From: sthaug@nethelp.no
To: emaste@freebsd.org
Cc: freebsd-current@freebsd.org
Date: Wed, 16 Sep 2020 20:07:32 +0200 (CEST)
Message-Id: <20200916.200732.288885950.sthaug@nethelp.no>
Subject: Re: Deprecating ftpd in the FreeBSD base system?

> FTP is (becoming?) a legacy protocol, and I think it may be time to
> remove the ftp server from the FreeBSD base system - with the recent
> security advisory for ftpd serving as a reminder.
>
> I've proposed adding a deprecation notice to the man page in
> https://reviews.freebsd.org/D26447 to start this off. There are a
> number of ftp servers in ports, and if we're going to remove the base
> system one we can create a port for it first, as well.
>
> Any comments or concerns, please follow up in the code review or in
> email here.

Could we, at the same time, improve the documentation for sftp? I had to
move an FTP server (with one chrooted user) from FTP to sftp today. I did:

1. Add sftp user to /etc/passwd, with /usr/sbin/nologin as the shell.

2. Patch sshd config as follows:

--- etc/ssh/sshd_config.orig 2018-06-16 22:04:20.868762000 +0200
+++ etc/ssh/sshd_config 2020-09-16 10:10:53.133211000 +0200
@@ -112,7 +112,7 @@
 #Banner none
 # override default of no subsystems
-Subsystem sftp /usr/libexec/sftp-server
+Subsystem sftp internal-sftp -l INFO
 # Example of overriding settings on a per-user basis
 #Match User anoncvs
@@ -120,3 +120,8 @@
 # AllowTcpForwarding no
 # PermitTTY no
 # ForceCommand cvs server
+Match User sftp
+ChrootDirectory /usr/local/ftp/sftp
+ForceCommand internal-sftp -l INFO
+X11Forwarding no
+AllowTcpForwarding no

3. Ensure all levels of /usr/local/ftp/sftp are owned by root.

4. Create /usr/local/ftp/sftp/dev and add the following line to /etc/rc.conf:

syslogd_flags="-s -l /usr/local/ftp/sftp/dev/log"

Btw, I could not get /usr/libexec/sftp-server to work. Cryptic error
message: "Received message too long 1416128883". Googling that one
eventually led me to the internal-sftp subsystem and the rest of the
sshd_config changes.

The sshd_config man page is good, but I couldn't find anything about
arguments (e.g. -l) for internal-sftp.

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
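Review bot: In the first hunk, the change from /usr/libexec/sftp-server to internal-sftp is the right fix for the "Received message too long 1416128883" error mentioned in the message, and the number itself says why: 1416128883 is 0x54686973, the ASCII bytes "This", i.e. the first four bytes of the "This account is currently not available." text that /usr/sbin/nologin (the shell given to the sftp user in step 1) prints instead of running the subsystem command, and the sftp client reads those bytes as a packet length. internal-sftp runs inside sshd and never invokes the user's login shell, so a nologin shell is compatible with it. As for the "-l INFO" argument: internal-sftp accepts the same options as sftp-server(8), whose man page documents -l and the accepted log levels, so that is where the flag is specified rather than in sshd_config(5).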
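Review bot: The Match User sftp block in the second hunk depends on ChrootDirectory, and sshd refuses the login ("bad ownership or modes for chroot directory") unless every component of /usr/local/ftp/sftp is both owned by root and not writable by group or others; step 3 checks ownership only, so the mode check (chmod go-w on each component) should be part of it. Since the chroot root is then root-owned and read-only for the account, the sftp user also needs a writable subdirectory below it, owned by that user, or nothing can be uploaded. The commented example just above the block shows "PermitTTY no"; adding it, together with AllowAgentForwarding no and PermitTunnel no, closes the remaining non-sftp channels for this account.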