From: Hans Snehl
To: Wolfgang Zenker
Cc: freebsd-stable@freebsd.org
Date: Sun, 8 Jan 2012 22:14:04 +0100
Subject: Re: FTPS Server?
Message-ID: <20120108211404.GA7057@tunchi>
In-Reply-To: <20120105153724.GA91242@lyxys.ka.sub.org>
References: <4F059BEA.3000508@denninger.net> <4F05A7D5.8000403@infracaninophile.co.uk> <20120105153724.GA91242@lyxys.ka.sub.org>
On Thu, Jan 05, 2012 at 04:37:24PM +0100, Wolfgang Zenker wrote:
> Hi everyone,
>
> * Matthew Seaman [120105 14:38]:
> > On 05/01/2012 12:47, Karl Denninger wrote:
> >> Not SFTP (which is supported by the sshd) but FTPS.... is it supported
> >> by FreeBSD?
>
> > No, not supported in the base system.
>
> >> [..]
> > However, personally, I'd avoid FTPS. It suffers from most of the design
> > flaws of standard FTP[*], particularly as regards passing through
> > firewalls. Worse, because the traffic is encrypted, you can't even use
> > tools like ftp-proxy (in ports as ftp/ftp-proxy) to extract transient
> > port numbers by deep packet inspection. As far as your users are
> > concerned, just use SFTP. It behaves exactly like an ordinary FTP
> > client, but the underlying SSH protocol over the network is way, way
> > better designed.
>
> Well, the problem I have here is at the server side: ftp users can be
> locked in a particular subtree of the file system by simply assigning
> them a chrooted login class. No need to set up any infrastructure in
> that subtree itself. Did not find out how to do this with sftp (we only
> allow publickey authentication with ssh at our servers)
>
> Wolfgang

We do the following on a not too busy server with sftp and only pubkey
authentication. Also this might alleviate the possible headaches expected
to arise with readable and possibly writable root-owned directories.
Given sftp access is to be chrooted into user "someone"'s home directory,
this is owned by root (sftp wants that). The actual chroot is $HOME/depot,
and sshd is to proceed according to

    Match User someone
        ChrootDirectory %h/depot
        ForceCommand internal-sftp

Users are chrooted into $HOME/depot, so there is no access to things like
.ssh and else, and for sftp users $HOME/depot is read-only.

    ro@# ls -la
    total 6
    drwxr-xr-x  4 root     someone   4 Oct 14 15:23 .
    drwxr-xr-x  4 root     wheel     4 May 20 09:37 ..
    drwx------  2 someone  someone   3 Oct 14 14:18 .ssh
    drwxr-xr--  3 root     someone   4 Oct 28 07:43 depot

Creating another directory, e.g. 'upload', under depot with owner 'someone'
gives write access to sftp users in 'upload'.

    ro# ls -la depot/
    total 6
    drwxr-xr--  3 root     someone   4 Oct 28 07:43 .
    drwxr-xr-x  4 root     someone   4 Oct 14 15:23 ..
    -rw-r--r--  1 root     someone  55 Oct 27 18:08 bt1hash
    drwxr-xr-x  2 someone  someone   3 Oct 28 07:44 upload

Might fit your needs.

Hans
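A check for the layout Hans describes, added here as an example and not part of the original message: it walks the ChrootDirectory path and verifies on every component the rule sshd enforces before it will chroot (owned by root, not writable by group or others), which is why depot must stay root-owned while write access is granted through the user-owned upload subdirectory. The user name "someone" and the path /home/someone/depot are assumptions taken from the post.

```shell
#!/bin/sh
# Added example (not from the original post). sshd only chroots into a
# directory if it and every parent are owned by root and not writable by
# group or others; otherwise the login fails with a "bad ownership or modes
# for chroot directory" error. The user "someone" and /home/someone/depot
# are assumed from the post's layout; adapt them to the real account.

# chroot_component_ok MODE UID: pure check on one directory, given its
# ls(1) mode string (e.g. drwxr-xr--) and numeric owner uid. Prints the
# reason on failure so the caller can report which rule was broken.
chroot_component_ok() {
    mode=$1
    uid=$2
    [ "$uid" = 0 ] || { echo "owner uid $uid is not root"; return 1; }
    case $mode in
        d*) ;;
        *)  echo "not a directory ($mode)"; return 1 ;;
    esac
    case $mode in
        ?????w*)    echo "group-writable ($mode)"; return 1 ;;
    esac
    case $mode in
        ????????w*) echo "world-writable ($mode)"; return 1 ;;
    esac
    return 0
}

# check_chroot_path DIR: walk from DIR up to / and apply the check to each
# component; `ls -ldn` gives the numeric owner on both FreeBSD and Linux.
check_chroot_path() {
    p=$1
    while :; do
        set -- $(ls -ldn "$p" 2>/dev/null)
        [ -n "$1" ] || { echo "$p: cannot stat"; return 1; }
        reason=$(chroot_component_ok "$1" "$3") ||
            { echo "$p: $reason"; return 1; }
        [ "$p" = / ] && return 0
        p=$(dirname "$p")
    done
}

# With the post's listing, $HOME (drwxr-xr-x root) and $HOME/depot
# (drwxr-xr-- root:someone) both pass; depot/upload is owned by someone
# and is simply not part of the chroot path, so it stays writable.
if check_chroot_path /home/someone/depot; then echo "chroot ok"; fi
```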