Date:      Sun, 8 Jan 2012 22:14:04 +0100
From:      Hans Snehl <lists@sylac.de>
To:        Wolfgang Zenker <wolfgang@lyxys.ka.sub.org>
Cc:        freebsd-stable@freebsd.org
Subject:   Re: FTPS Server?
Message-ID:  <20120108211404.GA7057@tunchi>
In-Reply-To: <20120105153724.GA91242@lyxys.ka.sub.org>
References:  <4F059BEA.3000508@denninger.net> <4F05A7D5.8000403@infracaninophile.co.uk> <20120105153724.GA91242@lyxys.ka.sub.org>

On Thu, Jan 05, 2012 at 04:37:24PM +0100, Wolfgang Zenker wrote:
> Hi everyone,
> 
> * Matthew Seaman <m.seaman@infracaninophile.co.uk> [120105 14:38]:
> > On 05/01/2012 12:47, Karl Denninger wrote:
> >> Not SFTP (which is supported by the sshd) but FTPS.... is it supported
> >> by FreeBSD?
> 
> > No, not supported in the base system.
> 
> >> [..]
> > However, personally, I'd avoid FTPS.  It suffers from most of the design
> > flaws of standard FTP[*], particularly as regards passing through
> > firewalls.  Worse, because the traffic is encrypted, you can't even use
> > tools like ftp-proxy (in ports as ftp/ftp-proxy) to extract transient
> > port numbers by deep packet inspection.  As far as your users are
> > concerned, just use SFTP.  It behaves exactly like an ordinary FTP
> > client, but the underlying SSH protocol over the network is way, way
> > better designed.
> 
> Well, the problem I have here is at the server side: ftp users can be
> locked in a particular subtree of the file system by simply assigning
> them a chrooted login class. No need to setup any infrastructure in
> that subtree itself. Did not find out how to do this with sftp (we only
> allow publickey authentication with ssh at our servers)
> 
> Wolfgang

We do the following on a not too busy server with sftp and only pubkey
authentication.
Also this might alleviate the possible headaches expected to arise with
readable and possibly writable root-owned directories.

Given sftp access is to be chrooted into user "someone"'s home
directory, this is owned by root (sftp wants that).
The actual chroot is $HOME/depot and sshd is to proceed according to

Match User someone
	ChrootDirectory %h/depot
	ForceCommand internal-sftp


Users are chrooted into $HOME/depot, so there is no access
to things like .ssh and so on, and for sftp users $HOME/depot
is read-only.

ro@# ls -la
total 6
drwxr-xr-x  4 root     someone   4 Oct 14 15:23 .
drwxr-xr-x  4 root     wheel     4 May 20 09:37 ..
drwx------  2 someone  someone   3 Oct 14 14:18 .ssh
drwxr-xr--  3 root     someone   4 Oct 28 07:43 depot

Creating another directory e.g. 'upload' under depot with
owner 'someone' gives write access to sftp users in 'upload'.

ro# ls -la depot/
total 6
drwxr-xr--  3 root     someone   4 Oct 28 07:43 .
drwxr-xr-x  4 root     someone   4 Oct 14 15:23 ..
-rw-r--r--  1 root     someone  55 Oct 27 18:08 bt1hash
drwxr-xr-x  2 someone  someone   3 Oct 28 07:44 upload

Might fit your needs.

Hans
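The layout Hans describes, as an added worked example that is not part of the thread: a small POSIX sh script that builds the home/depot/upload tree with the ownership and modes shown in his ls listings, checks that every component of the ChrootDirectory path meets sshd's requirement (owned by root, not group- or world-writable), and prints the matching sshd_config Match block. The user name "someone" and the paths are assumptions; chown to root/someone only succeeds when run as root, so the functions take owner and group arguments with those defaults and the path check takes the expected uid and a directory at which to stop walking upward (use / and 0 on a real host).

```shell
#!/bin/sh
# Added example (not from the thread). Reproduces the chrooted-sftp layout:
#   $HOME            root:someone  755   (home itself owned by root)
#   $HOME/.ssh       someone       700   (outside the chroot, unreachable via sftp)
#   $HOME/depot      root:someone  754   (the ChrootDirectory; read-only for the user)
#   $HOME/depot/upload someone     755   (the only writable location inside the chroot)

# make_sftp_layout HOME USER [OWNER] [GROUP]
# OWNER defaults to root and GROUP to USER, as in the thread; chown is skipped
# when it fails (e.g. when not run as root or when USER does not exist).
make_sftp_layout() {
  home="$1"; user="$2"; owner="${3:-root}"; group="${4:-$user}"
  mkdir -p "$home/depot/upload" "$home/.ssh" || return 1
  chmod 755 "$home"
  chmod 754 "$home/depot"          # drwxr-xr--: group may enter and list, not write
  chmod 755 "$home/depot/upload"   # writable by its owner "someone"
  chmod 700 "$home/.ssh"
  chown "$owner:$group" "$home" "$home/depot" 2>/dev/null || :
  chown "$user:$group" "$home/depot/upload" "$home/.ssh" 2>/dev/null || :
}

# check_chroot_path DIR [STOP] [UID]
# sshd refuses a ChrootDirectory unless every path component is owned by root
# and is neither group- nor world-writable. Walk from DIR up to STOP
# (default /) and verify each component is owned by UID (default 0) and has
# no g+w / o+w bit. Returns 0 if acceptable, 1 otherwise (reason on stderr).
check_chroot_path() {
  dir="$1"; stop="${2:-/}"; want_uid="${3:-0}"
  while :; do
    out=$(ls -ldn "$dir" 2>/dev/null) || { echo "BAD: cannot stat $dir" >&2; return 1; }
    set -- $out
    mode="$1"; uid="$3"          # ls -ln prints mode, links, uid, gid, ...
    if [ "$uid" != "$want_uid" ]; then
      echo "BAD: $dir owned by uid $uid, expected $want_uid" >&2; return 1
    fi
    case "$mode" in
      d????w????*)  echo "BAD: $dir is group-writable" >&2; return 1 ;;
      d???????w?*)  echo "BAD: $dir is world-writable" >&2; return 1 ;;
    esac
    [ "$dir" = "$stop" ] && break
    [ "$dir" = "/" ] && break
    dir=$(dirname "$dir")
  done
  return 0
}

# sshd_match_block USER [CHROOT]: the sshd_config fragment from the thread.
sshd_match_block() {
  printf 'Match User %s\n\tChrootDirectory %s\n\tForceCommand internal-sftp\n' \
    "$1" "${2:-%h/depot}"
}

# Typical use on a real host (as root):
#   make_sftp_layout /home/someone someone
#   check_chroot_path /home/someone/depot / 0 && sshd_match_block someone >> /etc/ssh/sshd_config
```

Note that check_chroot_path walks the whole path up to STOP: a chroot placed under a world-writable directory such as /tmp fails the check, which is exactly why sshd rejects it.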
