I was researching this very issue a few weeks ago).

> Is there another freeware program for
> BSD that supports SSH/FTP that can do this?
>
> Lastly, what are most ISP's doing as far as secure shells and what
> not? Is this the popular way of doing it, or is there a better way out
> there?
>

Currently, shells on the systems I admin are set to either /bin/false or /usr/bin/passwd. I'm looking at doing sftp-dummy-shell myself though on a new machine used for S/FTP.

> thanks in advance,
>
> Scott
>
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-questions" in the body of the message
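The reply above sketches the OpenSSH route in one sentence: a login shell that only calls chroot and execs a static sftp-server. Below is a worked version of that idea, written for this archive page as an added example; it is not code from the thread, from OpenSSH, or from SSH.COM's ssh-dummy-shell. It assumes sshd starts the sftp subsystem by running the user's login shell as `<shell> -c /usr/libexec/sftp-server`, that the binary is installed setuid root (chroot(2) needs root, and sshd has already switched to the user by the time the shell runs), and that a statically linked sftp-server has been copied to `<home>/usr/libexec/sftp-server`. The function names and the path in `SFTP_SERVER` are mine, not anything the post specifies.

```c
/* sftp-dummy-shell.c
 * Added example (not from the thread, not part of OpenSSH or SSH.COM's
 * ssh-dummy-shell): a login shell that does nothing except chroot into the
 * user's home directory and exec a statically linked sftp-server there.
 * Assumes sshd invokes the login shell as "<shell> -c /usr/libexec/sftp-server"
 * for the sftp subsystem, and that this binary is installed setuid root. */
#define _DEFAULT_SOURCE 1          /* declares chroot() on glibc; harmless on BSD */
#include <pwd.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Path of the static sftp-server as seen inside the jail, i.e. it must exist
 * at <home>/usr/libexec/sftp-server. Hypothetical location. */
#define SFTP_SERVER "/usr/libexec/sftp-server"

/* 1 only when sshd asked for exactly the sftp subsystem. Interactive logins,
 * scp, and any other "-c <command>" are refused: that is what makes this a
 * dummy shell rather than a shell. */
int is_sftp_request(int argc, char *const argv[])
{
    return argc == 3
        && strcmp(argv[1], "-c") == 0
        && strcmp(argv[2], SFTP_SERVER) == 0;
}

/* The jail root must be an absolute path with no ".." component. The value
 * comes from the passwd database, never from $HOME, but check it anyway. */
int is_safe_jail_path(const char *path)
{
    const char *p;
    if (path == NULL || path[0] != '/')
        return 0;
    for (p = path; (p = strstr(p, "..")) != NULL; p += 2) {
        int at_start = (p == path || p[-1] == '/');
        int at_end   = (p[2] == '\0' || p[2] == '/');
        if (at_start && at_end)
            return 0;
    }
    return 1;
}

/* Give up the root identity granted by the setuid bit, and make sure it is
 * really gone (a setuid(0) that still succeeds means the drop failed). */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0 || setuid(uid) != 0)
        return -1;
    if (uid != 0 && setuid(0) == 0)
        return -1;
    return 0;
}

int main(int argc, char *argv[])
{
    struct passwd *pw;
    struct stat st;
    char *const sftp_argv[] = { SFTP_SERVER, NULL };
    char *const empty_env[] = { NULL };    /* nothing from the client survives */

    if (!is_sftp_request(argc, argv)) {
        fprintf(stderr, "This account may only be used for sftp.\n");
        return 1;
    }
    /* Real uid is the logged-in user; effective uid is 0 from the setuid bit. */
    pw = getpwuid(getuid());
    if (pw == NULL || !is_safe_jail_path(pw->pw_dir)) {
        fprintf(stderr, "cannot determine jail directory\n");
        return 1;
    }
    /* Jail root must be root-owned and not writable by the user, so the user
     * cannot swap out what lives at the top of the jail. */
    if (stat(pw->pw_dir, &st) != 0 || st.st_uid != 0
        || (st.st_mode & (S_IWGRP | S_IWOTH)) != 0) {
        fprintf(stderr, "jail root must be owned by root and not group/world writable\n");
        return 1;
    }
    if (chroot(pw->pw_dir) != 0 || chdir("/") != 0) {
        perror("chroot");
        return 1;
    }
    if (drop_privileges(pw->pw_uid, pw->pw_gid) != 0) {
        perror("drop_privileges");
        return 1;
    }
    execve(SFTP_SERVER, sftp_argv, empty_env);
    perror("execve");           /* only reached if sftp-server is missing from the jail */
    return 1;
}
```

Three choices carry the security of the wrapper: it exec's only the one exact command sshd uses for the sftp subsystem, so the account cannot be turned into an interactive login or a remote-command account; it calls `chdir("/")` right after `chroot()`, since a process whose working directory is outside the new root is not really confined; and it drops root and verifies the drop before the exec, so the static sftp-server runs as the user inside the jail with no saved root uid to return to. Requiring the jail root to be root-owned and not user-writable is the same rule OpenSSH later adopted for its built-in `ChrootDirectory` option (4.8 and newer), which together with `Subsystem sftp internal-sftp` makes a setuid helper like this unnecessary on current systems.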