Date: Wed, 16 Sep 2020 20:07:32 +0200 (CEST)
From: sthaug@nethelp.no
To: emaste@freebsd.org
Cc: freebsd-current@freebsd.org
Subject: Re: Deprecating ftpd in the FreeBSD base system?
Message-ID: <20200916.200732.288885950.sthaug@nethelp.no>
In-Reply-To: <CAPyFy2BHki84KuzP94AqTLk7v9FTAnLP-sa4HaFLq0kdxt0dEQ@mail.gmail.com>
References: <CAPyFy2BHki84KuzP94AqTLk7v9FTAnLP-sa4HaFLq0kdxt0dEQ@mail.gmail.com>
> FTP is (becoming?) a legacy protocol, and I think it may be time to
> remove the ftp server from the FreeBSD base system - with the recent
> security advisory for ftpd serving as a reminder.
>
> I've proposed adding a deprecation notice to the man page in
> https://reviews.freebsd.org/D26447 to start this off. There are a
> number of ftp servers in ports, and if we're going to remove the base
> system one we can create a port for it first, as well.
>
> Any comments or concerns, please follow up in the code review or in email here.

Could we, at the same time, improve the documentation for sftp? I had to
move an FTP server (with one chrooted user) from FTP to sftp today. I did:

1. Add sftp user to /etc/passwd, with /usr/sbin/nologin as the shell.

2. Patch sshd config as follows:

--- etc/ssh/sshd_config.orig	2018-06-16 22:04:20.868762000 +0200
+++ etc/ssh/sshd_config	2020-09-16 10:10:53.133211000 +0200
@@ -112,7 +112,7 @@
 #Banner none

 # override default of no subsystems
-Subsystem sftp /usr/libexec/sftp-server
+Subsystem sftp internal-sftp -l INFO

 # Example of overriding settings on a per-user basis
 #Match User anoncvs
@@ -120,3 +120,8 @@
 # AllowTcpForwarding no
 # PermitTTY no
 # ForceCommand cvs server
+Match User sftp
+ChrootDirectory /usr/local/ftp/sftp
+ForceCommand internal-sftp -l INFO
+X11Forwarding no
+AllowTcpForwarding no

3. Ensure all levels of /usr/local/ftp/sftp are owned by root.

4. Create /usr/local/ftp/sftp/dev and add the following line to /etc/rc.conf:

syslogd_flags="-s -l /usr/local/ftp/sftp/dev/log"

Btw, I could not get /usr/libexec/sftp-server to work. Cryptic error message:
"Received message too long 1416128883". Googling that one eventually led me
to the internal-sftp subsystem and the rest of the sshd_config changes.
The sshd_config man page is good, but I couldn't find anything about
arguments (e.g. -l) for internal-sftp.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
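Review bot: the first hunk (Subsystem sftp /usr/libexec/sftp-server changed to internal-sftp -l INFO) is what makes the /usr/sbin/nologin shell from step 1 usable, and that dependency deserves a sentence in the change description. sshd starts an external subsystem binary such as /usr/libexec/sftp-server through the account's login shell, so with nologin as the shell the client receives nologin's text instead of SFTP protocol packets, which is what the "Received message too long" error at the end of the mail looks like from the client side. internal-sftp runs inside the sshd process itself and needs neither a shell nor any binaries or libraries under the chroot. The -l INFO argument is also what step 4 (the syslogd -l socket in the chroot's dev directory) exists to serve; the two belong together in the documentation.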
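Review bot: the second hunk's ChrootDirectory /usr/local/ftp/sftp relies on a requirement that step 3 states only half of: sshd(8) insists that every component of the chroot path (/usr, /usr/local, /usr/local/ftp and /usr/local/ftp/sftp) is a root-owned directory that is not writable by any other user or group, and refuses the session otherwise, so ownership alone is not enough. Because the chroot root is therefore unwritable by the sftp user, uploads need a subdirectory inside it owned by that user. Two smaller points: the Match block correctly sits at the end of the file, since every line after a Match applies only to that match until the next one, and the commented anoncvs example in the context lines also shows PermitTTY no, which is worth adding to the Match User sftp block for the same reason X11Forwarding and AllowTcpForwarding are disabled.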
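Step 3 above is the part of a chrooted sftp setup that most often fails silently, because sshd checks not only ownership but also the write bits of every directory on the path. The following POSIX sh function is an added example, not code from the mail or from OpenSSH: it walks from the ChrootDirectory up to / and reports each component that is not owned by the expected user (root by default) or is writable by group or others. The optional third argument, which limits how far up the walk goes, is an assumption of this example introduced only so the check can be exercised against a temporary tree.

```shell
# Added example (not part of the original mail or of OpenSSH): check the
# sshd ChrootDirectory path requirement from sshd_config(5). sshd refuses
# to chroot a session unless every directory on the path is owned by root
# and not writable by group or others; this walks the path and reports
# each component that would fail.
#
# Usage: check_chroot_path DIR [OWNER] [STOP_AT]
#   DIR      the ChrootDirectory to check, e.g. /usr/local/ftp/sftp
#   OWNER    expected owner of every component (default: root)
#   STOP_AT  highest directory to inspect (default: /). Hypothetical
#            parameter for self-testing in a temporary tree, since real
#            parents such as /tmp are world-writable and would (correctly)
#            fail the check.
# Returns 0 if every component passes, 1 otherwise.
check_chroot_path() {
    dir=$1
    owner=${2:-root}
    stop=${3:-/}
    rc=0
    p=$dir
    while :; do
        # ls -ld output is portable between BSD and GNU ls: field 1 is the
        # mode string (e.g. drwxr-xr-x) and field 3 the owner name.
        set -- $(ls -ld "$p")
        mode=$1
        who=$3
        if [ "$who" != "$owner" ]; then
            echo "FAIL $p: owned by $who, expected $owner"
            rc=1
        fi
        # Character 6 of the mode string is the group write bit and
        # character 9 the other write bit; both must be '-'. The trailing *
        # tolerates ACL or SELinux markers ('+', '.') after the bits.
        case $mode in
            d????-??-?*) ;;
            d*) echo "FAIL $p: writable by group or others ($mode)"; rc=1 ;;
            *)  echo "FAIL $p: not a directory ($mode)"; rc=1 ;;
        esac
        [ "$p" = "$stop" ] && break
        [ "$p" = / ] && break
        p=$(dirname "$p")
    done
    [ "$rc" -eq 0 ] && echo "OK $dir: every component is $owner-owned and not group/world writable"
    return "$rc"
}

# Run directly, e.g.: sh check_chroot.sh /usr/local/ftp/sftp
if [ $# -gt 0 ]; then
    check_chroot_path "$@"
fi
```

Run it as root against the real chroot path with no extra arguments; a FAIL line names the exact directory sshd would reject, which is far quicker than reading sshd's "bad ownership or modes for chroot directory" message out of the auth log after a failed login.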