From owner-freebsd-questions@FreeBSD.ORG Mon Mar 22 07:17:49 2010
From: Andrei Kolu
Sender: antinix@gmail.com
To: freebsd-questions@freebsd.org
Date: Mon, 22 Mar 2010 08:55:36 +0200
Subject: Re: sftp server with speed throttling
Message-ID: <10263ac1003212355v358f70edx665353fd556a0fa4@mail.gmail.com>

2010/3/21 Dan Naumov :
> What are my options if I want to run an sftp server with speed
> throttling? My understanding is that openssh (which includes sftp) in
> base does not support this directly, so I would have to either use a
> custom kernel with ALTQ (and I would really rather stick to GENERIC so
> I can use freebsd-update) which sounds like a bit too much
> configuration work or pass sftp traffic through PF and throttle it
> (ugly, would also affect ssh traffic).
>
> Are there any sftp servers with directly built-in functionality for
> this? I just would like to be able to set limits for upload speed
> globally for the entire server and preferably to also be able to do
> speed settings on a per-user basis.
>

The only OpenSSH alternative I use sometimes is
http://www.freebsd.org/cgi/url.cgi?ports/security/ssh2-nox11/../ssh2/pkg-descr
security/ssh2-nox11

Not about throttling but about chrooting:
-------------------------------------------------------------------------------
Date: Tue, 20 Aug 2002 08:35:46 +0930
To: Philip Paeps
From: Wincent Colaiuta

On Thursday, 15 August, 2002, at 11:13 PM, Philip Paeps wrote:

> I'm in the process of setting up a form of fileserver, and I'd like for
> my users to be able to work only in their home directories, not
> anywhere else. I would like to use SSH for the connections, as opposed
> to FTP, but I don't want users to be able to log into an interactive
> shell (only SCP/SFTP) and I don't want them to 'escape' out of their
> home directories.

Use ssh2 from the ports collection:

  cd /usr/ports/security/ssh2 && make install

In /usr/local/etc/ssh2/sshd2_config set the ChRootGroups and ChRootUsers
directives to chroot the group(s) and/or user(s) that are to have
chrooted access.

Turn off the default ssh (OpenSSH) by setting in /etc/rc.conf:

  sshd_enable="NO"

Start the new ssh:

  /usr/local/etc/rc.d/sshd.sh start

When you create the user's account, make sure the shell is set to
/bin/nologin or something similar.

With this setup, they can sftp in and are chrooted to the home dir, and
they can't get a shell when they connect via ssh.

In my opinion, OpenSSH should have this feature. We are told not to use
ftp because of clear-text passwords, so we have to use ssh/sftp, but
when we do that we can no longer chroot people to their home dirs! And
if we're not careful, we end up giving them a login shell. Using ssh2
from the ports gets around this limitation, but just check the licence
before you install to make sure that you qualify (otherwise it's not
free).

Cheers :-)

Wincent
-------------------------------------------------------------------------------
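The quoted setup rests on two things being true at once: the user is listed in the ssh2 ChRootUsers directive, and the account's login shell is /bin/nologin "or something similar", because otherwise, as Wincent warns, you end up handing out a login shell. The script below is an added example written for this thread, not code from the list or from the ssh2 port: it cross-checks an sshd2_config against a passwd file and reports every chrooted user whose shell is still interactive. It assumes ChRootUsers takes a comma-separated list ("ChRootUsers alice,bob"), that the passwd file is in the usual seven-field colon format, and that the shells in NOLOGIN_SHELLS are the ones you accept as non-interactive; ChRootGroups is not expanded to its members. The sample configuration and passwd lines are constructed so it runs stand-alone.

```shell
#!/bin/sh
# Added example (not from the thread): audit that every user in the ssh2
# ChRootUsers directive has a non-interactive login shell.
# Assumptions: "ChRootUsers a,b" syntax (comma-separated), a 7-field
# colon-separated passwd file, and NOLOGIN_SHELLS as the accepted set.

NOLOGIN_SHELLS="/bin/nologin /sbin/nologin /usr/sbin/nologin /bin/false"

# chrooted_users CONFIG: print each user listed in ChRootUsers, one per line
chrooted_users() {
    awk '$1 == "ChRootUsers" {
            $1 = ""; gsub(/[ \t]/, ""); sub(/^=/, "")
            n = split($0, u, ",")
            for (i = 1; i <= n; i++) if (u[i] != "") print u[i]
         }' "$1"
}

# shell_of USER PASSWD: print USER's login shell (field 7); fail if absent
shell_of() {
    awk -F: -v u="$1" '$1 == u { print $7; found = 1 }
                       END { if (!found) exit 1 }' "$2"
}

# is_nologin SHELL: succeed when SHELL is one of NOLOGIN_SHELLS
is_nologin() {
    for s in $NOLOGIN_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# audit_chroot CONFIG PASSWD: print "user shell" for each chrooted user that
# still has an interactive shell ("user MISSING" if it has no passwd entry);
# return 0 only when every chrooted user is clean.
audit_chroot() {
    rc=0
    for u in $(chrooted_users "$1"); do
        shell=$(shell_of "$u" "$2") || { echo "$u MISSING"; rc=1; continue; }
        if ! is_nologin "$shell"; then
            echo "$u $shell"
            rc=1
        fi
    done
    return $rc
}

# Constructed sample files so the script runs stand-alone; on a real host
# point it at /usr/local/etc/ssh2/sshd2_config and /etc/passwd instead.
TMP=$(mktemp -d)
trap 'rm -rf "$TMP"' EXIT
cat > "$TMP/sshd2_config" <<'EOF'
# constructed fragment, not a real host's configuration
Port            22
ChRootGroups    sftponly
ChRootUsers     alice,bob,carol
EOF
cat > "$TMP/passwd" <<'EOF'
root:*:0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001:Alice:/home/alice:/bin/nologin
bob:*:1002:1001:Bob:/home/bob:/bin/sh
carol:*:1003:1001:Carol:/home/carol:/usr/sbin/nologin
EOF

if audit_chroot "$TMP/sshd2_config" "$TMP/passwd"; then
    echo "audit: all chrooted users have a non-interactive shell"
else
    echo "audit: the users listed above can still get a login shell"
fi
```

With the constructed data the audit flags only bob, whose shell is /bin/sh; alice and carol pass. Run it after every account change, since the chroot directive and the shell live in two different files and nothing in the setup ties them together.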